Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2023, 18:11
Behavioral task
behavioral1
Sample
NEAS.2b920f617b9814f34963af4528d8d830_JC.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.2b920f617b9814f34963af4528d8d830_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.2b920f617b9814f34963af4528d8d830_JC.exe
-
Size
153KB
-
MD5
2b920f617b9814f34963af4528d8d830
-
SHA1
0846606ed77bf74fa80fe8ec84e81e9e3fde5346
-
SHA256
fc1c405d2192dd9e45b41dde4871032acf9fb671d53ddfd9ece383a841b12809
-
SHA512
98fa5c50ce9f1b366d52807f2ba00379a638675e3e78df5232a5d93814e0f6a45db3b88cbc4ba44ffb89e09a6657b5df6d3b80aa2377c5ec8b5f7d1ecaea474a
-
SSDEEP
3072:au7rvxXsL50JaPNYeUAEQGBcHN0OlaxP3DZyN/+oeRpxPdZFibDyxn:La9aaqdAHj05xP3DZyN1eRppzcexn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkofga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noppeaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nobdbkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphqji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjbiheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbchj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapppn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgepom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hloqml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enmjlojd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjokd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppamophb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knalji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glengm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhloj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbponja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miifeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgbfhmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbegqjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnlnaom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiknlagg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjddh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfhmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahlcaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohghgodi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdjpmac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbiamhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqbcbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkofga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhqefjpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajohfcpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njefqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqkill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpoaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipflihfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpolbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/files/0x00090000000222f4-7.dat family_berbew behavioral2/files/0x0007000000022ded-15.dat family_berbew behavioral2/files/0x0007000000022ded-14.dat family_berbew behavioral2/files/0x0006000000022df2-23.dat family_berbew behavioral2/files/0x0006000000022df4-30.dat family_berbew behavioral2/files/0x0006000000022df4-32.dat family_berbew behavioral2/files/0x0006000000022df2-22.dat family_berbew behavioral2/files/0x0006000000022df6-38.dat family_berbew behavioral2/files/0x0006000000022df6-40.dat family_berbew behavioral2/files/0x0006000000022df8-46.dat family_berbew behavioral2/files/0x0006000000022df8-47.dat family_berbew behavioral2/files/0x0006000000022dfa-54.dat family_berbew behavioral2/files/0x0006000000022dfa-55.dat family_berbew behavioral2/files/0x0006000000022dfc-62.dat family_berbew behavioral2/files/0x0006000000022dfc-64.dat family_berbew behavioral2/files/0x0006000000022dfe-70.dat family_berbew behavioral2/files/0x0006000000022dfe-72.dat family_berbew behavioral2/files/0x0006000000022e01-80.dat family_berbew behavioral2/files/0x0006000000022e01-78.dat family_berbew behavioral2/files/0x0006000000022e03-86.dat family_berbew behavioral2/files/0x0006000000022e05-94.dat family_berbew behavioral2/files/0x0006000000022e03-87.dat family_berbew behavioral2/files/0x0006000000022e05-96.dat family_berbew behavioral2/files/0x0006000000022e07-103.dat family_berbew behavioral2/files/0x0006000000022e09-111.dat family_berbew behavioral2/files/0x0006000000022e0b-118.dat family_berbew behavioral2/files/0x0006000000022e0b-119.dat family_berbew behavioral2/files/0x0006000000022e0d-126.dat family_berbew behavioral2/files/0x0006000000022e0d-127.dat family_berbew behavioral2/files/0x0006000000022e0f-129.dat family_berbew behavioral2/files/0x0006000000022e0f-134.dat family_berbew behavioral2/files/0x0006000000022e0f-136.dat family_berbew behavioral2/files/0x0006000000022e09-110.dat family_berbew behavioral2/files/0x0006000000022e07-102.dat family_berbew behavioral2/files/0x0006000000022e11-142.dat family_berbew behavioral2/files/0x0006000000022e11-143.dat family_berbew behavioral2/files/0x0006000000022e13-151.dat family_berbew behavioral2/files/0x0006000000022e16-158.dat family_berbew behavioral2/files/0x0006000000022e16-160.dat family_berbew behavioral2/files/0x0006000000022e13-150.dat family_berbew behavioral2/files/0x0006000000022e18-166.dat family_berbew behavioral2/files/0x0006000000022e18-168.dat family_berbew behavioral2/files/0x0006000000022e1a-175.dat family_berbew behavioral2/files/0x0006000000022e1a-174.dat family_berbew behavioral2/files/0x0006000000022e1c-183.dat family_berbew behavioral2/files/0x0006000000022e1c-182.dat family_berbew behavioral2/files/0x0006000000022e1e-190.dat family_berbew behavioral2/files/0x0006000000022e1e-192.dat family_berbew behavioral2/files/0x0006000000022e20-198.dat family_berbew behavioral2/files/0x0006000000022e20-200.dat family_berbew behavioral2/files/0x0006000000022e22-208.dat family_berbew behavioral2/files/0x0006000000022e22-206.dat family_berbew behavioral2/files/0x0006000000022e24-209.dat family_berbew behavioral2/files/0x0006000000022e24-214.dat family_berbew behavioral2/files/0x0006000000022e24-216.dat family_berbew behavioral2/files/0x0006000000022e26-222.dat family_berbew behavioral2/files/0x0006000000022e26-223.dat family_berbew behavioral2/files/0x0006000000022e28-230.dat family_berbew behavioral2/files/0x0006000000022e28-232.dat family_berbew behavioral2/files/0x0006000000022e2a-238.dat family_berbew behavioral2/files/0x0006000000022e2a-239.dat family_berbew behavioral2/files/0x0006000000022e2c-241.dat family_berbew behavioral2/files/0x0006000000022e2c-246.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4940 Hkdbpe32.exe 748 Heocnk32.exe 2792 Hkikkeeo.exe 916 Hfnphn32.exe 3568 Hofdacke.exe 3344 Immapg32.exe 524 Icgjmapi.exe 3400 Imoneg32.exe 376 Iblfnn32.exe 852 Ippggbck.exe 572 Iemppiab.exe 1384 Ilghlc32.exe 4204 Ibqpimpl.exe 3352 Imfdff32.exe 3484 Icplcpgo.exe 1800 Jeaikh32.exe 4088 Jcbihpel.exe 3420 Jlnnmb32.exe 2616 Jefbfgig.exe 4068 Jcgbco32.exe 3604 Jlbgha32.exe 1964 Jifhaenk.exe 4992 Jcllonma.exe 2624 Kiidgeki.exe 3636 Kikame32.exe 224 Kpeiioac.exe 4984 Klljnp32.exe 4336 Kibgmdcn.exe 3212 Klqcioba.exe 1692 Liddbc32.exe 1972 Lfhdlh32.exe 2784 Lmbmibhb.exe 4008 Lfkaag32.exe 2896 Ldoaklml.exe 2396 Lbdolh32.exe 4144 Lllcen32.exe 3784 Mmlpoqpg.exe 3480 Mchhggno.exe 1344 Mibpda32.exe 456 Mplhql32.exe 4600 Meiaib32.exe 4696 Mlcifmbl.exe 4692 Mdjagjco.exe 2040 Mpablkhc.exe 4444 Mcpnhfhf.exe 4496 Miifeq32.exe 4244 Npcoakfp.exe 4288 Nljofl32.exe 4392 Nebdoa32.exe 4252 Ndfqbhia.exe 3632 Ngdmod32.exe 2348 Nlaegk32.exe 5056 Nckndeni.exe 1828 Njefqo32.exe 968 Odkjng32.exe 2664 Oflgep32.exe 3624 Odmgcgbi.exe 4044 Olhlhjpd.exe 2736 Ognpebpj.exe 4932 Oqfdnhfk.exe 740 Ofcmfodb.exe 4812 Olmeci32.exe 3984 Ojaelm32.exe 3872 Pdfjifjo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lfojjf32.dll Jcbdgb32.exe File created C:\Windows\SysWOW64\Aonhghjl.exe Ahdpjn32.exe File opened for modification C:\Windows\SysWOW64\Ipihpkkd.exe Ihbponja.exe File opened for modification C:\Windows\SysWOW64\Jldbpl32.exe Joqafgni.exe File created C:\Windows\SysWOW64\Jimldogg.exe Jafdcbge.exe File opened for modification C:\Windows\SysWOW64\Pcbmka32.exe Pqdqof32.exe File created C:\Windows\SysWOW64\Dempqa32.dll Npepkf32.exe File created C:\Windows\SysWOW64\Fmbdpnaj.dll Ganldgib.exe File created C:\Windows\SysWOW64\Plhfdjfl.dll Ocdjpmac.exe File opened for modification C:\Windows\SysWOW64\Kmfhkf32.exe Kjhloj32.exe File created C:\Windows\SysWOW64\Lpmkebjc.dll Bhhiemoj.exe File created C:\Windows\SysWOW64\Jahqiaeb.exe Jpgdai32.exe File created C:\Windows\SysWOW64\Mgdjapoo.dll Ilghlc32.exe File created C:\Windows\SysWOW64\Qgcbgo32.exe Qqijje32.exe File opened for modification C:\Windows\SysWOW64\Dabhdinj.exe Djhpgofm.exe File opened for modification C:\Windows\SysWOW64\Icnklbmj.exe Ipoopgnf.exe File opened for modification C:\Windows\SysWOW64\Qjiipk32.exe Qdoacabq.exe File opened for modification C:\Windows\SysWOW64\Ghojbq32.exe Gaebef32.exe File created C:\Windows\SysWOW64\Hhhjoabm.dll Gipdap32.exe File created C:\Windows\SysWOW64\Iloidijb.exe Igbalblk.exe File opened for modification C:\Windows\SysWOW64\Lhgkgijg.exe Lancko32.exe File created C:\Windows\SysWOW64\Bgehcmmm.exe Beglgani.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Adcjop32.exe File opened for modification C:\Windows\SysWOW64\Afappe32.exe Acccdj32.exe File opened for modification C:\Windows\SysWOW64\Jcgbco32.exe Jefbfgig.exe File opened for modification C:\Windows\SysWOW64\Oflgep32.exe Odkjng32.exe File created C:\Windows\SysWOW64\Beglgani.exe Bjagjhnc.exe File created C:\Windows\SysWOW64\Ijhjcchb.exe Igjngh32.exe File created C:\Windows\SysWOW64\Kecabifp.exe Kbddfmgl.exe File created C:\Windows\SysWOW64\Ocfgbfdm.dll Fqppci32.exe File created C:\Windows\SysWOW64\Mlbmonhi.dll Foclgq32.exe File created C:\Windows\SysWOW64\Famhmfkl.exe Fggdpnkf.exe File created C:\Windows\SysWOW64\Cojlbcgp.dll Liddbc32.exe File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe Qdaniq32.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Bklomh32.exe File opened for modification C:\Windows\SysWOW64\Gacepg32.exe Gpaihooo.exe File opened for modification C:\Windows\SysWOW64\Jahqiaeb.exe Jpgdai32.exe File opened for modification C:\Windows\SysWOW64\Nihipdhl.exe Naaqofgj.exe File created C:\Windows\SysWOW64\Ncnofeof.exe Nnafno32.exe File opened for modification C:\Windows\SysWOW64\Eiekog32.exe Ebkbbmqj.exe File created C:\Windows\SysWOW64\Pnplfj32.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Ohmkjd32.dll Cgcmjd32.exe File created C:\Windows\SysWOW64\Hpdclcbj.dll Emehdh32.exe File opened for modification C:\Windows\SysWOW64\Bhpofl32.exe Bphgeo32.exe File opened for modification C:\Windows\SysWOW64\Nciopppp.exe Mqjbddpl.exe File created C:\Windows\SysWOW64\Bkhakafh.dll Pflibgil.exe File created C:\Windows\SysWOW64\Agbkmijg.exe Qqhcpo32.exe File created C:\Windows\SysWOW64\Foapaa32.exe Fgjhpcmo.exe File opened for modification C:\Windows\SysWOW64\Ajohfcpj.exe Abhqefpg.exe File created C:\Windows\SysWOW64\Oahicipe.dll Acqimo32.exe File created C:\Windows\SysWOW64\Lafmjp32.exe Lpepbgbd.exe File created C:\Windows\SysWOW64\Gejimf32.dll Oonlfo32.exe File created C:\Windows\SysWOW64\Ddmhhd32.exe Daollh32.exe File created C:\Windows\SysWOW64\Cikglnkj.exe Cgjjdf32.exe File opened for modification C:\Windows\SysWOW64\Hcpojd32.exe Hpabni32.exe File created C:\Windows\SysWOW64\Qfglbe32.dll Ldipha32.exe File opened for modification C:\Windows\SysWOW64\Hkikkeeo.exe Heocnk32.exe File created C:\Windows\SysWOW64\Lbandhne.dll Qjiipk32.exe File created C:\Windows\SysWOW64\Ichqihli.dll Aonhghjl.exe File created C:\Windows\SysWOW64\Ibjqaf32.exe Ilphdlqh.exe File created C:\Windows\SysWOW64\Ofckhj32.exe Ocdnln32.exe File created C:\Windows\SysWOW64\Cdfkolkf.exe Cnicfe32.exe File opened for modification C:\Windows\SysWOW64\Innfnl32.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Keiifian.dll Qfkqjmdg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12240 12140 WerFault.exe 804 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll" Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oifppdpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaajed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll" Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebekb32.dll" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgpgh32.dll" Fineoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faimhjhp.dll" Eclmamod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll" Jikoopij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggdpnkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agbkmijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpfop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Ekonpckp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncpeaoih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofegni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcgkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqgedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipbaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjlmclqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fboecfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emlenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnilk32.dll" Cippgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljbfpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eephln32.dll" Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gologg32.dll" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll" Bpkdjofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjimp32.dll" Pdjgha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bciehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfpell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfhmjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkbmqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqmlccdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" Bcebhoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklbdm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1920 wrote to memory of 4940 1920 NEAS.2b920f617b9814f34963af4528d8d830_JC.exe 86 PID 1920 wrote to memory of 4940 1920 NEAS.2b920f617b9814f34963af4528d8d830_JC.exe 86 PID 1920 wrote to memory of 4940 1920 NEAS.2b920f617b9814f34963af4528d8d830_JC.exe 86 PID 4940 wrote to memory of 748 4940 Hkdbpe32.exe 87 PID 4940 wrote to memory of 748 4940 Hkdbpe32.exe 87 PID 4940 wrote to memory of 748 4940 Hkdbpe32.exe 87 PID 748 wrote to memory of 2792 748 Heocnk32.exe 88 PID 748 wrote to memory of 2792 748 Heocnk32.exe 88 PID 748 wrote to memory of 2792 748 Heocnk32.exe 88 PID 2792 wrote to memory of 916 2792 Hkikkeeo.exe 89 PID 2792 wrote to memory of 916 2792 Hkikkeeo.exe 89 PID 2792 wrote to memory of 916 2792 Hkikkeeo.exe 89 PID 916 wrote to memory of 3568 916 Hfnphn32.exe 90 PID 916 wrote to memory of 3568 916 Hfnphn32.exe 90 PID 916 wrote to memory of 3568 916 Hfnphn32.exe 90 PID 3568 wrote to memory of 3344 3568 Hofdacke.exe 91 PID 3568 wrote to memory of 3344 3568 Hofdacke.exe 91 PID 3568 wrote to memory of 3344 3568 Hofdacke.exe 91 PID 3344 wrote to memory of 524 3344 Immapg32.exe 93 PID 3344 wrote to memory of 524 3344 Immapg32.exe 93 PID 3344 wrote to memory of 524 3344 Immapg32.exe 93 PID 524 wrote to memory of 3400 524 Icgjmapi.exe 94 PID 524 wrote to memory of 3400 524 Icgjmapi.exe 94 PID 524 wrote to memory of 3400 524 Icgjmapi.exe 94 PID 3400 wrote to memory of 376 3400 Imoneg32.exe 95 PID 3400 wrote to memory of 376 3400 Imoneg32.exe 95 PID 3400 wrote to memory of 376 3400 Imoneg32.exe 95 PID 376 wrote to memory of 852 376 Iblfnn32.exe 96 PID 376 wrote to memory of 852 376 Iblfnn32.exe 96 PID 376 wrote to memory of 852 376 Iblfnn32.exe 96 PID 852 wrote to memory of 572 852 Ippggbck.exe 97 PID 852 wrote to memory of 572 852 Ippggbck.exe 97 PID 852 wrote to memory of 572 852 Ippggbck.exe 97 PID 572 wrote to memory of 1384 572 Iemppiab.exe 99 PID 572 wrote to memory of 1384 572 Iemppiab.exe 99 PID 572 wrote to memory of 1384 572 Iemppiab.exe 99 PID 1384 wrote to memory of 4204 1384 Ilghlc32.exe 98 PID 1384 wrote to memory of 4204 1384 Ilghlc32.exe 98 PID 1384 wrote to memory of 4204 1384 Ilghlc32.exe 98 PID 4204 wrote to memory of 3352 4204 Ibqpimpl.exe 100 PID 4204 wrote to memory of 3352 4204 Ibqpimpl.exe 100 PID 4204 wrote to memory of 3352 4204 Ibqpimpl.exe 100 PID 3352 wrote to memory of 3484 3352 Imfdff32.exe 103 PID 3352 wrote to memory of 3484 3352 Imfdff32.exe 103 PID 3352 wrote to memory of 3484 3352 Imfdff32.exe 103 PID 3484 wrote to memory of 1800 3484 Icplcpgo.exe 102 PID 3484 wrote to memory of 1800 3484 Icplcpgo.exe 102 PID 3484 wrote to memory of 1800 3484 Icplcpgo.exe 102 PID 1800 wrote to memory of 4088 1800 Jeaikh32.exe 101 PID 1800 wrote to memory of 4088 1800 Jeaikh32.exe 101 PID 1800 wrote to memory of 4088 1800 Jeaikh32.exe 101 PID 4088 wrote to memory of 3420 4088 Jcbihpel.exe 104 PID 4088 wrote to memory of 3420 4088 Jcbihpel.exe 104 PID 4088 wrote to memory of 3420 4088 Jcbihpel.exe 104 PID 3420 wrote to memory of 2616 3420 Jlnnmb32.exe 105 PID 3420 wrote to memory of 2616 3420 Jlnnmb32.exe 105 PID 3420 wrote to memory of 2616 3420 Jlnnmb32.exe 105 PID 2616 wrote to memory of 4068 2616 Jefbfgig.exe 106 PID 2616 wrote to memory of 4068 2616 Jefbfgig.exe 106 PID 2616 wrote to memory of 4068 2616 Jefbfgig.exe 106 PID 4068 wrote to memory of 3604 4068 Jcgbco32.exe 107 PID 4068 wrote to memory of 3604 4068 Jcgbco32.exe 107 PID 4068 wrote to memory of 3604 4068 Jcgbco32.exe 107 PID 3604 wrote to memory of 1964 3604 Jlbgha32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2b920f617b9814f34963af4528d8d830_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2b920f617b9814f34963af4528d8d830_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1384
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484
-
-
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe6⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe7⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe8⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe9⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe10⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe12⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe13⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe15⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe16⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe17⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe18⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe19⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe20⤵
- Executes dropped EXE
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe21⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe22⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe23⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe24⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe26⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe27⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe28⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe29⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe31⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe32⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe33⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe34⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe35⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe36⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe37⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe40⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe41⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe42⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe43⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe44⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe45⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe47⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe48⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe49⤵PID:940
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe50⤵PID:1556
-
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe51⤵PID:820
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe52⤵PID:4404
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe53⤵PID:116
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe54⤵PID:2648
-
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe55⤵PID:1900
-
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe56⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe57⤵PID:4532
-
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe58⤵PID:3120
-
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe59⤵PID:4108
-
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe60⤵PID:4648
-
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe61⤵
- Drops file in System32 directory
PID:4808 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe62⤵PID:5136
-
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe63⤵PID:5180
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe64⤵PID:5224
-
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe65⤵PID:5268
-
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe66⤵PID:5312
-
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe67⤵PID:5348
-
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe68⤵PID:5396
-
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe70⤵PID:5484
-
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe71⤵PID:5528
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe72⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe73⤵PID:5616
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe74⤵PID:5660
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe75⤵PID:5708
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe76⤵PID:5752
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe77⤵PID:5796
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe78⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe79⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe80⤵
- Drops file in System32 directory
PID:5924 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe81⤵PID:5968
-
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe82⤵PID:6012
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe83⤵PID:6056
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe84⤵PID:6092
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe85⤵
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe86⤵PID:5172
-
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe87⤵PID:5260
-
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe88⤵PID:5340
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe89⤵PID:5384
-
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe90⤵PID:5452
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe91⤵PID:5540
-
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe92⤵PID:5608
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe93⤵
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe94⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe95⤵PID:5848
-
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe96⤵PID:5912
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe97⤵PID:6052
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe98⤵PID:6108
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe99⤵PID:5168
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe100⤵PID:5280
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe101⤵PID:5388
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe103⤵PID:5596
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe104⤵PID:5760
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe105⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3968 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe107⤵PID:1880
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe108⤵PID:2764
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe109⤵PID:5868
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe110⤵PID:5940
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe111⤵PID:3572
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe112⤵PID:4768
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe113⤵PID:6084
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe114⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe115⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe116⤵PID:5580
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe117⤵PID:3812
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe118⤵PID:4756
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe119⤵PID:5876
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe120⤵PID:5948
-
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe121⤵PID:4564
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-