Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/11/2023, 05:27
Behavioral task behavioral1
Sample: NEAS.cc78ec473211c881ae7804dd61943660.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.cc78ec473211c881ae7804dd61943660.exe
Resource: win10v2004-20231020-en
The signatures, file paths and process tree on this page come from behavioral2 (the Windows 10 run): the yara hits are prefixed behavioral2/ and every registry key is under WOW6432Node, i.e. a 32-bit sample running on 64-bit Windows.
General
Target: NEAS.cc78ec473211c881ae7804dd61943660.exe
Size: 115KB
MD5: cc78ec473211c881ae7804dd61943660
SHA1: 12c15aba78f6fe58acb6809d53b3dbf6265dd47d
SHA256: ddf0735f914a623e5b41d5e4c579743102d53f3430429a6c383ce7e574cff770
SHA512: 178fa111cb008e200b229778eab09092740898d7c2ca5cfa9d63b2bb401fafca0ba7fe4ffac1132e6c68cb20de18e8a378fbee4207941ac9c459382491370f80
SSDEEP: 3072:OHhvDLb/L04dbrIR/SoQUP5u30KqTKr4:eRLDL04hrIooQUPoDqTKE
Malware Config
None listed for this sample.
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) values are CLSIDs that explorer.exe instantiates when the shell starts, so the COM server DLL registered for the CLSID runs inside Explorer without any new process being created. Every row below touches the same value, "Web Event Logger", and the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}; the CLSID itself is registered in the "Modifies registry class" signature further down.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcphab32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjccdkki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdbjhbbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idfaefkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahdpjn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccppmc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmndpq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apaadpng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnlhncgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klpakj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfkkqmiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mqhfoebo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nodiqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cacmpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddklbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmndpq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olfghg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omfekbdh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iljpij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Najmjokc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oejbfmpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aopemh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqhoeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnljkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eqkondfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Difpmfna.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbhijepa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikkpgafg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idfaefkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgeghp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okkdic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poimpapp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qeodhjmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpnjah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajjokd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdolgfbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkbgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpphjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oejbfmpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aggpfkjj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klpakj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apggckbf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbaahf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plpjoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdojjo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oihmedma.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qamago32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcbnpnme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljclki32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bapgdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcghkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcigeooj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eblpgjha.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eclmamod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikkpgafg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kifojnol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnkpnclp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adfnofpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhldbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qamago32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqphic32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmoiqneg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chfegk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfagighf.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan whose primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers. In this run the chaining is visible directly in the tables below: every dropped executable in C:\Windows\SysWOW64 writes the next one, registers the same CLSID, and spawns it.
All 64 hits are the family_berbew rule on dropped files of the behavioral2 run.
resource | yara_rule
behavioral2/files/0x00040000000222d5-8.dat | family_berbew
behavioral2/files/0x00040000000222d5-7.dat | family_berbew
behavioral2/files/0x0006000000022ded-15.dat | family_berbew
behavioral2/files/0x0006000000022ded-16.dat | family_berbew
behavioral2/files/0x0006000000022def-22.dat | family_berbew
behavioral2/files/0x0006000000022def-25.dat | family_berbew
behavioral2/files/0x0006000000022df1-32.dat | family_berbew
behavioral2/files/0x0006000000022df1-31.dat | family_berbew
behavioral2/files/0x0006000000022df3-39.dat | family_berbew
behavioral2/files/0x0006000000022df3-40.dat | family_berbew
behavioral2/files/0x0006000000022df5-47.dat | family_berbew
behavioral2/files/0x0006000000022df5-48.dat | family_berbew
behavioral2/files/0x0006000000022df7-57.dat | family_berbew
behavioral2/files/0x0006000000022df7-55.dat | family_berbew
behavioral2/files/0x0006000000022df9-58.dat | family_berbew
behavioral2/files/0x0006000000022df9-63.dat | family_berbew
behavioral2/files/0x0006000000022df9-65.dat | family_berbew
behavioral2/files/0x0006000000022dfb-71.dat | family_berbew
behavioral2/files/0x0006000000022dfb-72.dat | family_berbew
behavioral2/files/0x0006000000022dfd-79.dat | family_berbew
behavioral2/files/0x0006000000022dfd-80.dat | family_berbew
behavioral2/files/0x0006000000022dff-89.dat | family_berbew
behavioral2/files/0x0007000000022de7-96.dat | family_berbew
behavioral2/files/0x0007000000022de7-97.dat | family_berbew
behavioral2/files/0x0006000000022dff-88.dat | family_berbew
behavioral2/files/0x0006000000022e02-104.dat | family_berbew
behavioral2/files/0x0006000000022e02-105.dat | family_berbew
behavioral2/files/0x0006000000022e04-112.dat | family_berbew
behavioral2/files/0x0006000000022e04-113.dat | family_berbew
behavioral2/files/0x0006000000022e06-120.dat | family_berbew
behavioral2/files/0x0006000000022e06-122.dat | family_berbew
behavioral2/files/0x0006000000022e08-128.dat | family_berbew
behavioral2/files/0x0006000000022e08-130.dat | family_berbew
behavioral2/files/0x0006000000022e0a-136.dat | family_berbew
behavioral2/files/0x0006000000022e0a-137.dat | family_berbew
behavioral2/files/0x0006000000022e0c-144.dat | family_berbew
behavioral2/files/0x0006000000022e0c-145.dat | family_berbew
behavioral2/files/0x0006000000022e0e-152.dat | family_berbew
behavioral2/files/0x0006000000022e0e-154.dat | family_berbew
behavioral2/files/0x0006000000022e11-160.dat | family_berbew
behavioral2/files/0x0006000000022e11-162.dat | family_berbew
behavioral2/files/0x0006000000022e13-168.dat | family_berbew
behavioral2/files/0x0006000000022e13-169.dat | family_berbew
behavioral2/files/0x0006000000022e15-176.dat | family_berbew
behavioral2/files/0x0006000000022e15-178.dat | family_berbew
behavioral2/files/0x0006000000022e17-184.dat | family_berbew
behavioral2/files/0x0006000000022e17-186.dat | family_berbew
behavioral2/files/0x0006000000022e19-192.dat | family_berbew
behavioral2/files/0x0006000000022e19-194.dat | family_berbew
behavioral2/files/0x0006000000022e1b-201.dat | family_berbew
behavioral2/files/0x0006000000022e1b-200.dat | family_berbew
behavioral2/files/0x0006000000022e1d-208.dat | family_berbew
behavioral2/files/0x0006000000022e1d-209.dat | family_berbew
behavioral2/files/0x0006000000022e1f-216.dat | family_berbew
behavioral2/files/0x0006000000022e1f-218.dat | family_berbew
behavioral2/files/0x0006000000022e21-225.dat | family_berbew
behavioral2/files/0x0006000000022e21-224.dat | family_berbew
behavioral2/files/0x0006000000022e23-232.dat | family_berbew
behavioral2/files/0x0006000000022e23-234.dat | family_berbew
behavioral2/files/0x0006000000022e25-240.dat | family_berbew
behavioral2/files/0x0006000000022e25-242.dat | family_berbew
behavioral2/files/0x0006000000022e27-248.dat | family_berbew
behavioral2/files/0x0006000000022e27-249.dat | family_berbew
behavioral2/files/0x0006000000022e29-257.dat | family_berbew
Executes dropped EXE (64 IoCs)
Listed in execution order; each process is the child of the one above it (see "Suspicious use of WriteProcessMemory" and the process tree).
pid | Process
1832 | Ccgjopal.exe
1368 | Dmoohe32.exe
5096 | Dcigeooj.exe
1100 | Difpmfna.exe
3668 | Dpphjp32.exe
436 | Dfjpfj32.exe
3100 | Dmdhcddh.exe
2120 | Dikihe32.exe
1740 | Dfoiaj32.exe
4524 | Dmhand32.exe
3168 | Ebejfk32.exe
4208 | Elnoopdj.exe
2208 | Eiaoid32.exe
4692 | Ecgcfm32.exe
3356 | Ejalcgkg.exe
3636 | Eblpgjha.exe
2028 | Eclmamod.exe
2384 | Emdajb32.exe
1632 | Fmkgkapm.exe
2828 | Ffclcgfn.exe
2800 | Fmndpq32.exe
4164 | Fffhifdk.exe
216 | Gpnmbl32.exe
2352 | Gjdaodja.exe
1584 | Gdlfhj32.exe
3224 | Giinpa32.exe
568 | Gpcfmkff.exe
1152 | Gikkfqmf.exe
4288 | Gingkqkd.exe
2924 | Ggahedjn.exe
5004 | Hbhijepa.exe
3096 | Hmnmgnoh.exe
3676 | Hgfapd32.exe
4884 | Hpofii32.exe
1496 | Higjaoci.exe
2836 | Hpabni32.exe
4780 | Hcpojd32.exe
1552 | Hiiggoaf.exe
3588 | Hpcodihc.exe
392 | Hgmgqc32.exe
3624 | Iljpij32.exe
1456 | Ikkpgafg.exe
3292 | Iphioh32.exe
840 | Iknmla32.exe
1392 | Iloidijb.exe
544 | Idfaefkd.exe
1628 | Ipmbjgpi.exe
4132 | Ikbfgppo.exe
2508 | Jncoikmp.exe
3872 | Jcphab32.exe
1556 | Jgnqgqan.exe
3528 | Jjlmclqa.exe
1564 | Jdaaaeqg.exe
4964 | Jnjejjgh.exe
644 | Jcgnbaeo.exe
4760 | Jnlbojee.exe
4300 | Jgeghp32.exe
3060 | Kjccdkki.exe
3540 | Kclgmq32.exe
4788 | Kmdlffhj.exe
768 | Kkeldnpi.exe
5000 | Kqbdldnq.exe
3920 | Kglmio32.exe
4784 | Kqdaadln.exe
Drops file in System32 directory (64 IoCs)
Every path is under C:\Windows\SysWOW64: each stage drops the next-stage .exe and a .dll with a similar random eight-letter name.
description | ioc | Process
File created | C:\Windows\SysWOW64\Eclmamod.exe | Eblpgjha.exe
File opened for modification | C:\Windows\SysWOW64\Aknifq32.exe | Addaif32.exe
File opened for modification | C:\Windows\SysWOW64\Ahdpjn32.exe | Aajhndkb.exe
File opened for modification | C:\Windows\SysWOW64\Apjdikqd.exe | Afappe32.exe
File created | C:\Windows\SysWOW64\Cajjjk32.exe | Ckpamabg.exe
File created | C:\Windows\SysWOW64\Gjimmmpe.dll | Fffhifdk.exe
File created | C:\Windows\SysWOW64\Dnkdmlfj.dll | Akepfpcl.exe
File created | C:\Windows\SysWOW64\Fkgillpj.exe | Fqbeoc32.exe
File created | C:\Windows\SysWOW64\Debbff32.dll | Kifojnol.exe
File opened for modification | C:\Windows\SysWOW64\Mcoljagj.exe | Mfkkqmiq.exe
File created | C:\Windows\SysWOW64\Ghcfpl32.dll | Nciopppp.exe
File created | C:\Windows\SysWOW64\Kmdlffhj.exe | Kclgmq32.exe
File created | C:\Windows\SysWOW64\Jhohnk32.dll | Kclgmq32.exe
File created | C:\Windows\SysWOW64\Mdpmoppk.dll | Ponfka32.exe
File created | C:\Windows\SysWOW64\Ieoacg32.dll | Adfnofpd.exe
File created | C:\Windows\SysWOW64\Hiciojhd.dll | Klpakj32.exe
File opened for modification | C:\Windows\SysWOW64\Nnkpnclp.exe | Nnicid32.exe
File created | C:\Windows\SysWOW64\Pknjieep.dll | Ckpamabg.exe
File created | C:\Windows\SysWOW64\Bgmakofh.dll | Eblpgjha.exe
File created | C:\Windows\SysWOW64\Fjohgj32.dll | Kpnjah32.exe
File created | C:\Windows\SysWOW64\Ildolk32.dll | Nqoloc32.exe
File created | C:\Windows\SysWOW64\Ajaelc32.exe | Adgmoigj.exe
File created | C:\Windows\SysWOW64\Labnlj32.dll | Bbhildae.exe
File created | C:\Windows\SysWOW64\Kminigbj.dll | Fnjocf32.exe
File created | C:\Windows\SysWOW64\Cqichhmn.dll | Pmoiqneg.exe
File opened for modification | C:\Windows\SysWOW64\Adkqoohc.exe | Amqhbe32.exe
File created | C:\Windows\SysWOW64\Ojqcnhkl.exe | Oqhoeb32.exe
File opened for modification | C:\Windows\SysWOW64\Pmmlla32.exe | Pbhgoh32.exe
File created | C:\Windows\SysWOW64\Egpnooan.exe | Egkddo32.exe
File created | C:\Windows\SysWOW64\Gpcfmkff.exe | Giinpa32.exe
File opened for modification | C:\Windows\SysWOW64\Jdaaaeqg.exe | Jjlmclqa.exe
File created | C:\Windows\SysWOW64\Ajihlijd.dll | Ljfhqh32.exe
File created | C:\Windows\SysWOW64\Gdlfcb32.dll | Adkqoohc.exe
File opened for modification | C:\Windows\SysWOW64\Aadghn32.exe | Ajjokd32.exe
File created | C:\Windows\SysWOW64\Ncgjgp32.dll | Dfoiaj32.exe
File opened for modification | C:\Windows\SysWOW64\Jcgnbaeo.exe | Jnjejjgh.exe
File opened for modification | C:\Windows\SysWOW64\Mmkkmc32.exe | Mkjnfkma.exe
File created | C:\Windows\SysWOW64\Debcil32.dll | Nhegig32.exe
File opened for modification | C:\Windows\SysWOW64\Gqnejaff.exe | Gcghkm32.exe
File created | C:\Windows\SysWOW64\Jncoikmp.exe | Ikbfgppo.exe
File opened for modification | C:\Windows\SysWOW64\Manmoq32.exe | Mnpabe32.exe
File opened for modification | C:\Windows\SysWOW64\Poimpapp.exe | Plkpcfal.exe
File opened for modification | C:\Windows\SysWOW64\Kmdlffhj.exe | Kclgmq32.exe
File opened for modification | C:\Windows\SysWOW64\Lnjnqh32.exe | Lklbdm32.exe
File opened for modification | C:\Windows\SysWOW64\Ahaceo32.exe | Akepfpcl.exe
File created | C:\Windows\SysWOW64\Dnljkk32.exe | Dgbanq32.exe
File opened for modification | C:\Windows\SysWOW64\Dnljkk32.exe | Dgbanq32.exe
File created | C:\Windows\SysWOW64\Enabbk32.dll | Elnoopdj.exe
File opened for modification | C:\Windows\SysWOW64\Iphioh32.exe | Ikkpgafg.exe
File created | C:\Windows\SysWOW64\Dmeoam32.dll | Kgninn32.exe
File opened for modification | C:\Windows\SysWOW64\Aggpfkjj.exe | Ahdpjn32.exe
File created | C:\Windows\SysWOW64\Paenokbf.dll | Aaiqcnhg.exe
File created | C:\Windows\SysWOW64\Mcdeeq32.exe | Mljmhflh.exe
File opened for modification | C:\Windows\SysWOW64\Elnoopdj.exe | Ebejfk32.exe
File created | C:\Windows\SysWOW64\Mbddol32.dll | Cgklmacf.exe
File created | C:\Windows\SysWOW64\Cildom32.exe | Ckidcpjl.exe
File opened for modification | C:\Windows\SysWOW64\Dahfkimd.exe | Dnljkk32.exe
File opened for modification | C:\Windows\SysWOW64\Gjdaodja.exe | Gpnmbl32.exe
File created | C:\Windows\SysWOW64\Jjgobjmp.dll | Njinmf32.exe
File created | C:\Windows\SysWOW64\Palbgl32.exe | Ponfka32.exe
File opened for modification | C:\Windows\SysWOW64\Pfepdg32.exe | Pmmlla32.exe
File opened for modification | C:\Windows\SysWOW64\Aajhndkb.exe | Aokkahlo.exe
File opened for modification | C:\Windows\SysWOW64\Cdolgfbp.exe | Cmedjl32.exe
File created | C:\Windows\SysWOW64\Nepmal32.dll | Ccppmc32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
8344 | 8280 | WerFault.exe | 379
WerFault.exe (pid 8344) handled a crash in process 8280 (Triage process index 379). That process lies beyond the 64-row cutoff of the tables on this page, so its image name is not shown here.
Modifies registry class (64 IoCs)
These rows register the CLSID that the SSODL value above points at: the InProcServer32 (Default) value names a DLL dropped into C:\Windows\SysWow64 (Pknjieep.dll, Mdpmoppk.dll and Paenokbf.dll also appear in "Drops file in System32 directory"), and ThreadingModel is set to "Apartment". Successive stages overwrite the DLL path, so only the last writer's DLL is what Explorer loads at the next logon.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Likhem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nciopppp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiacfqch.dll" | Jjlmclqa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akepfpcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahdpjn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmhocd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnjnqh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lqndhcdc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbibfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll" | Ckpamabg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkeldnpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmoiqneg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bklomh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll" | Cildom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akqfkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ojcpdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binnimfj.dll" | Dpphjp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkeldnpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghghj32.dll" | Lklbdm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Plmmif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eclmamod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebcnn32.dll" | Omegjomb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmoohe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipmbjgpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll" | Fcneeo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Giinpa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmjmekgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnoddcef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcdeeq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbobmnod.dll" | Mkmkkjko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpmoppk.dll" | Ponfka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imakphnc.dll" | Qeodhjmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll" | Bdojjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll" | Aaiqcnhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mcecjmkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoljp32.dll" | Aknifq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aopemh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajjokd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dikihe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odalmibl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll" | Dpmcmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll" | Oqhoeb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ojqcnhkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Biklho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lqkgbcff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncofplba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnljkk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkibgh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnicid32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aknifq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gqnejaff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhmbqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgogbi32.dll" | Lebijnak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliapk32.dll" | Afcmfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjaopom.dll" | Gpcfmkff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flafeh32.dll" | Jncoikmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pecellgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amqhbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfmkfhq.dll" | Jcgnbaeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogacbllg.dll" | Pecellgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbidcgp.dll" | Apaadpng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fnjocf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgnqgqan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bddcenpi.exe
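The two registry tables above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are the two halves of one persistence mechanism, and a detection that looks at either half alone misses the point: the SSODL value only names a CLSID, and the CLSID registration only names a DLL. The script below is an added example written for this page; it is not Triage's code and not the sample's. It parses rows in the exact text form the report prints them (so it can be pasted over the tables above or over the same three fields from Sysmon registry events), joins the SSODL value to the InProcServer32 registration through the CLSID, and reports who wrote each half. The input rows are constructed: six are copied from the tables above and one Run-key row (ExampleUpdater, setup.exe) is made up as a control that must be ignored.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One row of a Triage registry table, in the text form the report prints:
#   Set value (str) <key>\<value name> = "<data>" <process>
#   Key created <key> <process>
# An empty value name (trailing backslash before ' = ') is the key's (Default) value.
ROW_RE = re.compile(
    r'^(?P<action>Set value \(\w+\)|Key created) '
    r'(?P<target>\\REGISTRY\\.*?)'
    r'(?: = "(?P<data>.*)")? '
    r'(?P<process>\S+)$'
)
CLSID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
INPROC_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[^}]+\})\\InProcServer32$', re.I)
SSODL_SUFFIX = "\\SHELLSERVICEOBJECTDELAYLOAD"

# Constructed input: six rows copied from this report's two registry tables plus one
# made-up Run-key row (ExampleUpdater / setup.exe) that the correlation must ignore.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcphab32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjccdkki.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfaefkd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Likhem32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiacfqch.dll" Jjlmclqa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akepfpcl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" setup.exe
""".strip().splitlines()


@dataclass
class RegRow:
    action: str
    key: str
    name: Optional[str]      # value name; "" is (Default); None for "Key created"
    data: Optional[str]
    process: str


@dataclass
class SsodlFinding:
    clsid: str
    value_name: str
    dll: Optional[str] = None                 # InProcServer32 (Default): what Explorer loads
    ssodl_writers: List[str] = field(default_factory=list)
    inproc_writers: List[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # Both halves seen: the SSODL value naming the CLSID and a DLL path for it.
        return self.dll is not None


def parse_row(line: str) -> Optional[RegRow]:
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    action, target, data, process = m.group("action", "target", "data", "process")
    if action == "Key created":
        return RegRow(action, target, None, None, process)
    key, _, name = target.rpartition("\\")
    # Triage prints backslashes inside string data doubled ("C:\\Windows\\..."); undo it.
    return RegRow(action, key, name, (data or "").replace("\\\\", "\\"), process)


def correlate(lines) -> List[SsodlFinding]:
    findings: Dict[str, SsodlFinding] = {}
    registrations: Dict[str, list] = {}   # clsid -> [dll path or None, writer processes]
    for row in filter(None, map(parse_row, lines)):
        if row.action == "Key created":
            continue                       # creation alone carries no CLSID or path
        if row.key.upper().endswith(SSODL_SUFFIX) and CLSID_RE.match(row.data):
            clsid = row.data.upper()
            f = findings.setdefault(clsid, SsodlFinding(clsid, row.name))
            f.ssodl_writers.append(row.process)
            continue
        m = INPROC_RE.search(row.key)
        if m:
            reg = registrations.setdefault(m.group("clsid").upper(), [None, []])
            reg[1].append(row.process)
            if row.name == "":             # (Default) value holds the DLL path
                reg[0] = row.data
    for clsid, f in findings.items():
        dll, writers = registrations.get(clsid, (None, []))
        f.dll, f.inproc_writers = dll, writers
    return sorted(findings.values(), key=lambda f: f.clsid)


def summarize(findings: List[SsodlFinding]) -> List[str]:
    out = []
    for f in findings:
        status = "complete" if f.complete else "CLSID registration not seen"
        out.append(f"SSODL '{f.value_name}' -> {f.clsid} -> {f.dll or '?'} [{status}]; "
                   f"set by {sorted(set(f.ssodl_writers))}, "
                   f"registered by {sorted(set(f.inproc_writers))}")
    return out


if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_ROWS)):
        print(line)
```

On a live host the same join is made against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its WOW6432Node twin) and HKCR\CLSID\{...}\InProcServer32; the follow-up check is whether the DLL the (Default) value points at carries a valid Authenticode signature and whether the process that wrote the value is something other than an installer. Key-creation rows are deliberately skipped: on their own they carry neither the CLSID nor the path, which is why the report's "Key created" entries are uninformative without the "Set value" ones.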
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeManageVolumePrivilege | 6452 | svchost.exe
svchost.exe (pid 6452) is not one of the sample's processes in the tables on this page; treat this row as background system activity unless the full process list ties it to the chain.
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child hop is recorded three times in the report; the 64 rows collapse to the 22 hops below, which are the first 22 links of the chain in "Executes dropped EXE" (the last column is the number of identical rows).
description | pid | Process | procid_target | rows
PID 4976 wrote to memory of 1832 | 4976 | NEAS.cc78ec473211c881ae7804dd61943660.exe | 88 | x3
PID 1832 wrote to memory of 1368 | 1832 | Ccgjopal.exe | 89 | x3
PID 1368 wrote to memory of 5096 | 1368 | Dmoohe32.exe | 90 | x3
PID 5096 wrote to memory of 1100 | 5096 | Dcigeooj.exe | 91 | x3
PID 1100 wrote to memory of 3668 | 1100 | Difpmfna.exe | 92 | x3
PID 3668 wrote to memory of 436 | 3668 | Dpphjp32.exe | 93 | x3
PID 436 wrote to memory of 3100 | 436 | Dfjpfj32.exe | 94 | x3
PID 3100 wrote to memory of 2120 | 3100 | Dmdhcddh.exe | 95 | x3
PID 2120 wrote to memory of 1740 | 2120 | Dikihe32.exe | 96 | x3
PID 1740 wrote to memory of 4524 | 1740 | Dfoiaj32.exe | 97 | x3
PID 4524 wrote to memory of 3168 | 4524 | Dmhand32.exe | 98 | x3
PID 3168 wrote to memory of 4208 | 3168 | Ebejfk32.exe | 99 | x3
PID 4208 wrote to memory of 2208 | 4208 | Elnoopdj.exe | 100 | x3
PID 2208 wrote to memory of 4692 | 2208 | Eiaoid32.exe | 101 | x3
PID 4692 wrote to memory of 3356 | 4692 | Ecgcfm32.exe | 102 | x3
PID 3356 wrote to memory of 3636 | 3356 | Ejalcgkg.exe | 103 | x3
PID 3636 wrote to memory of 2028 | 3636 | Eblpgjha.exe | 104 | x3
PID 2028 wrote to memory of 2384 | 2028 | Eclmamod.exe | 106 | x3
PID 2384 wrote to memory of 1632 | 2384 | Emdajb32.exe | 108 | x3
PID 1632 wrote to memory of 2828 | 1632 | Fmkgkapm.exe | 109 | x3
PID 2828 wrote to memory of 2800 | 2828 | Ffclcgfn.exe | 110 | x3
PID 2800 wrote to memory of 4164 | 2800 | Fmndpq32.exe | 111 | x1
Processes
Process tree (the leading number is the nesting depth; each entry is a child of the one above it):
1) C:\Users\Admin\AppData\Local\Temp\NEAS.cc78ec473211c881ae7804dd61943660.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.cc78ec473211c881ae7804dd61943660.exe"), PID 4976
- Suspicious use of WriteProcessMemory
2) C:\Windows\SysWOW64\Ccgjopal.exe (command line: C:\Windows\system32\Ccgjopal.exe), PID 1832
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3) C:\Windows\SysWOW64\Dmoohe32.exe (command line: C:\Windows\system32\Dmoohe32.exe), PID 1368
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
4) C:\Windows\SysWOW64\Dcigeooj.exe (command line: C:\Windows\system32\Dcigeooj.exe), PID 5096
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5) C:\Windows\SysWOW64\Difpmfna.exe (command line: C:\Windows\system32\Difpmfna.exe), PID 1100
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6) C:\Windows\SysWOW64\Dpphjp32.exe (command line: C:\Windows\system32\Dpphjp32.exe), PID 3668
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
7) C:\Windows\SysWOW64\Dfjpfj32.exe (command line: C:\Windows\system32\Dfjpfj32.exe), PID 436
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8) C:\Windows\SysWOW64\Dmdhcddh.exe (command line: C:\Windows\system32\Dmdhcddh.exe), PID 3100
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9) C:\Windows\SysWOW64\Dikihe32.exe (command line: C:\Windows\system32\Dikihe32.exe), PID 2120
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
10) C:\Windows\SysWOW64\Dfoiaj32.exe (command line: C:\Windows\system32\Dfoiaj32.exe), PID 1740
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
11) C:\Windows\SysWOW64\Dmhand32.exe (command line: C:\Windows\system32\Dmhand32.exe), PID 4524
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12) C:\Windows\SysWOW64\Ebejfk32.exe (command line: C:\Windows\system32\Ebejfk32.exe), PID 3168
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
13) C:\Windows\SysWOW64\Elnoopdj.exe (command line: C:\Windows\system32\Elnoopdj.exe), PID 4208
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
14) C:\Windows\SysWOW64\Eiaoid32.exe (command line: C:\Windows\system32\Eiaoid32.exe), PID 2208
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15) C:\Windows\SysWOW64\Ecgcfm32.exe (command line: C:\Windows\system32\Ecgcfm32.exe), PID 4692
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16) C:\Windows\SysWOW64\Ejalcgkg.exe (command line: C:\Windows\system32\Ejalcgkg.exe), PID 3356
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17) C:\Windows\SysWOW64\Eblpgjha.exe (command line: C:\Windows\system32\Eblpgjha.exe), PID 3636
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
18) C:\Windows\SysWOW64\Eclmamod.exe (command line: C:\Windows\system32\Eclmamod.exe), PID 2028
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
19) C:\Windows\SysWOW64\Emdajb32.exe (command line: C:\Windows\system32\Emdajb32.exe), PID 2384
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20) C:\Windows\SysWOW64\Fmkgkapm.exe (command line: C:\Windows\system32\Fmkgkapm.exe), PID 1632
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21) C:\Windows\SysWOW64\Ffclcgfn.exe (command line: C:\Windows\system32\Ffclcgfn.exe), PID 2828
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22) C:\Windows\SysWOW64\Fmndpq32.exe (command line: C:\Windows\system32\Fmndpq32.exe), PID 2800
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23) C:\Windows\SysWOW64\Fffhifdk.exe (command line: C:\Windows\system32\Fffhifdk.exe), PID 4164
- Executes dropped EXE
- Drops file in System32 directory
24) C:\Windows\SysWOW64\Gpnmbl32.exe (command line: C:\Windows\system32\Gpnmbl32.exe), PID 216
- Executes dropped EXE
- Drops file in System32 directory
25) C:\Windows\SysWOW64\Gjdaodja.exe (command line: C:\Windows\system32\Gjdaodja.exe), PID 2352
- Executes dropped EXE
26) C:\Windows\SysWOW64\Gdlfhj32.exe (command line: C:\Windows\system32\Gdlfhj32.exe), PID 1584
- Executes dropped EXE
27) C:\Windows\SysWOW64\Giinpa32.exe (command line: C:\Windows\system32\Giinpa32.exe), PID 3224
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
28) C:\Windows\SysWOW64\Gpcfmkff.exe (command line: C:\Windows\system32\Gpcfmkff.exe), PID 568
- Executes dropped EXE
- Modifies registry class
29) C:\Windows\SysWOW64\Gikkfqmf.exe (command line: C:\Windows\system32\Gikkfqmf.exe), PID 1152
- Executes dropped EXE
30) C:\Windows\SysWOW64\Gingkqkd.exe (command line: C:\Windows\system32\Gingkqkd.exe), PID 4288
- Executes dropped EXE
31) C:\Windows\SysWOW64\Ggahedjn.exe (command line: C:\Windows\system32\Ggahedjn.exe), PID 2924
- Executes dropped EXE
32) C:\Windows\SysWOW64\Hbhijepa.exe (command line: C:\Windows\system32\Hbhijepa.exe), PID 5004
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
33) C:\Windows\SysWOW64\Hmnmgnoh.exe (command line: C:\Windows\system32\Hmnmgnoh.exe), PID 3096
- Executes dropped EXE
34) C:\Windows\SysWOW64\Hgfapd32.exe (command line: C:\Windows\system32\Hgfapd32.exe), PID 3676
- Executes dropped EXE
35) C:\Windows\SysWOW64\Hpofii32.exe (command line: C:\Windows\system32\Hpofii32.exe), PID 4884
- Executes dropped EXE
36) C:\Windows\SysWOW64\Higjaoci.exe (command line: C:\Windows\system32\Higjaoci.exe), PID 1496
- Executes dropped EXE
37) C:\Windows\SysWOW64\Hpabni32.exe (command line: C:\Windows\system32\Hpabni32.exe), PID 2836
- Executes dropped EXE
38) C:\Windows\SysWOW64\Hcpojd32.exe (command line: C:\Windows\system32\Hcpojd32.exe), PID 4780
- Executes dropped EXE
39) C:\Windows\SysWOW64\Hiiggoaf.exe (command line: C:\Windows\system32\Hiiggoaf.exe), PID 1552
- Executes dropped EXE
40) C:\Windows\SysWOW64\Hpcodihc.exe (command line: C:\Windows\system32\Hpcodihc.exe), PID 3588
- Executes dropped EXE
41) C:\Windows\SysWOW64\Hgmgqc32.exe (command line: C:\Windows\system32\Hgmgqc32.exe), PID 392
- Executes dropped EXE
42) C:\Windows\SysWOW64\Iljpij32.exe (command line: C:\Windows\system32\Iljpij32.exe), PID 3624
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
43) C:\Windows\SysWOW64\Ikkpgafg.exe (command line: C:\Windows\system32\Ikkpgafg.exe), PID 1456
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
44) C:\Windows\SysWOW64\Iphioh32.exe (command line: C:\Windows\system32\Iphioh32.exe), PID 3292
- Executes dropped EXE
45) C:\Windows\SysWOW64\Iknmla32.exe (command line: C:\Windows\system32\Iknmla32.exe), PID 840
- Executes dropped EXE
46) C:\Windows\SysWOW64\Iloidijb.exe (command line: C:\Windows\system32\Iloidijb.exe), PID 1392
- Executes dropped EXE
47) C:\Windows\SysWOW64\Idfaefkd.exe (command line: C:\Windows\system32\Idfaefkd.exe), PID 544
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
48) C:\Windows\SysWOW64\Ipmbjgpi.exe (command line: C:\Windows\system32\Ipmbjgpi.exe), PID 1628
- Executes dropped EXE
- Modifies registry class
49) C:\Windows\SysWOW64\Ikbfgppo.exe (command line: C:\Windows\system32\Ikbfgppo.exe), PID 4132
- Executes dropped EXE
- Drops file in System32 directory
50) C:\Windows\SysWOW64\Jncoikmp.exe (command line: C:\Windows\system32\Jncoikmp.exe), PID 2508
- Executes dropped EXE
- Modifies registry class
51) C:\Windows\SysWOW64\Jcphab32.exe (command line: C:\Windows\system32\Jcphab32.exe), PID 3872
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
52) C:\Windows\SysWOW64\Jgnqgqan.exe (command line: C:\Windows\system32\Jgnqgqan.exe), PID 1556
- Executes dropped EXE
- Modifies registry class
53) C:\Windows\SysWOW64\Jjlmclqa.exe (command line: C:\Windows\system32\Jjlmclqa.exe), PID 3528
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
54) C:\Windows\SysWOW64\Jdaaaeqg.exe (command line: C:\Windows\system32\Jdaaaeqg.exe), PID 1564
- Executes dropped EXE
55) C:\Windows\SysWOW64\Jnjejjgh.exe (command line: C:\Windows\system32\Jnjejjgh.exe), PID 4964
- Executes dropped EXE
- Drops file in System32 directory
56) C:\Windows\SysWOW64\Jcgnbaeo.exe (command line: C:\Windows\system32\Jcgnbaeo.exe), PID 644
- Executes dropped EXE
- Modifies registry class
57) C:\Windows\SysWOW64\Jnlbojee.exe (command line: C:\Windows\system32\Jnlbojee.exe), PID 4760
- Executes dropped EXE
58) C:\Windows\SysWOW64\Jgeghp32.exe (command line: C:\Windows\system32\Jgeghp32.exe), PID 4300
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
59) C:\Windows\SysWOW64\Kjccdkki.exe (command line: C:\Windows\system32\Kjccdkki.exe), PID 3060
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
60) C:\Windows\SysWOW64\Kclgmq32.exe (command line: C:\Windows\system32\Kclgmq32.exe), PID 3540
- Executes dropped EXE
- Drops file in System32 directory
61) C:\Windows\SysWOW64\Kmdlffhj.exe (command line: C:\Windows\system32\Kmdlffhj.exe), PID 4788
- Executes dropped EXE
62) C:\Windows\SysWOW64\Kkeldnpi.exe (command line: C:\Windows\system32\Kkeldnpi.exe), PID 768
- Executes dropped EXE
- Modifies registry class
63) C:\Windows\SysWOW64\Kqbdldnq.exe (command line: C:\Windows\system32\Kqbdldnq.exe), PID 5000
- Executes dropped EXE
64) C:\Windows\SysWOW64\Kglmio32.exe (command line: C:\Windows\system32\Kglmio32.exe), PID 3920
- Executes dropped EXE
65) C:\Windows\SysWOW64\Kqdaadln.exe (command line: C:\Windows\system32\Kqdaadln.exe), PID 4784
- Executes dropped EXE
66) C:\Windows\SysWOW64\Kgninn32.exe (command line: C:\Windows\system32\Kgninn32.exe), PID 8
- Drops file in System32 directory
67) C:\Windows\SysWOW64\Knhakh32.exe (command line: C:\Windows\system32\Knhakh32.exe), PID 4736
68) C:\Windows\SysWOW64\Kdbjhbbd.exe (command line: C:\Windows\system32\Kdbjhbbd.exe), PID 3028
- Adds autorun key to be loaded by Explorer.exe on startup
69) C:\Windows\SysWOW64\Lklbdm32.exe (command line: C:\Windows\system32\Lklbdm32.exe), PID 4944
- Drops file in System32 directory
- Modifies registry class
70) C:\Windows\SysWOW64\Lnjnqh32.exe (command line: C:\Windows\system32\Lnjnqh32.exe), PID 3128
- Modifies registry class
71) C:\Windows\SysWOW64\Lgccinoe.exe (command line: C:\Windows\system32\Lgccinoe.exe), PID 3908
72) C:\Windows\SysWOW64\Lnmkfh32.exe (command line: C:\Windows\system32\Lnmkfh32.exe), PID 1288
73) C:\Windows\SysWOW64\Lqkgbcff.exe (command line: C:\Windows\system32\Lqkgbcff.exe), PID 212
- Modifies registry class
74) C:\Windows\SysWOW64\Lcjcnoej.exe (command line: C:\Windows\system32\Lcjcnoej.exe), PID 60
75) C:\Windows\SysWOW64\Ljclki32.exe (command line: C:\Windows\system32\Ljclki32.exe), PID 4744
- Adds autorun key to be loaded by Explorer.exe on startup
76) C:\Windows\SysWOW64\Lqndhcdc.exe (command line: C:\Windows\system32\Lqndhcdc.exe), PID 64
- Modifies registry class
77) C:\Windows\SysWOW64\Lggldm32.exe (command line: C:\Windows\system32\Lggldm32.exe), PID 5132
78) C:\Windows\SysWOW64\Ljfhqh32.exe (command line: C:\Windows\system32\Ljfhqh32.exe), PID 5248
- Drops file in System32 directory
79) C:\Windows\SysWOW64\Mnfnlf32.exe (command line: C:\Windows\system32\Mnfnlf32.exe), PID 5292
80) C:\Windows\SysWOW64\Mccfdmmo.exe (command line: C:\Windows\system32\Mccfdmmo.exe), PID 5336
81) C:\Windows\SysWOW64\Mkjnfkma.exe (command line: C:\Windows\system32\Mkjnfkma.exe), PID 5376
- Drops file in System32 directory
82) C:\Windows\SysWOW64\Mmkkmc32.exe (command line: C:\Windows\system32\Mmkkmc32.exe), PID 5424
83) C:\Windows\SysWOW64\Mcecjmkl.exe (command line: C:\Windows\system32\Mcecjmkl.exe), PID 5464
- Modifies registry class
84) C:\Windows\SysWOW64\Mkmkkjko.exe (command line: C:\Windows\system32\Mkmkkjko.exe), PID 5528
- Modifies registry class
85) C:\Windows\SysWOW64\Maiccajf.exe (command line: C:\Windows\system32\Maiccajf.exe), PID 5572
86) C:\Windows\SysWOW64\Mjahlgpf.exe (command line: C:\Windows\system32\Mjahlgpf.exe), PID 5616
87) C:\Windows\SysWOW64\Megljppl.exe (command line: C:\Windows\system32\Megljppl.exe), PID 5656
88) C:\Windows\SysWOW64\Mnpabe32.exe (command line: C:\Windows\system32\Mnpabe32.exe), PID 5704
- Drops file in System32 directory
89) C:\Windows\SysWOW64\Manmoq32.exe (command line: C:\Windows\system32\Manmoq32.exe), PID 5748
90) C:\Windows\SysWOW64\Nghekkmn.exe (command line: C:\Windows\system32\Nghekkmn.exe), PID 5792
91) C:\Windows\SysWOW64\Njfagf32.exe (command line: C:\Windows\system32\Njfagf32.exe), PID 5832
92) C:\Windows\SysWOW64\Napjdpcn.exe (command line: C:\Windows\system32\Napjdpcn.exe), PID 5876
93) C:\Windows\SysWOW64\Ncofplba.exe (command line: C:\Windows\system32\Ncofplba.exe), PID 5920
- Modifies registry class
94) C:\Windows\SysWOW64\Njinmf32.exe (command line: C:\Windows\system32\Njinmf32.exe), PID 5964
- Drops file in System32 directory
95) C:\Windows\SysWOW64\Nabfjpak.exe (command line: C:\Windows\system32\Nabfjpak.exe), PID 6004
96) C:\Windows\SysWOW64\Ncabfkqo.exe (command line: C:\Windows\system32\Ncabfkqo.exe), PID 6052
97) C:\Windows\SysWOW64\Njkkbehl.exe (command line: C:\Windows\system32\Njkkbehl.exe), PID 6096
98) C:\Windows\SysWOW64\Nmigoagp.exe (command line: C:\Windows\system32\Nmigoagp.exe), PID 6140
99) C:\Windows\SysWOW64\Nhokljge.exe (command line: C:\Windows\system32\Nhokljge.exe), PID 5256
100) C:\Windows\SysWOW64\Nnicid32.exe (command line: C:\Windows\system32\Nnicid32.exe), PID 5324
- Drops file in System32 directory
- Modifies registry class
101) C:\Windows\SysWOW64\Nnkpnclp.exe (command line: C:\Windows\system32\Nnkpnclp.exe), PID 5408
- Adds autorun key to be loaded by Explorer.exe on startup
102) C:\Windows\SysWOW64\Najmjokc.exe (command line: C:\Windows\system32\Najmjokc.exe), PID 5488
- Adds autorun key to be loaded by Explorer.exe on startup
103) C:\Windows\SysWOW64\Ohcegi32.exe (command line: C:\Windows\system32\Ohcegi32.exe), PID 5556
104) C:\Windows\SysWOW64\Onnmdcjm.exe (command line: C:\Windows\system32\Onnmdcjm.exe), PID 5636
105) C:\Windows\SysWOW64\Oalipoiq.exe (command line: C:\Windows\system32\Oalipoiq.exe), PID 5712
106) C:\Windows\SysWOW64\Odjeljhd.exe (command line: C:\Windows\system32\Odjeljhd.exe), PID 5776
107) C:\Windows\SysWOW64\Ojdnid32.exe (command line: C:\Windows\system32\Ojdnid32.exe), PID 5844
108) C:\Windows\SysWOW64\Oejbfmpg.exe (command line: C:\Windows\system32\Oejbfmpg.exe), PID 5908
- Adds autorun key to be loaded by Explorer.exe on startup
109) C:\Windows\SysWOW64\Oldjcg32.exe (command line: C:\Windows\system32\Oldjcg32.exe), PID 5988
110) C:\Windows\SysWOW64\Omegjomb.exe (command line: C:\Windows\system32\Omegjomb.exe), PID 6036
- Modifies registry class
111) C:\Windows\SysWOW64\Odoogi32.exe (command line: C:\Windows\system32\Odoogi32.exe), PID 6132
112) C:\Windows\SysWOW64\Olfghg32.exe (command line: C:\Windows\system32\Olfghg32.exe), PID 5188
- Adds autorun key to be loaded by Explorer.exe on startup
113) C:\Windows\SysWOW64\Oodcdb32.exe (command line: C:\Windows\system32\Oodcdb32.exe), PID 5356
114) C:\Windows\SysWOW64\Oacoqnci.exe (command line: C:\Windows\system32\Oacoqnci.exe), PID 5436
115) C:\Windows\SysWOW64\Odalmibl.exe (command line: C:\Windows\system32\Odalmibl.exe), PID 5600
- Modifies registry class
116) C:\Windows\SysWOW64\Okkdic32.exe (command line: C:\Windows\system32\Okkdic32.exe), PID 5784
- Adds autorun key to be loaded by Explorer.exe on startup
117) C:\Windows\SysWOW64\Paelfmaf.exe (command line: C:\Windows\system32\Paelfmaf.exe), PID 5808
118) C:\Windows\SysWOW64\Plkpcfal.exe (command line: C:\Windows\system32\Plkpcfal.exe), PID 5972
- Drops file in System32 directory
119) C:\Windows\SysWOW64\Poimpapp.exe (command line: C:\Windows\system32\Poimpapp.exe), PID 6060
- Adds autorun key to be loaded by Explorer.exe on startup
120) C:\Windows\SysWOW64\Pecellgl.exe (command line: C:\Windows\system32\Pecellgl.exe), PID 3288
- Modifies registry class
121) C:\Windows\SysWOW64\Plmmif32.exe (command line: C:\Windows\system32\Plmmif32.exe), PID 5448
- Modifies registry class
122) C:\Windows\SysWOW64\Pmoiqneg.exe (command line: C:\Windows\system32\Pmoiqneg.exe), PID 5536
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class