Analysis
max time kernel: 141s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/10/2023, 17:18
Behavioral task: behavioral1
Sample: NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe
Size: 176KB
MD5: 46c11c5ac8c550c05bdf14211b5fe3a0
SHA1: 63a43f3340c8cf3b9a9388932afa45d97031840c
SHA256: 72aae504d785449cc96d73eba4ded262c9c8459e35cbd59d509d1a83897a3369
SHA512: 88889d55987419236f9d9355bb77ec5537c1729dacfeb276fd9660b0c0b034bc7dcb2f859722326198f6690a42f3132099414f0226c3ddec293361e65c17f7ba
SSDEEP: 3072:xAw/IMYd5xIFgo1cjENRZ9wmAOIayGsOOJF4EISi/i4gG4npAjmA39QQIckJI:xAZMYdkFgo1nTZ9EaUn4yjK99QQd
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgfdmlcm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpiljh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnhidk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poimpapp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gimqajgh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncqlkemc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aokkahlo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckeimm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffqhcq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfgipd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnafno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hienlpel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfbcke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnjqmpgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Falcae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbcfhibj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flngfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkmkkjko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pldcjeia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfaajnfb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bajqda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Injmcmej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgkdbacp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlepcdoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnaaib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjmkoeqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpnmbl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odhifjkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnfihkqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgbloglj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qeodhjmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bakgoh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jphkkpbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcdciiec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifgldfio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifihif32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijfnmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdobnj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klcekpdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boihcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knbiofhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggbook32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iafonaao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnmdme32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkfadkgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifmqfm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iojbpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpaekqhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmbanbmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amjillkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdenmbkk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gklnjj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Najmjokc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flkdfh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lckiihok.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fibhpbea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neclenfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckeimm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iafonaao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cofnik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfjfecno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knbiofhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikpjbq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ljclki32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/2168-0-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x000500000001e9bf-5.dat | family_berbew
behavioral2/memory/1932-7-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x000500000001e9bf-8.dat | family_berbew
behavioral2/files/0x0007000000022e25-14.dat | family_berbew
behavioral2/memory/4540-16-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022e25-15.dat | family_berbew
behavioral2/files/0x0006000000022e29-22.dat | family_berbew
behavioral2/memory/896-24-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e29-23.dat | family_berbew
behavioral2/files/0x0006000000022e2b-30.dat | family_berbew
behavioral2/memory/2252-32-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e2b-31.dat | family_berbew
behavioral2/files/0x0006000000022e2d-38.dat | family_berbew
behavioral2/files/0x0006000000022e2d-39.dat | family_berbew
behavioral2/memory/1340-40-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e31-46.dat | family_berbew
behavioral2/memory/3340-47-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e31-48.dat | family_berbew
behavioral2/files/0x0006000000022e34-54.dat | family_berbew
behavioral2/memory/4452-55-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e34-56.dat | family_berbew
behavioral2/files/0x0006000000022e38-62.dat | family_berbew
behavioral2/files/0x0006000000022e38-64.dat | family_berbew
behavioral2/memory/3048-63-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/memory/4172-71-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022e26-70.dat | family_berbew
behavioral2/files/0x0007000000022e26-72.dat | family_berbew
behavioral2/files/0x0006000000022e3b-78.dat | family_berbew
behavioral2/memory/1628-79-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e3b-80.dat | family_berbew
behavioral2/files/0x0006000000022e3d-81.dat | family_berbew
behavioral2/files/0x0006000000022e3d-86.dat | family_berbew
behavioral2/memory/3440-88-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e3d-87.dat | family_berbew
behavioral2/files/0x0006000000022e3f-94.dat | family_berbew
behavioral2/files/0x0006000000022e3f-95.dat | family_berbew
behavioral2/memory/4564-96-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e42-104.dat | family_berbew
behavioral2/memory/2392-103-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e42-102.dat | family_berbew
behavioral2/files/0x0006000000022e44-111.dat | family_berbew
behavioral2/memory/3384-112-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e44-110.dat | family_berbew
behavioral2/files/0x0006000000022e4c-118.dat | family_berbew
behavioral2/memory/1036-120-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e4c-119.dat | family_berbew
behavioral2/files/0x0006000000022e4e-126.dat | family_berbew
behavioral2/memory/1252-127-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e4e-128.dat | family_berbew
behavioral2/files/0x0006000000022e50-134.dat | family_berbew
behavioral2/files/0x0006000000022e50-136.dat | family_berbew
behavioral2/memory/1460-135-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e52-143.dat | family_berbew
behavioral2/files/0x0006000000022e52-142.dat | family_berbew
behavioral2/memory/3792-144-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e54-150.dat | family_berbew
behavioral2/files/0x0006000000022e56-159.dat | family_berbew
behavioral2/files/0x0006000000022e56-158.dat | family_berbew
behavioral2/memory/1840-160-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/memory/3672-152-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022e54-151.dat | family_berbew
behavioral2/files/0x0006000000022e58-166.dat | family_berbew
behavioral2/memory/416-167-0x0000000000400000-0x000000000043E000-memory.dmp | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
1932 | Iickkbje.exe
4540 | Ifgldfio.exe
896 | Ifihif32.exe
2252 | Jkhngl32.exe
1340 | Jbbfdfkn.exe
3340 | Joffnk32.exe
4452 | Jfpojead.exe
3048 | Jbgoof32.exe
4172 | Jnnpdg32.exe
1628 | Jgfdmlcm.exe
3440 | Jfgdkd32.exe
4564 | Knbiofhg.exe
2392 | Klfjijgq.exe
3384 | Keonap32.exe
1036 | Khmknk32.exe
1252 | Kimghn32.exe
1460 | Kiodmn32.exe
3792 | Kpiljh32.exe
3672 | Kfcdfbqo.exe
1840 | Lpkiph32.exe
416 | Lpneegel.exe
3016 | Lhijijbg.exe
4272 | Lihfcm32.exe
1800 | Falcae32.exe
868 | Fdkpma32.exe
3680 | Gijekg32.exe
2068 | Gdoihpbk.exe
988 | Gklnjj32.exe
4880 | Ggbook32.exe
4236 | Hdilnojp.exe
5040 | Hdkidohn.exe
1908 | Hjhalefe.exe
2644 | Hjjnae32.exe
4772 | Hdpbon32.exe
1528 | Hjlkge32.exe
3460 | Ihnkel32.exe
3252 | Iafonaao.exe
4840 | Iddljmpc.exe
3200 | Ijadbdoj.exe
2300 | Ihbdplfi.exe
1612 | Ijcahd32.exe
4276 | Idieem32.exe
3256 | Ijfnmc32.exe
408 | Idkbkl32.exe
3276 | Cjecpkcg.exe
4068 | Ckfphc32.exe
5056 | Fbcfhibj.exe
3364 | Fimodc32.exe
4636 | Fjmkoeqi.exe
3928 | Flngfn32.exe
1736 | Fibhpbea.exe
4328 | Flqdlnde.exe
1804 | Fjadje32.exe
1576 | Gpnmbl32.exe
1936 | Gmbmkpie.exe
4532 | Gpqjglii.exe
232 | Gdobnj32.exe
1988 | Gpecbk32.exe
2556 | Hgdejd32.exe
4904 | Hlambk32.exe
2436 | Hienlpel.exe
1392 | Hkdjfb32.exe
3692 | Hpabni32.exe
1324 | Hgmgqc32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ocoaob32.dll | Gidnkkpc.exe
File created | C:\Windows\SysWOW64\Ljcpchlo.dll | Iibccgep.exe
File created | C:\Windows\SysWOW64\Jjpode32.exe | Jphkkpbp.exe
File opened for modification | C:\Windows\SysWOW64\Kfcdfbqo.exe | Kpiljh32.exe
File created | C:\Windows\SysWOW64\Djiiimel.dll | Icknfcol.exe
File created | C:\Windows\SysWOW64\Polalahi.dll | Jghpbk32.exe
File created | C:\Windows\SysWOW64\Jdgccn32.dll | Ekodjiol.exe
File opened for modification | C:\Windows\SysWOW64\Ljqhkckn.exe | Lgbloglj.exe
File opened for modification | C:\Windows\SysWOW64\Jbgoof32.exe | Jfpojead.exe
File opened for modification | C:\Windows\SysWOW64\Jlfpdh32.exe | Ikdcmpnl.exe
File opened for modification | C:\Windows\SysWOW64\Kkconn32.exe | Jcikgacl.exe
File created | C:\Windows\SysWOW64\Nchkcb32.dll | Dojqjdbl.exe
File opened for modification | C:\Windows\SysWOW64\Nccokk32.exe | Njkkbehl.exe
File created | C:\Windows\SysWOW64\Dkfadkgf.exe | Dheibpje.exe
File created | C:\Windows\SysWOW64\Geohklaa.exe | Gmdcfidg.exe
File created | C:\Windows\SysWOW64\Oaabap32.dll | Imgicgca.exe
File opened for modification | C:\Windows\SysWOW64\Jiiicf32.exe | Jcoaglhk.exe
File opened for modification | C:\Windows\SysWOW64\Qaqegecm.exe | Qjfmkk32.exe
File opened for modification | C:\Windows\SysWOW64\Hdkidohn.exe | Hdilnojp.exe
File opened for modification | C:\Windows\SysWOW64\Lggldm32.exe | Ljclki32.exe
File opened for modification | C:\Windows\SysWOW64\Mjkblhfo.exe | Mcqjon32.exe
File created | C:\Windows\SysWOW64\Konidd32.dll | Fmkqpkla.exe
File opened for modification | C:\Windows\SysWOW64\Nnafno32.exe | Nmbjcljl.exe
File opened for modification | C:\Windows\SysWOW64\Nqpcjj32.exe | Nnafno32.exe
File created | C:\Windows\SysWOW64\Qofmkc32.dll | Njpdnedf.exe
File created | C:\Windows\SysWOW64\Gaakdpkj.dll | Oeheqm32.exe
File created | C:\Windows\SysWOW64\Ekpped32.dll | Qlimed32.exe
File opened for modification | C:\Windows\SysWOW64\Lfbped32.exe | Lcdciiec.exe
File created | C:\Windows\SysWOW64\Hdkidohn.exe | Hdilnojp.exe
File created | C:\Windows\SysWOW64\Fmkqpkla.exe | Ffqhcq32.exe
File created | C:\Windows\SysWOW64\Ifenan32.dll | Jjpode32.exe
File opened for modification | C:\Windows\SysWOW64\Llodgnja.exe | Ljqhkckn.exe
File created | C:\Windows\SysWOW64\Gjimmmpe.dll | Fjadje32.exe
File created | C:\Windows\SysWOW64\Paedlhhc.dll | Mkmkkjko.exe
File opened for modification | C:\Windows\SysWOW64\Eeelnp32.exe | Eofgpikj.exe
File created | C:\Windows\SysWOW64\Ipgijcij.dll | Lcdciiec.exe
File created | C:\Windows\SysWOW64\Akkeajoj.dll | Mnjqmpgg.exe
File created | C:\Windows\SysWOW64\Jgfdmlcm.exe | Jnnpdg32.exe
File opened for modification | C:\Windows\SysWOW64\Palbgl32.exe | Pdhbmh32.exe
File opened for modification | C:\Windows\SysWOW64\Pldcjeia.exe | Plbfdekd.exe
File created | C:\Windows\SysWOW64\Dnmhpg32.exe | Chqogq32.exe
File created | C:\Windows\SysWOW64\Gfeaopqo.exe | Fpkibf32.exe
File created | C:\Windows\SysWOW64\Jhafck32.dll | Kcbfcigf.exe
File created | C:\Windows\SysWOW64\Dfglfdkb.exe | Dhclmp32.exe
File created | C:\Windows\SysWOW64\Idefqiag.dll | Lgbloglj.exe
File created | C:\Windows\SysWOW64\Kfcdfbqo.exe | Kpiljh32.exe
File created | C:\Windows\SysWOW64\Ijcahd32.exe | Ihbdplfi.exe
File created | C:\Windows\SysWOW64\Hhoneioi.dll | Jgkdbacp.exe
File created | C:\Windows\SysWOW64\Ojdnid32.exe | Oeheqm32.exe
File created | C:\Windows\SysWOW64\Ahoemi32.dll | Fneggdhg.exe
File opened for modification | C:\Windows\SysWOW64\Imgicgca.exe | Ifmqfm32.exe
File opened for modification | C:\Windows\SysWOW64\Iddljmpc.exe | Iafonaao.exe
File created | C:\Windows\SysWOW64\Ehighp32.dll | Ihbdplfi.exe
File created | C:\Windows\SysWOW64\Ldldehjm.dll | Hfaajnfb.exe
File created | C:\Windows\SysWOW64\Hekgfj32.exe | Hblkjo32.exe
File created | C:\Windows\SysWOW64\Qlimed32.exe | Qeodhjmo.exe
File created | C:\Windows\SysWOW64\Eobkhf32.dll | Anobgl32.exe
File opened for modification | C:\Windows\SysWOW64\Eehicoel.exe | Ekodjiol.exe
File created | C:\Windows\SysWOW64\Iomoenej.exe | Imkbnf32.exe
File created | C:\Windows\SysWOW64\Ngjbaj32.exe | Mmbanbmg.exe
File created | C:\Windows\SysWOW64\Mjfmcmai.dll | Cfpffeaj.exe
File opened for modification | C:\Windows\SysWOW64\Cnaaib32.exe | Bajqda32.exe
File opened for modification | C:\Windows\SysWOW64\Dafppp32.exe | Cpdgqmnb.exe
File created | C:\Windows\SysWOW64\Inmabofh.dll | Kkconn32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
8160 | 8004 | WerFault.exe | 383
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdobnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmafqb32.dll" | Mjkblhfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" | Enpmld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polalahi.dll" | Jghpbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jebfng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qemhbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pffgom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjecpkcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdhbmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcpel32.dll" | Kpjgaoqm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnafno32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Poimpapp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjpode32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bdickcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lqmmmmph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnangaoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmiikh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anobgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lomqcjie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll" | Oaifpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dafppp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fimodc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkdjfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efgemb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imgicgca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jiiicf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoffg32.dll" | Oogpjbbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gldglf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckfphc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jgnqgqan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgnqgqan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcoaglhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lfgipd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpdgqmnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opngmi32.dll" | Cjecpkcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qlimed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emcnmpcj.dll" | Gpelhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahdiml.dll" | Iojbpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpkiph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll" | Bdickcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehcdm32.dll" | Nenbjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfpcoefj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gijekg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcikgacl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qoelkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpnoncim.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdaaaeqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll" | Imkbnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpebke32.dll" | Jnnpdg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijfnmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkeldnpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ompfej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihbdplfi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cocacl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnmhpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jjpode32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll" | Aphnnafb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgfb32.dll" | Hpabni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kglmio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" | Oeheqm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fneggdhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll" | Lcdciiec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bajqda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpnmbl32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2168 wrote to memory of 1932 | 2168 | NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe | 86
PID 2168 wrote to memory of 1932 | 2168 | NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe | 86
PID 2168 wrote to memory of 1932 | 2168 | NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe | 86
PID 1932 wrote to memory of 4540 | 1932 | Iickkbje.exe | 87
PID 1932 wrote to memory of 4540 | 1932 | Iickkbje.exe | 87
PID 1932 wrote to memory of 4540 | 1932 | Iickkbje.exe | 87
PID 4540 wrote to memory of 896 | 4540 | Ifgldfio.exe | 88
PID 4540 wrote to memory of 896 | 4540 | Ifgldfio.exe | 88
PID 4540 wrote to memory of 896 | 4540 | Ifgldfio.exe | 88
PID 896 wrote to memory of 2252 | 896 | Ifihif32.exe | 90
PID 896 wrote to memory of 2252 | 896 | Ifihif32.exe | 90
PID 896 wrote to memory of 2252 | 896 | Ifihif32.exe | 90
PID 2252 wrote to memory of 1340 | 2252 | Jkhngl32.exe | 91
PID 2252 wrote to memory of 1340 | 2252 | Jkhngl32.exe | 91
PID 2252 wrote to memory of 1340 | 2252 | Jkhngl32.exe | 91
PID 1340 wrote to memory of 3340 | 1340 | Jbbfdfkn.exe | 92
PID 1340 wrote to memory of 3340 | 1340 | Jbbfdfkn.exe | 92
PID 1340 wrote to memory of 3340 | 1340 | Jbbfdfkn.exe | 92
PID 3340 wrote to memory of 4452 | 3340 | Joffnk32.exe | 93
PID 3340 wrote to memory of 4452 | 3340 | Joffnk32.exe | 93
PID 3340 wrote to memory of 4452 | 3340 | Joffnk32.exe | 93
PID 4452 wrote to memory of 3048 | 4452 | Jfpojead.exe | 94
PID 4452 wrote to memory of 3048 | 4452 | Jfpojead.exe | 94
PID 4452 wrote to memory of 3048 | 4452 | Jfpojead.exe | 94
PID 3048 wrote to memory of 4172 | 3048 | Jbgoof32.exe | 95
PID 3048 wrote to memory of 4172 | 3048 | Jbgoof32.exe | 95
PID 3048 wrote to memory of 4172 | 3048 | Jbgoof32.exe | 95
PID 4172 wrote to memory of 1628 | 4172 | Jnnpdg32.exe | 97
PID 4172 wrote to memory of 1628 | 4172 | Jnnpdg32.exe | 97
PID 4172 wrote to memory of 1628 | 4172 | Jnnpdg32.exe | 97
PID 1628 wrote to memory of 3440 | 1628 | Jgfdmlcm.exe | 98
PID 1628 wrote to memory of 3440 | 1628 | Jgfdmlcm.exe | 98
PID 1628 wrote to memory of 3440 | 1628 | Jgfdmlcm.exe | 98
PID 3440 wrote to memory of 4564 | 3440 | Jfgdkd32.exe | 99
PID 3440 wrote to memory of 4564 | 3440 | Jfgdkd32.exe | 99
PID 3440 wrote to memory of 4564 | 3440 | Jfgdkd32.exe | 99
PID 4564 wrote to memory of 2392 | 4564 | Knbiofhg.exe | 100
PID 4564 wrote to memory of 2392 | 4564 | Knbiofhg.exe | 100
PID 4564 wrote to memory of 2392 | 4564 | Knbiofhg.exe | 100
PID 2392 wrote to memory of 3384 | 2392 | Klfjijgq.exe | 101
PID 2392 wrote to memory of 3384 | 2392 | Klfjijgq.exe | 101
PID 2392 wrote to memory of 3384 | 2392 | Klfjijgq.exe | 101
PID 3384 wrote to memory of 1036 | 3384 | Keonap32.exe | 102
PID 3384 wrote to memory of 1036 | 3384 | Keonap32.exe | 102
PID 3384 wrote to memory of 1036 | 3384 | Keonap32.exe | 102
PID 1036 wrote to memory of 1252 | 1036 | Khmknk32.exe | 103
PID 1036 wrote to memory of 1252 | 1036 | Khmknk32.exe | 103
PID 1036 wrote to memory of 1252 | 1036 | Khmknk32.exe | 103
PID 1252 wrote to memory of 1460 | 1252 | Kimghn32.exe | 104
PID 1252 wrote to memory of 1460 | 1252 | Kimghn32.exe | 104
PID 1252 wrote to memory of 1460 | 1252 | Kimghn32.exe | 104
PID 1460 wrote to memory of 3792 | 1460 | Kiodmn32.exe | 105
PID 1460 wrote to memory of 3792 | 1460 | Kiodmn32.exe | 105
PID 1460 wrote to memory of 3792 | 1460 | Kiodmn32.exe | 105
PID 3792 wrote to memory of 3672 | 3792 | Kpiljh32.exe | 106
PID 3792 wrote to memory of 3672 | 3792 | Kpiljh32.exe | 106
PID 3792 wrote to memory of 3672 | 3792 | Kpiljh32.exe | 106
PID 3672 wrote to memory of 1840 | 3672 | Kfcdfbqo.exe | 107
PID 3672 wrote to memory of 1840 | 3672 | Kfcdfbqo.exe | 107
PID 3672 wrote to memory of 1840 | 3672 | Kfcdfbqo.exe | 107
PID 1840 wrote to memory of 416 | 1840 | Lpkiph32.exe | 108
PID 1840 wrote to memory of 416 | 1840 | Lpkiph32.exe | 108
PID 1840 wrote to memory of 416 | 1840 | Lpkiph32.exe | 108
PID 416 wrote to memory of 3016 | 416 | Lpneegel.exe | 109
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe")
- Suspicious use of WriteProcessMemory
PID: 2168

Level 2: C:\Windows\SysWOW64\Iickkbje.exe (command line: C:\Windows\system32\Iickkbje.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1932

Level 3: C:\Windows\SysWOW64\Ifgldfio.exe (command line: C:\Windows\system32\Ifgldfio.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4540

Level 4: C:\Windows\SysWOW64\Ifihif32.exe (command line: C:\Windows\system32\Ifihif32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 896

Level 5: C:\Windows\SysWOW64\Jkhngl32.exe (command line: C:\Windows\system32\Jkhngl32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2252

Level 6: C:\Windows\SysWOW64\Jbbfdfkn.exe (command line: C:\Windows\system32\Jbbfdfkn.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1340

Level 7: C:\Windows\SysWOW64\Joffnk32.exe (command line: C:\Windows\system32\Joffnk32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3340

Level 8: C:\Windows\SysWOW64\Jfpojead.exe (command line: C:\Windows\system32\Jfpojead.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4452

Level 9: C:\Windows\SysWOW64\Jbgoof32.exe (command line: C:\Windows\system32\Jbgoof32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3048

Level 10: C:\Windows\SysWOW64\Jnnpdg32.exe (command line: C:\Windows\system32\Jnnpdg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4172

Level 11: C:\Windows\SysWOW64\Jgfdmlcm.exe (command line: C:\Windows\system32\Jgfdmlcm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1628

Level 12: C:\Windows\SysWOW64\Jfgdkd32.exe (command line: C:\Windows\system32\Jfgdkd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3440

Level 13: C:\Windows\SysWOW64\Knbiofhg.exe (command line: C:\Windows\system32\Knbiofhg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4564

Level 14: C:\Windows\SysWOW64\Klfjijgq.exe (command line: C:\Windows\system32\Klfjijgq.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2392

Level 15: C:\Windows\SysWOW64\Keonap32.exe (command line: C:\Windows\system32\Keonap32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3384

Level 16: C:\Windows\SysWOW64\Khmknk32.exe (command line: C:\Windows\system32\Khmknk32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1036

Level 17: C:\Windows\SysWOW64\Kimghn32.exe (command line: C:\Windows\system32\Kimghn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1252

Level 18: C:\Windows\SysWOW64\Kiodmn32.exe (command line: C:\Windows\system32\Kiodmn32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1460

Level 19: C:\Windows\SysWOW64\Kpiljh32.exe (command line: C:\Windows\system32\Kpiljh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3792

Level 20: C:\Windows\SysWOW64\Kfcdfbqo.exe (command line: C:\Windows\system32\Kfcdfbqo.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3672

Level 21: C:\Windows\SysWOW64\Lpkiph32.exe (command line: C:\Windows\system32\Lpkiph32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1840

Level 22: C:\Windows\SysWOW64\Lpneegel.exe (command line: C:\Windows\system32\Lpneegel.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 416

Level 23: C:\Windows\SysWOW64\Lhijijbg.exe (command line: C:\Windows\system32\Lhijijbg.exe)
- Executes dropped EXE
PID: 3016

Level 24: C:\Windows\SysWOW64\Lihfcm32.exe (command line: C:\Windows\system32\Lihfcm32.exe)
- Executes dropped EXE
PID: 4272

Level 25: C:\Windows\SysWOW64\Falcae32.exe (command line: C:\Windows\system32\Falcae32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1800

Level 26: C:\Windows\SysWOW64\Fdkpma32.exe (command line: C:\Windows\system32\Fdkpma32.exe)
- Executes dropped EXE
PID: 868

Level 27: C:\Windows\SysWOW64\Gijekg32.exe (command line: C:\Windows\system32\Gijekg32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 3680

Level 28: C:\Windows\SysWOW64\Gdoihpbk.exe (command line: C:\Windows\system32\Gdoihpbk.exe)
- Executes dropped EXE
PID: 2068

Level 29: C:\Windows\SysWOW64\Gklnjj32.exe (command line: C:\Windows\system32\Gklnjj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 988

Level 30: C:\Windows\SysWOW64\Ggbook32.exe (command line: C:\Windows\system32\Ggbook32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 4880

Level 31: C:\Windows\SysWOW64\Hdilnojp.exe (command line: C:\Windows\system32\Hdilnojp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4236

Level 32: C:\Windows\SysWOW64\Hdkidohn.exe (command line: C:\Windows\system32\Hdkidohn.exe)
- Executes dropped EXE
PID: 5040

Level 33: C:\Windows\SysWOW64\Hjhalefe.exe (command line: C:\Windows\system32\Hjhalefe.exe)
- Executes dropped EXE
PID: 1908

Level 34: C:\Windows\SysWOW64\Hjjnae32.exe (command line: C:\Windows\system32\Hjjnae32.exe)
- Executes dropped EXE
PID: 2644

Level 35: C:\Windows\SysWOW64\Hdpbon32.exe (command line: C:\Windows\system32\Hdpbon32.exe)
- Executes dropped EXE
PID: 4772

Level 36: C:\Windows\SysWOW64\Hjlkge32.exe (command line: C:\Windows\system32\Hjlkge32.exe)
- Executes dropped EXE
PID: 1528

Level 37: C:\Windows\SysWOW64\Ihnkel32.exe (command line: C:\Windows\system32\Ihnkel32.exe)
- Executes dropped EXE
PID: 3460

Level 38: C:\Windows\SysWOW64\Iafonaao.exe (command line: C:\Windows\system32\Iafonaao.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 3252

Level 39: C:\Windows\SysWOW64\Iddljmpc.exe (command line: C:\Windows\system32\Iddljmpc.exe)
- Executes dropped EXE
PID: 4840

Level 40: C:\Windows\SysWOW64\Ijadbdoj.exe (command line: C:\Windows\system32\Ijadbdoj.exe)
- Executes dropped EXE
PID: 3200

Level 41: C:\Windows\SysWOW64\Ihbdplfi.exe (command line: C:\Windows\system32\Ihbdplfi.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2300

Level 42: C:\Windows\SysWOW64\Ijcahd32.exe (command line: C:\Windows\system32\Ijcahd32.exe)
- Executes dropped EXE
PID: 1612

Level 43: C:\Windows\SysWOW64\Idieem32.exe (command line: C:\Windows\system32\Idieem32.exe)
- Executes dropped EXE
PID: 4276

Level 44: C:\Windows\SysWOW64\Ijfnmc32.exe (command line: C:\Windows\system32\Ijfnmc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 3256

Level 45: C:\Windows\SysWOW64\Idkbkl32.exe (command line: C:\Windows\system32\Idkbkl32.exe)
- Executes dropped EXE
PID: 408

Level 46: C:\Windows\SysWOW64\Cjecpkcg.exe (command line: C:\Windows\system32\Cjecpkcg.exe)
- Executes dropped EXE
- Modifies registry class
PID: 3276

Level 47: C:\Windows\SysWOW64\Ckfphc32.exe (command line: C:\Windows\system32\Ckfphc32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 4068

Level 48: C:\Windows\SysWOW64\Fbcfhibj.exe (command line: C:\Windows\system32\Fbcfhibj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 5056

Level 49: C:\Windows\SysWOW64\Fimodc32.exe (command line: C:\Windows\system32\Fimodc32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 3364

Level 50: C:\Windows\SysWOW64\Fjmkoeqi.exe (command line: C:\Windows\system32\Fjmkoeqi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 4636

Level 51: C:\Windows\SysWOW64\Flngfn32.exe (command line: C:\Windows\system32\Flngfn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3928

Level 52: C:\Windows\SysWOW64\Fbhpch32.exe (command line: C:\Windows\system32\Fbhpch32.exe)
PID: 1284

Level 53: C:\Windows\SysWOW64\Fibhpbea.exe (command line: C:\Windows\system32\Fibhpbea.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1736

Level 54: C:\Windows\SysWOW64\Flqdlnde.exe (command line: C:\Windows\system32\Flqdlnde.exe)
- Executes dropped EXE
PID: 4328

Level 55: C:\Windows\SysWOW64\Fjadje32.exe (command line: C:\Windows\system32\Fjadje32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1804

Level 56: C:\Windows\SysWOW64\Gpnmbl32.exe (command line: C:\Windows\system32\Gpnmbl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1576

Level 57: C:\Windows\SysWOW64\Gmbmkpie.exe (command line: C:\Windows\system32\Gmbmkpie.exe)
- Executes dropped EXE
PID: 1936

Level 58: C:\Windows\SysWOW64\Gpqjglii.exe (command line: C:\Windows\system32\Gpqjglii.exe)
- Executes dropped EXE
PID: 4532

Level 59: C:\Windows\SysWOW64\Gdobnj32.exe (command line: C:\Windows\system32\Gdobnj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 232

Level 60: C:\Windows\SysWOW64\Gpecbk32.exe (command line: C:\Windows\system32\Gpecbk32.exe)
- Executes dropped EXE
PID: 1988

Level 61: C:\Windows\SysWOW64\Hgdejd32.exe (command line: C:\Windows\system32\Hgdejd32.exe)
- Executes dropped EXE
PID: 2556

Level 62: C:\Windows\SysWOW64\Hlambk32.exe (command line: C:\Windows\system32\Hlambk32.exe)
- Executes dropped EXE
PID: 4904

Level 63: C:\Windows\SysWOW64\Hienlpel.exe (command line: C:\Windows\system32\Hienlpel.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2436

Level 64: C:\Windows\SysWOW64\Hkdjfb32.exe (command line: C:\Windows\system32\Hkdjfb32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1392

Level 65: C:\Windows\SysWOW64\Hpabni32.exe (command line: C:\Windows\system32\Hpabni32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 3692

Level 66: C:\Windows\SysWOW64\Hgmgqc32.exe (command line: C:\Windows\system32\Hgmgqc32.exe)
- Executes dropped EXE
PID: 1324

Level 67: C:\Windows\SysWOW64\Injmcmej.exe (command line: C:\Windows\system32\Injmcmej.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3836

Level 68: C:\Windows\SysWOW64\Ikpjbq32.exe (command line: C:\Windows\system32\Ikpjbq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 4372

Level 69: C:\Windows\SysWOW64\Icknfcol.exe (command line: C:\Windows\system32\Icknfcol.exe)
- Drops file in System32 directory
PID: 3784

Level 70: C:\Windows\SysWOW64\Ikdcmpnl.exe (command line: C:\Windows\system32\Ikdcmpnl.exe)
- Drops file in System32 directory
PID: 1088

Level 71: C:\Windows\SysWOW64\Jlfpdh32.exe (command line: C:\Windows\system32\Jlfpdh32.exe)
PID: 3080

Level 72: C:\Windows\SysWOW64\Jgkdbacp.exe (command line: C:\Windows\system32\Jgkdbacp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 3472

Level 73: C:\Windows\SysWOW64\Jnelok32.exe (command line: C:\Windows\system32\Jnelok32.exe)
PID: 4812

Level 74: C:\Windows\SysWOW64\Jgnqgqan.exe (command line: C:\Windows\system32\Jgnqgqan.exe)
- Modifies registry class
PID: 2524

Level 75: C:\Windows\SysWOW64\Jnhidk32.exe (command line: C:\Windows\system32\Jnhidk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5100

Level 76: C:\Windows\SysWOW64\Jdaaaeqg.exe (command line: C:\Windows\system32\Jdaaaeqg.exe)
- Modifies registry class
PID: 4396

Level 77: C:\Windows\SysWOW64\Jddnfd32.exe (command line: C:\Windows\system32\Jddnfd32.exe)
PID: 3820

Level 78: C:\Windows\SysWOW64\Jcikgacl.exe (command line: C:\Windows\system32\Jcikgacl.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 5116

Level 79: C:\Windows\SysWOW64\Kkconn32.exe (command line: C:\Windows\system32\Kkconn32.exe)
- Drops file in System32 directory
PID: 1380

Level 80: C:\Windows\SysWOW64\Kqphfe32.exe (command line: C:\Windows\system32\Kqphfe32.exe)
PID: 4964

Level 81: C:\Windows\SysWOW64\Kkeldnpi.exe (command line: C:\Windows\system32\Kkeldnpi.exe)
- Modifies registry class
PID: 4900

Level 82: C:\Windows\SysWOW64\Kqbdldnq.exe (command line: C:\Windows\system32\Kqbdldnq.exe)
PID: 4892

Level 83: C:\Windows\SysWOW64\Kglmio32.exe (command line: C:\Windows\system32\Kglmio32.exe)
- Modifies registry class
PID: 3360

Level 84: C:\Windows\SysWOW64\Kmieae32.exe (command line: C:\Windows\system32\Kmieae32.exe)
PID: 2172

Level 85: C:\Windows\SysWOW64\Kkjeomld.exe (command line: C:\Windows\system32\Kkjeomld.exe)
PID: 1208

Level 86: C:\Windows\SysWOW64\Ljobpiql.exe (command line: C:\Windows\system32\Ljobpiql.exe)
PID: 1216

Level 87: C:\Windows\SysWOW64\Lcjcnoej.exe (command line: C:\Windows\system32\Lcjcnoej.exe)
PID: 1524

Level 88: C:\Windows\SysWOW64\Ljclki32.exe (command line: C:\Windows\system32\Ljclki32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2972

Level 89: C:\Windows\SysWOW64\Lggldm32.exe (command line: C:\Windows\system32\Lggldm32.exe)
PID: 1112

Level 90: C:\Windows\SysWOW64\Lcnmin32.exe (command line: C:\Windows\system32\Lcnmin32.exe)
PID: 1724

Level 91: C:\Windows\SysWOW64\Lndagg32.exe (command line: C:\Windows\system32\Lndagg32.exe)
PID: 1660

Level 92: C:\Windows\SysWOW64\Mcqjon32.exe (command line: C:\Windows\system32\Mcqjon32.exe)
- Drops file in System32 directory
PID: 2804

Level 93: C:\Windows\SysWOW64\Mjkblhfo.exe (command line: C:\Windows\system32\Mjkblhfo.exe)
- Modifies registry class
PID: 3436

Level 94: C:\Windows\SysWOW64\Mgobel32.exe (command line: C:\Windows\system32\Mgobel32.exe)
PID: 2248

Level 95: C:\Windows\SysWOW64\Mmkkmc32.exe (command line: C:\Windows\system32\Mmkkmc32.exe)
PID: 4216

Level 96: C:\Windows\SysWOW64\Mkmkkjko.exe (command line: C:\Windows\system32\Mkmkkjko.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 3524

Level 97: C:\Windows\SysWOW64\Mgclpkac.exe (command line: C:\Windows\system32\Mgclpkac.exe)
PID: 5028

Level 98: C:\Windows\SysWOW64\Mnmdme32.exe (command line: C:\Windows\system32\Mnmdme32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5140

Level 99: C:\Windows\SysWOW64\Megljppl.exe (command line: C:\Windows\system32\Megljppl.exe)
PID: 5184

Level 100: C:\Windows\SysWOW64\Mjdebfnd.exe (command line: C:\Windows\system32\Mjdebfnd.exe)
PID: 5224

Level 101: C:\Windows\SysWOW64\Mmbanbmg.exe (command line: C:\Windows\system32\Mmbanbmg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 5268

Level 102: C:\Windows\SysWOW64\Ngjbaj32.exe (command line: C:\Windows\system32\Ngjbaj32.exe)
PID: 5312

Level 103: C:\Windows\SysWOW64\Nmgjia32.exe (command line: C:\Windows\system32\Nmgjia32.exe)
PID: 5356

Level 104: C:\Windows\SysWOW64\Nenbjo32.exe (command line: C:\Windows\system32\Nenbjo32.exe)
- Modifies registry class
PID: 5400

Level 105: C:\Windows\SysWOW64\Njkkbehl.exe (command line: C:\Windows\system32\Njkkbehl.exe)
- Drops file in System32 directory
PID: 5444

Level 106: C:\Windows\SysWOW64\Nccokk32.exe (command line: C:\Windows\system32\Nccokk32.exe)
PID: 5488

Level 107: C:\Windows\SysWOW64\Neclenfo.exe (command line: C:\Windows\system32\Neclenfo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5532

Level 108: C:\Windows\SysWOW64\Njpdnedf.exe (command line: C:\Windows\system32\Njpdnedf.exe)
- Drops file in System32 directory
PID: 5572

Level 109: C:\Windows\SysWOW64\Najmjokc.exe (command line: C:\Windows\system32\Najmjokc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5612

Level 110: C:\Windows\SysWOW64\Odhifjkg.exe (command line: C:\Windows\system32\Odhifjkg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5656

Level 111: C:\Windows\SysWOW64\Ojbacd32.exe (command line: C:\Windows\system32\Ojbacd32.exe)
PID: 5708

Level 112: C:\Windows\SysWOW64\Oeheqm32.exe (command line: C:\Windows\system32\Oeheqm32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 5752

Level 113: C:\Windows\SysWOW64\Ojdnid32.exe (command line: C:\Windows\system32\Ojdnid32.exe)
PID: 5796

Level 114: C:\Windows\SysWOW64\Ohhnbhok.exe (command line: C:\Windows\system32\Ohhnbhok.exe)
PID: 5840

Level 115: C:\Windows\SysWOW64\Oelolmnd.exe (command line: C:\Windows\system32\Oelolmnd.exe)
PID: 5884

Level 116: C:\Windows\SysWOW64\Oogpjbbb.exe (command line: C:\Windows\system32\Oogpjbbb.exe)
- Modifies registry class
PID: 5928

Level 117: C:\Windows\SysWOW64\Pddhbipj.exe (command line: C:\Windows\system32\Pddhbipj.exe)
PID: 5972

Level 118: C:\Windows\SysWOW64\Poimpapp.exe (command line: C:\Windows\system32\Poimpapp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 6016

Level 119: C:\Windows\SysWOW64\Pdhbmh32.exe (command line: C:\Windows\system32\Pdhbmh32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 6060

Level 120: C:\Windows\SysWOW64\Palbgl32.exe (command line: C:\Windows\system32\Palbgl32.exe)
PID: 6100

Level 121: C:\Windows\SysWOW64\Plbfdekd.exe (command line: C:\Windows\system32\Plbfdekd.exe)
- Drops file in System32 directory
PID: 6140

Level 122: C:\Windows\SysWOW64\Pldcjeia.exe (command line: C:\Windows\system32\Pldcjeia.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5168