Analysis
max time kernel: 179s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023 14:18 (DD/MM/YYYY)
Behavioral task: behavioral1
  Sample: NEAS.bc4825e49e53b669393e47e542d390d0.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.bc4825e49e53b669393e47e542d390d0.exe
  Resource: win10v2004-20231023-en
The analysis metadata, signatures and process tree on this page are from behavioral2, the Windows 10 run (every yara hit below is under behavioral2/).
General
Target: NEAS.bc4825e49e53b669393e47e542d390d0.exe
Size: 482KB
MD5: bc4825e49e53b669393e47e542d390d0
SHA1: 535019abee642984ce7c472c9b0dbaa1b6ee454b
SHA256: f969739e5b81b6ef19d74515448a85ae80a6d9e7b0c2fe09764989cd4921c8c4
SHA512: 72e8ac880a1bd053aa8a62eabb99fd529faba1e535852b8679654896ecd3b7d7ffc31b897cea29496f7ef5a9cd3ef203e429125e119e5b61880da0327997fcd3
SSDEEP: 12288:0wr1NJSLrpV6yYP4rbpV6yYPg058KpV6yYP8OThj:0wDJSLrW4XWleKW8OThj
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
The key written here is ShellServiceObjectDelayLoad (SSODL). At shell start, Explorer.exe instantiates every CLSID listed as a value under it, so the sample gets its COM server loaded into Explorer without touching a Run key. The CLSID {79ECA078-17FF-726B-E811-213280E5C831}, written under the value name "Web Event Logger", is the one whose InProcServer32 registration appears in the "Modifies registry class" signature further down.
description | ioc | process

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
  written by (41 processes, in report order): Pelacg32.exe, Mmiccf32.exe, Dhgogojd.exe, Mgfqgkib.exe, Coigllel.exe, Ikgicmpe.exe, Ohkbldfa.exe, Fmjqjqao.exe, Ljcejhnh.exe, Ldmlih32.exe, Npcokpln.exe, Jiiiml32.exe, Mmkkgh32.exe, Jngbcj32.exe, Ngnnbq32.exe, Hdmohnhl.exe, Joekkl32.exe, Lebiddfi.exe, Noopof32.exe, Jqdoob32.exe, Lhnhkpgo.exe, Akipdg32.exe, Nnfpcada.exe, Dkljka32.exe, Nbcjhobg.exe, Gpeclq32.exe, Cdfpdc32.exe, Pafkpfni.exe, Kojkeogp.exe, Kfgpblda.exe, Oqfbihll.exe, Poaqocgl.exe, Nmpdbh32.exe, Aiifeg32.exe, Nlknqd32.exe, Nfhbpghl.exe, Gkofpf32.exe, Dfjpppbh.exe, Fecmjq32.exe, Phfjmlhh.exe, Hjchjl32.exe

Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  created by (23 processes, in report order): Lgamhjja.exe, Nlknqd32.exe, Enhpje32.exe, Qgkeep32.exe, Bdkghg32.exe, Jaonlhbj.exe, Pecefa32.exe, Nnlhod32.exe, Doeghk32.exe, Mbkfcabb.exe, Encgofhl.exe, Ddpeigle.exe, Bganac32.exe, Inhgaipf.exe, Amnlfk32.exe, Ipihkobl.exe, Mmfkac32.exe, Dfefeq32.exe, Mmkkgh32.exe, Nhmopp32.exe, Qciqga32.exe, Idieob32.exe, Hkdjph32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan whose primary function is to stage chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.
resource | yara_rule
All 64 resources below matched the rule family_berbew:
behavioral2/files/0x0007000000022cee-7.dat, behavioral2/files/0x0007000000022cee-9.dat, behavioral2/files/0x0008000000022cf2-15.dat, behavioral2/files/0x0008000000022cf2-17.dat,
behavioral2/files/0x0009000000022cf5-23.dat, behavioral2/files/0x0009000000022cf5-24.dat, behavioral2/files/0x0006000000022cfa-32.dat, behavioral2/files/0x0006000000022cfa-31.dat,
behavioral2/files/0x0006000000022cff-39.dat, behavioral2/files/0x0006000000022cff-41.dat, behavioral2/files/0x0006000000022d00-47.dat, behavioral2/files/0x0006000000022d00-49.dat,
behavioral2/files/0x0006000000022d02-55.dat, behavioral2/files/0x0006000000022d02-57.dat, behavioral2/files/0x0006000000022d05-58.dat, behavioral2/files/0x0006000000022d05-63.dat,
behavioral2/files/0x0006000000022d05-64.dat, behavioral2/files/0x0006000000022d10-71.dat, behavioral2/files/0x0006000000022d10-73.dat, behavioral2/files/0x0007000000022d0b-80.dat,
behavioral2/files/0x0007000000022d0b-81.dat, behavioral2/files/0x0007000000022cdc-88.dat, behavioral2/files/0x0007000000022cdc-91.dat, behavioral2/files/0x0006000000022d11-92.dat,
behavioral2/files/0x0006000000022d11-98.dat, behavioral2/files/0x0006000000022d11-101.dat, behavioral2/files/0x0006000000022d15-107.dat, behavioral2/files/0x0006000000022d15-110.dat,
behavioral2/files/0x0006000000022d17-116.dat, behavioral2/files/0x0006000000022d17-118.dat, behavioral2/files/0x0006000000022d19-124.dat, behavioral2/files/0x0006000000022d19-128.dat,
behavioral2/files/0x0006000000022d1b-134.dat, behavioral2/files/0x0006000000022d1b-136.dat, behavioral2/files/0x0006000000022d20-143.dat, behavioral2/files/0x0006000000022d20-145.dat,
behavioral2/files/0x0006000000022d22-152.dat, behavioral2/files/0x0006000000022d22-153.dat, behavioral2/files/0x0006000000022d24-160.dat, behavioral2/files/0x0006000000022d24-161.dat,
behavioral2/files/0x0006000000022d2b-178.dat, behavioral2/files/0x0006000000022d2b-179.dat, behavioral2/files/0x0006000000022d29-171.dat, behavioral2/files/0x0006000000022d29-169.dat,
behavioral2/files/0x0006000000022d2d-186.dat, behavioral2/files/0x0006000000022d2d-188.dat, behavioral2/files/0x0006000000022d30-196.dat, behavioral2/files/0x0006000000022d30-195.dat,
behavioral2/files/0x0006000000022d32-204.dat, behavioral2/files/0x0006000000022d32-206.dat, behavioral2/files/0x0006000000022d34-208.dat, behavioral2/files/0x0006000000022d34-213.dat,
behavioral2/files/0x0006000000022d34-215.dat, behavioral2/files/0x0006000000022d39-222.dat, behavioral2/files/0x0006000000022d39-224.dat, behavioral2/files/0x0006000000022d3b-231.dat,
behavioral2/files/0x0006000000022d3b-233.dat, behavioral2/files/0x0006000000022d3d-240.dat, behavioral2/files/0x0006000000022d3d-243.dat, behavioral2/files/0x0006000000022d3f-249.dat,
behavioral2/files/0x0006000000022d3f-250.dat, behavioral2/files/0x0006000000022d41-252.dat, behavioral2/files/0x0006000000022d41-257.dat, behavioral2/files/0x0006000000022d41-258.dat
Executes dropped EXE (64 IoCs)
pid Process (in report order)
5052 Mpenmadn.exe, 4416 Pdlbpldg.exe, 2356 Anccjp32.exe, 2084 Bdkghg32.exe,
1480 Bglpjb32.exe, 556 Cnmoglij.exe, 4908 Ddpjjd32.exe, 1872 Eepbabjj.exe,
1152 Gmggac32.exe, 220 Hdahek32.exe, 2484 Jdnqgg32.exe, 1680 Kojkeogp.exe,
1404 Mnggnh32.exe, 4592 Nnnmogae.exe, 396 Nmommn32.exe, 1964 Pfmdgq32.exe,
1952 Amblpikl.exe, 3840 Aikijjon.exe, 3544 Bipcei32.exe, 1824 Ccfcpm32.exe,
3444 Clohhbli.exe, 3500 Claenb32.exe, 1272 Dcpffk32.exe, 1328 Dfqogfjo.exe,
3028 Efgehe32.exe, 3864 Emhdeoel.exe, 4564 Fjoadbbc.exe, 3912 Fclohg32.exe,
4340 Gablgk32.exe, 1524 Gmpcmkaa.exe, 2388 Hhegjdag.exe, 3628 Hmifcjif.exe,
4268 Ikgicmpe.exe, 1980 Jpfnqc32.exe, 4664 Jphkfc32.exe, 4952 Kkgbjkac.exe,
1716 Kkioojpp.exe, 4960 Ldkfno32.exe, 3860 Mddidm32.exe, 2368 Mbkfcabb.exe,
4716 Mbpoop32.exe, 4004 Nnfpcada.exe, 2580 Nnimia32.exe, 636 Oghgbe32.exe,
1000 Oaeegjeb.exe, 3540 Oajoaj32.exe, 3516 Panhmi32.exe, 4296 Pelacg32.exe,
864 Plifea32.exe, 4844 Aified32.exe, 32 Aacjofkp.exe, 3640 Apdkmn32.exe,
4092 Beaced32.exe, 3664 Blkkaohc.exe, 5112 Befmpdmq.exe, 2244 Blpemn32.exe,
4000 Bbljoh32.exe, 1172 Ccfmef32.exe, 1968 Cpjmok32.exe, 1188 Dcjfpfnh.exe,
2040 Dhgoimlo.exe, 500 Dcmcfeke.exe, 3212 Dpqcoj32.exe, 1568 Dabpgbpm.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Habndbpf.exe | Hfjmajbc.exe
File created | C:\Windows\SysWOW64\Jiepaa32.dll | Lpfidh32.exe
File created | C:\Windows\SysWOW64\Mfoclflo.exe | Loqejjad.exe
File created | C:\Windows\SysWOW64\Phdngljk.exe | Poliog32.exe
File opened for modification | C:\Windows\SysWOW64\Apcemh32.exe | Qjdpoacp.exe
File opened for modification | C:\Windows\SysWOW64\Doeghk32.exe | Cpdgjc32.exe
File opened for modification | C:\Windows\SysWOW64\Egnhnkmj.exe | Ebapednb.exe
File created | C:\Windows\SysWOW64\Bkkabc32.dll | Oblhlpne.exe
File opened for modification | C:\Windows\SysWOW64\Cdolbijg.exe | Bhdbaihi.exe
File opened for modification | C:\Windows\SysWOW64\Npcokpln.exe | Nnbeie32.exe
File opened for modification | C:\Windows\SysWOW64\Bganac32.exe | Bmkjdj32.exe
File created | C:\Windows\SysWOW64\Nlbkifhp.dll | Hipdjfoo.exe
File created | C:\Windows\SysWOW64\Aampgb32.dll | Eijbge32.exe
File created | C:\Windows\SysWOW64\Cncdkbdj.dll | Qjdpoacp.exe
File created | C:\Windows\SysWOW64\Mkaqdc32.dll | Cgiflnoa.exe
File opened for modification | C:\Windows\SysWOW64\Mhjhfnma.exe | Mcmongoj.exe
File created | C:\Windows\SysWOW64\Qnlcpg32.dll | Ocgkkc32.exe
File opened for modification | C:\Windows\SysWOW64\Fclohg32.exe | Fjoadbbc.exe
File opened for modification | C:\Windows\SysWOW64\Hhegjdag.exe | Gmpcmkaa.exe
File opened for modification | C:\Windows\SysWOW64\Ealanc32.exe | Ehdmenhh.exe
File created | C:\Windows\SysWOW64\Cpcahb32.dll | Loqejjad.exe
File opened for modification | C:\Windows\SysWOW64\Fejebdig.exe | Eijbge32.exe
File created | C:\Windows\SysWOW64\Qgmbbfja.dll | Fejebdig.exe
File created | C:\Windows\SysWOW64\Mpfooc32.dll | Ggjqqg32.exe
File opened for modification | C:\Windows\SysWOW64\Ipihkobl.exe | Hjjbmhfg.exe
File opened for modification | C:\Windows\SysWOW64\Ibgmldnd.exe | Hicihp32.exe
File opened for modification | C:\Windows\SysWOW64\Ikgicmpe.exe | Hmifcjif.exe
File opened for modification | C:\Windows\SysWOW64\Daolgl32.exe | Cdolbijg.exe
File created | C:\Windows\SysWOW64\Qhlamhkj.exe | Qgkeep32.exe
File created | C:\Windows\SysWOW64\Ampfba32.dll | Hglaookl.exe
File opened for modification | C:\Windows\SysWOW64\Omegdebp.exe | Oejbpb32.exe
File created | C:\Windows\SysWOW64\Mccqgk32.dll | Pecefa32.exe
File opened for modification | C:\Windows\SysWOW64\Jghpkq32.exe | Jmplbk32.exe
File created | C:\Windows\SysWOW64\Linhmpei.dll | Pcgdbakj.exe
File created | C:\Windows\SysWOW64\Ohceqo32.exe | Onkphi32.exe
File created | C:\Windows\SysWOW64\Apcemh32.exe | Qjdpoacp.exe
File created | C:\Windows\SysWOW64\Qggmdcdb.dll | Lebiddfi.exe
File created | C:\Windows\SysWOW64\Fofiff32.exe | Faeihogj.exe
File created | C:\Windows\SysWOW64\Ldkfno32.exe | Kkioojpp.exe
File created | C:\Windows\SysWOW64\Jplmglbf.exe | Jpgdlm32.exe
File created | C:\Windows\SysWOW64\Aclphkmi.dll | Mefmbbod.exe
File created | C:\Windows\SysWOW64\Cmdfpbkc.exe | Bjjjhifm.exe
File created | C:\Windows\SysWOW64\Hdmohnhl.exe | Hkdjph32.exe
File created | C:\Windows\SysWOW64\Poapio32.dll | Mbgejcpm.exe
File created | C:\Windows\SysWOW64\Hmifcjif.exe | Hhegjdag.exe
File created | C:\Windows\SysWOW64\Plagmh32.exe | Pchcdbck.exe
File opened for modification | C:\Windows\SysWOW64\Qhlamhkj.exe | Qgkeep32.exe
File opened for modification | C:\Windows\SysWOW64\Hehkjpod.exe | Himqjpme.exe
File created | C:\Windows\SysWOW64\Iklpcimi.dll | Jefpahoi.exe
File created | C:\Windows\SysWOW64\Lankkfal.dll | Nobldfio.exe
File created | C:\Windows\SysWOW64\Anccjp32.exe | Pdlbpldg.exe
File opened for modification | C:\Windows\SysWOW64\Jmknkk32.exe | Jpbdfgge.exe
File created | C:\Windows\SysWOW64\Bjjjhifm.exe | Bmfjodgc.exe
File opened for modification | C:\Windows\SysWOW64\Koodka32.exe | Kfgpblda.exe
File created | C:\Windows\SysWOW64\Pqheglcj.dll | Anccjp32.exe
File created | C:\Windows\SysWOW64\Edngdafi.dll | Glebbpbd.exe
File opened for modification | C:\Windows\SysWOW64\Lgamhjja.exe | Kbkaiddd.exe
File created | C:\Windows\SysWOW64\Ieodck32.dll | Nacmnlkd.exe
File created | C:\Windows\SysWOW64\Nmpdbh32.exe | Mnkgakpp.exe
File opened for modification | C:\Windows\SysWOW64\Pmafpchb.exe | Phdngljk.exe
File created | C:\Windows\SysWOW64\Pdlbpldg.exe | Mpenmadn.exe
File opened for modification | C:\Windows\SysWOW64\Oghgbe32.exe | Nnimia32.exe
File opened for modification | C:\Windows\SysWOW64\Bjgghc32.exe | Ahgjnpna.exe
File created | C:\Windows\SysWOW64\Jljanf32.dll | Ahgjnpna.exe
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
5428  5148        WerFault.exe  577
5668  5148        WerFault.exe  577
Both entries are WerFault.exe instances reporting on the same crashed process, pid 5148 (procid 577).
Modifies registry class (64 IoCs)
These writes are the other half of the SSODL persistence: the key HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 is created, its default value is pointed at a dropped DLL in C:\Windows\SysWow64, and ThreadingModel is set to "Apartment". The 20 DLL paths below are distinct servers registered under the same CLSID by different processes in the chain, so an SSODL hunt should resolve the CLSID to its current InProcServer32 path rather than look for a fixed DLL name.
description | ioc | process

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
  created by (26 processes, in report order): Mnfnfl32.exe, Blkkaohc.exe, Mlkejgfj.exe, Iciaji32.exe, Jdnqgg32.exe, Blpemn32.exe, Ijqmacpl.exe, Pecefa32.exe, Pnaalghe.exe, Bmfjodgc.exe, Ielmki32.exe, Qgkeep32.exe, Mmcnlc32.exe, Pffghc32.exe, Kkioojpp.exe, Hfjmajbc.exe, Ealanc32.exe, Mcbpcm32.exe, Ldohogfe.exe, Jncfmgfi.exe, Lmpkkjcj.exe, Bdkghg32.exe, Gkmlilej.exe, Gbpenpdp.exe, Okeinn32.exe, Jphkfc32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
  written by (18 processes, in report order): Jiiiml32.exe, Befmpdmq.exe, Mlqjlmjp.exe, Obgoaq32.exe, Mhppcn32.exe, Ikkppgld.exe, Ebiffc32.exe, Nacmnlkd.exe, Pmmleg32.exe, Fneohd32.exe, Mmkkgh32.exe, Ljlagndl.exe, Doanno32.exe, Ffggdmbi.exe, Mbgejcpm.exe, Ngnnbq32.exe, Jkbfafel.exe, Jljiimeb.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default value) = "C:\\Windows\\SysWow64\\<dll>"
  20 entries, in report order (dll | process):
  Pnpdkg32.dll | Blkkaohc.exe
  Mkeodcom.dll | Dfefeq32.exe
  Mckeji32.dll | Gkofpf32.exe
  Onqibfkn.dll | Hbbacobm.exe
  Chdica32.dll | Dfphmp32.exe
  Ljheeage.dll | Omhicj32.exe
  Ddnigkcd.dll | Kcikagij.exe
  Lckmpaek.dll | Jpgdlm32.exe
  Edngdafi.dll | Glebbpbd.exe
  Aepkej32.dll | Cijpkmml.exe
  Acanjcbi.dll | Ijqmacpl.exe
  Aaocfebe.dll | Ddpjjd32.exe
  Pnldlfhp.dll | Ibgmldnd.exe
  Anijoaml.dll | Ecefjckj.exe
  Jgaldkid.dll | Gbofmmmj.exe
  Nhppknhe.dll | Jiiiml32.exe
  Bgmegc32.dll | Gmqgjl32.exe
  Nnimipoo.dll | Kfgpblda.exe
  Gihlge32.dll | Gbdgpfni.exe
  Pecakp32.dll | Cfigib32.exe
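The "Adds autorun key" and "Modifies registry class" signatures above, together with the "Drops file in System32 directory" list, describe one persistence mechanism split across three tables. The Python below is an added example, not tria.ge's code and not anything from the sample: it parses IoC text in the flattened shape the report uses, resolves the SSODL value to its CLSID, the CLSID to the InProcServer32 DLLs registered for it, and flags DLLs that the same process both dropped and registered. IOC_TEXT is a constructed excerpt of entries copied from the tables on this page; the regexes assume the report's conventions (process names without spaces, backslashes doubled inside quoted registry values).

```python
"""Correlate the report's flattened registry and file IoCs into one SSODL persistence chain.

Added example, not tria.ge output and not code from the sample.  IOC_TEXT is a
constructed excerpt: entries copied from the three signature tables above and
concatenated on one line the way the report flattens them.
"""
import re
from collections import defaultdict

IOC_TEXT = (
    # from "Adds autorun key to be loaded by Explorer.exe on startup"
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pelacg32.exe '
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgamhjja.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmiccf32.exe '
    # from "Modifies registry class"
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blkkaohc.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jiiiml32.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpdkg32.dll" Blkkaohc.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edngdafi.dll" Glebbpbd.exe '
    # from "Drops file in System32 directory"
    r'File created C:\Windows\SysWOW64\Edngdafi.dll Glebbpbd.exe '
    r'File created C:\Windows\SysWOW64\Jiepaa32.dll Lpfidh32.exe '
    r'File opened for modification C:\Windows\SysWOW64\Habndbpf.exe Hfjmajbc.exe'
)

# One pattern per IoC shape.  Process names carry no spaces in this report, so
# \S+ delimits them; the non-greedy path stops at the first ' = "'.
SET_RE = re.compile(r'Set value \(str\) (?P<path>\\REGISTRY\\.*?) = "(?P<value>[^"]*)" (?P<proc>\S+)')
KEY_RE = re.compile(r'Key created (?P<path>\\REGISTRY\\\S+) (?P<proc>\S+)')
FILE_RE = re.compile(r'File (?P<op>created|opened for modification) (?P<path>[A-Za-z]:\\\S+) (?P<proc>\S+)')
CLSID_KEY_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$')


def basename(win_path):
    """Last path component; quoted registry values in the report double their backslashes."""
    return re.split(r'\\+', win_path)[-1]


def ssodl_chain(text):
    """Return {clsid: info} for every CLSID named under ShellServiceObjectDelayLoad.

    info lists the SSODL value name(s), the InProcServer32 DLLs registered for the
    CLSID (with the process that wrote each), the ThreadingModel, which processes
    created the InProcServer32 key, and which DLLs the same process both dropped
    into SysWOW64 and registered as the server.
    """
    ssodl_names = defaultdict(set)   # clsid -> {SSODL value name}
    servers = defaultdict(set)       # clsid -> {(dll basename, writing process)}
    threading = defaultdict(set)     # clsid -> {ThreadingModel}
    for m in SET_RE.finditer(text):
        key, _, name = m['path'].rpartition('\\')
        if key.lower().endswith('shellserviceobjectdelayload'):
            ssodl_names[m['value']].add(name)
            continue
        c = CLSID_KEY_RE.search(key)
        if c and name == '':                    # default value = server DLL path
            servers[c[1]].add((basename(m['value']), m['proc']))
        elif c and name.lower() == 'threadingmodel':
            threading[c[1]].add(m['value'])
    key_creators = defaultdict(set)
    for m in KEY_RE.finditer(text):
        c = CLSID_KEY_RE.search(m['path'])
        if c:
            key_creators[c[1]].add(m['proc'])
    dropped = {basename(m['path']): m['proc']
               for m in FILE_RE.finditer(text) if m['op'] == 'created'}

    result = {}
    for clsid, names in ssodl_names.items():
        dlls = sorted(servers.get(clsid, ()))
        result[clsid] = {
            'ssodl_names': sorted(names),
            'inproc_dlls': dlls,
            'threading_model': sorted(threading.get(clsid, ())),
            'key_created_by': sorted(key_creators.get(clsid, ())),
            # same process created the file in SysWOW64 and pointed InProcServer32 at it
            'dropped_and_registered': sorted(d for d, p in dlls if dropped.get(d) == p),
        }
    return result


if __name__ == '__main__':
    for clsid, info in ssodl_chain(IOC_TEXT).items():
        print(clsid)
        for field, value in info.items():
            print(f'  {field}: {value}')
```

Run over a full export of the three tables, the output says which DLL names to look for on disk and, more usefully, that the durable indicator is the CLSID: the DLL name changes with every process in the chain while {79ECA078-17FF-726B-E811-213280E5C831} does not, so a hunt should enumerate SSODL values and resolve each CLSID's InProcServer32 rather than match on file names.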
Suspicious use of WriteProcessMemory (64 IoCs)
Each row below collapses identical entries: every process in the chain wrote into its single child three times, and the 64-entry list ends partway through the last hop.
pid   Process                                    target pid  procid_target  entries
3816  NEAS.bc4825e49e53b669393e47e542d390d0.exe  5052        93             3
5052  Mpenmadn.exe                               4416        95             3
4416  Pdlbpldg.exe                               2356        96             3
2356  Anccjp32.exe                               2084        97             3
2084  Bdkghg32.exe                               1480        98             3
1480  Bglpjb32.exe                               556         99             3
556   Cnmoglij.exe                               4908        100            3
4908  Ddpjjd32.exe                               1872        101            3
1872  Eepbabjj.exe                               1152        102            3
1152  Gmggac32.exe                               220         103            3
220   Hdahek32.exe                               2484        104            3
2484  Jdnqgg32.exe                               1680        105            3
1680  Kojkeogp.exe                               1404        106            3
1404  Mnggnh32.exe                               4592        107            3
4592  Nnnmogae.exe                               396         108            3
396   Nmommn32.exe                               1964        109            3
1964  Pfmdgq32.exe                               1952        110            3
1952  Amblpikl.exe                               3840        111            3
3840  Aikijjon.exe                               3544        112            3
3544  Bipcei32.exe                               1824        113            3
1824  Ccfcpm32.exe                               3444        114            3
3444  Clohhbli.exe                               3500        115            1
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bc4825e49e53b669393e47e542d390d0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bc4825e49e53b669393e47e542d390d0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Mpenmadn.exeC:\Windows\system32\Mpenmadn.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Pdlbpldg.exeC:\Windows\system32\Pdlbpldg.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Anccjp32.exeC:\Windows\system32\Anccjp32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Bdkghg32.exeC:\Windows\system32\Bdkghg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Bglpjb32.exeC:\Windows\system32\Bglpjb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Cnmoglij.exeC:\Windows\system32\Cnmoglij.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Ddpjjd32.exeC:\Windows\system32\Ddpjjd32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Eepbabjj.exeC:\Windows\system32\Eepbabjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Gmggac32.exeC:\Windows\system32\Gmggac32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Hdahek32.exeC:\Windows\system32\Hdahek32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Jdnqgg32.exeC:\Windows\system32\Jdnqgg32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Kojkeogp.exeC:\Windows\system32\Kojkeogp.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Mnggnh32.exeC:\Windows\system32\Mnggnh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Nnnmogae.exeC:\Windows\system32\Nnnmogae.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Nmommn32.exeC:\Windows\system32\Nmommn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Pfmdgq32.exeC:\Windows\system32\Pfmdgq32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Amblpikl.exeC:\Windows\system32\Amblpikl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Aikijjon.exeC:\Windows\system32\Aikijjon.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Bipcei32.exeC:\Windows\system32\Bipcei32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Ccfcpm32.exeC:\Windows\system32\Ccfcpm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Clohhbli.exeC:\Windows\system32\Clohhbli.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Claenb32.exeC:\Windows\system32\Claenb32.exe23⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Dcpffk32.exeC:\Windows\system32\Dcpffk32.exe24⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Dfqogfjo.exeC:\Windows\system32\Dfqogfjo.exe25⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Efgehe32.exeC:\Windows\system32\Efgehe32.exe26⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Emhdeoel.exeC:\Windows\system32\Emhdeoel.exe27⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Fjoadbbc.exeC:\Windows\system32\Fjoadbbc.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4564 -
C:\Windows\SysWOW64\Fclohg32.exeC:\Windows\system32\Fclohg32.exe29⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Gablgk32.exeC:\Windows\system32\Gablgk32.exe30⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Gmpcmkaa.exeC:\Windows\system32\Gmpcmkaa.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Hhegjdag.exeC:\Windows\system32\Hhegjdag.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Hmifcjif.exeC:\Windows\system32\Hmifcjif.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Ikgicmpe.exeC:\Windows\system32\Ikgicmpe.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Jpfnqc32.exeC:\Windows\system32\Jpfnqc32.exe35⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Jphkfc32.exeC:\Windows\system32\Jphkfc32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4664 -
C:\Windows\SysWOW64\Kkgbjkac.exeC:\Windows\system32\Kkgbjkac.exe37⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Kkioojpp.exeC:\Windows\system32\Kkioojpp.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Ldkfno32.exeC:\Windows\system32\Ldkfno32.exe39⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Mddidm32.exeC:\Windows\system32\Mddidm32.exe40⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Mbkfcabb.exeC:\Windows\system32\Mbkfcabb.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mbpoop32.exeC:\Windows\system32\Mbpoop32.exe42⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Nnfpcada.exeC:\Windows\system32\Nnfpcada.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Nnimia32.exeC:\Windows\system32\Nnimia32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Oghgbe32.exeC:\Windows\system32\Oghgbe32.exe45⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Oaeegjeb.exeC:\Windows\system32\Oaeegjeb.exe46⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Oajoaj32.exeC:\Windows\system32\Oajoaj32.exe47⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Panhmi32.exeC:\Windows\system32\Panhmi32.exe48⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Pelacg32.exeC:\Windows\system32\Pelacg32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Plifea32.exeC:\Windows\system32\Plifea32.exe50⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Aified32.exeC:\Windows\system32\Aified32.exe51⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Aacjofkp.exeC:\Windows\system32\Aacjofkp.exe52⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Apdkmn32.exeC:\Windows\system32\Apdkmn32.exe53⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Beaced32.exeC:\Windows\system32\Beaced32.exe54⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Blkkaohc.exeC:\Windows\system32\Blkkaohc.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Befmpdmq.exeC:\Windows\system32\Befmpdmq.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:5112 -
C:\Windows\SysWOW64\Blpemn32.exeC:\Windows\system32\Blpemn32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Bbljoh32.exeC:\Windows\system32\Bbljoh32.exe58⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Ccfmef32.exeC:\Windows\system32\Ccfmef32.exe59⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cpjmok32.exeC:\Windows\system32\Cpjmok32.exe60⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Dcjfpfnh.exeC:\Windows\system32\Dcjfpfnh.exe61⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Dhgoimlo.exeC:\Windows\system32\Dhgoimlo.exe62⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Dcmcfeke.exeC:\Windows\system32\Dcmcfeke.exe63⤵
- Executes dropped EXE
PID:500 -
C:\Windows\SysWOW64\Dpqcoj32.exeC:\Windows\system32\Dpqcoj32.exe64⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Dabpgbpm.exeC:\Windows\system32\Dabpgbpm.exe65⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Dfphmp32.exeC:\Windows\system32\Dfphmp32.exe66⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Efdbhpbn.exeC:\Windows\system32\Efdbhpbn.exe67⤵PID:1496
-
C:\Windows\SysWOW64\Ecmlmcmb.exeC:\Windows\system32\Ecmlmcmb.exe68⤵PID:2180
-
C:\Windows\SysWOW64\Ecphbckp.exeC:\Windows\system32\Ecphbckp.exe69⤵PID:2264
-
C:\Windows\SysWOW64\Ffbnin32.exeC:\Windows\system32\Ffbnin32.exe70⤵PID:4652
-
C:\Windows\SysWOW64\Ffggdmbi.exeC:\Windows\system32\Ffggdmbi.exe71⤵
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Gjgmpkfl.exeC:\Windows\system32\Gjgmpkfl.exe72⤵PID:1948
-
C:\Windows\SysWOW64\Godehbed.exeC:\Windows\system32\Godehbed.exe73⤵PID:768
-
C:\Windows\SysWOW64\Gjjjfkdj.exeC:\Windows\system32\Gjjjfkdj.exe74⤵PID:4808
-
C:\Windows\SysWOW64\Gcdkdpih.exeC:\Windows\system32\Gcdkdpih.exe75⤵PID:4304
-
C:\Windows\SysWOW64\Hifmhf32.exeC:\Windows\system32\Hifmhf32.exe76⤵PID:2208
-
C:\Windows\SysWOW64\Hfjmajbc.exeC:\Windows\system32\Hfjmajbc.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Habndbpf.exeC:\Windows\system32\Habndbpf.exe78⤵PID:3284
-
C:\Windows\SysWOW64\Hjjbmhfg.exeC:\Windows\system32\Hjjbmhfg.exe79⤵
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\Ipihkobl.exeC:\Windows\system32\Ipihkobl.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5152 -
C:\Windows\SysWOW64\Jdqcglqh.exeC:\Windows\system32\Jdqcglqh.exe81⤵PID:5192
-
C:\Windows\SysWOW64\Jpgdlm32.exeC:\Windows\system32\Jpgdlm32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:5232 -
C:\Windows\SysWOW64\Jplmglbf.exeC:\Windows\system32\Jplmglbf.exe83⤵PID:5272
-
C:\Windows\SysWOW64\Kiikkada.exeC:\Windows\system32\Kiikkada.exe84⤵PID:5320
-
C:\Windows\SysWOW64\Kcfiof32.exeC:\Windows\system32\Kcfiof32.exe85⤵PID:5356
-
C:\Windows\SysWOW64\Kipalpoj.exeC:\Windows\system32\Kipalpoj.exe86⤵PID:5404
-
C:\Windows\SysWOW64\Lgfojd32.exeC:\Windows\system32\Lgfojd32.exe87⤵PID:5448
-
C:\Windows\SysWOW64\Lcmopeae.exeC:\Windows\system32\Lcmopeae.exe88⤵PID:5488
-
C:\Windows\SysWOW64\Lnccmnak.exeC:\Windows\system32\Lnccmnak.exe89⤵PID:5532
-
C:\Windows\SysWOW64\Ldmlih32.exeC:\Windows\system32\Ldmlih32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Ldohogfe.exeC:\Windows\system32\Ldohogfe.exe91⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Ljlagndl.exeC:\Windows\system32\Ljlagndl.exe92⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Lpfidh32.exeC:\Windows\system32\Lpfidh32.exe93⤵
- Drops file in System32 directory
PID:5708 -
C:\Windows\SysWOW64\Mgdklb32.exeC:\Windows\system32\Mgdklb32.exe94⤵PID:5752
-
C:\Windows\SysWOW64\Njjmil32.exeC:\Windows\system32\Njjmil32.exe95⤵PID:5796
-
C:\Windows\SysWOW64\Ngnnbq32.exeC:\Windows\system32\Ngnnbq32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Nbjhph32.exeC:\Windows\system32\Nbjhph32.exe97⤵PID:5888
-
C:\Windows\SysWOW64\Okeinn32.exeC:\Windows\system32\Okeinn32.exe98⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Oqbagd32.exeC:\Windows\system32\Oqbagd32.exe99⤵PID:5976
-
C:\Windows\SysWOW64\Okgfdm32.exeC:\Windows\system32\Okgfdm32.exe100⤵PID:6020
-
C:\Windows\SysWOW64\Pegqmbch.exeC:\Windows\system32\Pegqmbch.exe101⤵PID:6064
-
C:\Windows\SysWOW64\Pnaalghe.exeC:\Windows\system32\Pnaalghe.exe102⤵
- Modifies registry class
PID:6108 -
C:\Windows\SysWOW64\Bhdbaihi.exeC:\Windows\system32\Bhdbaihi.exe103⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Cdolbijg.exeC:\Windows\system32\Cdolbijg.exe104⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Daolgl32.exeC:\Windows\system32\Daolgl32.exe105⤵PID:5312
-
C:\Windows\SysWOW64\Ddpeigle.exeC:\Windows\system32\Ddpeigle.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5416 -
C:\Windows\SysWOW64\Deoabj32.exeC:\Windows\system32\Deoabj32.exe107⤵PID:5480
-
C:\Windows\SysWOW64\Dkljka32.exeC:\Windows\system32\Dkljka32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5556 -
C:\Windows\SysWOW64\Ehpjdepi.exeC:\Windows\system32\Ehpjdepi.exe109⤵PID:5632
-
C:\Windows\SysWOW64\Eceoanpo.exeC:\Windows\system32\Eceoanpo.exe110⤵PID:5692
-
C:\Windows\SysWOW64\Ekqcfpmj.exeC:\Windows\system32\Ekqcfpmj.exe111⤵PID:5780
-
C:\Windows\SysWOW64\Eefhcimp.exeC:\Windows\system32\Eefhcimp.exe112⤵PID:5836
-
C:\Windows\SysWOW64\Femndhgh.exeC:\Windows\system32\Femndhgh.exe113⤵PID:5932
-
C:\Windows\SysWOW64\Ffpjihee.exeC:\Windows\system32\Ffpjihee.exe114⤵PID:5964
-
C:\Windows\SysWOW64\Fafkoiji.exeC:\Windows\system32\Fafkoiji.exe115⤵PID:992
-
C:\Windows\SysWOW64\Flnlaahl.exeC:\Windows\system32\Flnlaahl.exe116⤵PID:2812
-
C:\Windows\SysWOW64\Flqigq32.exeC:\Windows\system32\Flqigq32.exe117⤵PID:2568
-
C:\Windows\SysWOW64\Fckacknf.exeC:\Windows\system32\Fckacknf.exe118⤵PID:4200
-
C:\Windows\SysWOW64\Glebbpbd.exeC:\Windows\system32\Glebbpbd.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Gbdgpfni.exeC:\Windows\system32\Gbdgpfni.exe120⤵
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Gkmlilej.exeC:\Windows\system32\Gkmlilej.exe121⤵
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Hicihp32.exeC:\Windows\system32\Hicihp32.exe122⤵
- Drops file in System32 directory
PID:2356