Analysis
max time kernel: 176s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2023, 19:51
Behavioral task behavioral1
  Sample: NEAS.268eace6a6e2b16244234529a9d6f5d0.exe
  Resource: win7-20231020-en
Behavioral task behavioral2
  Sample: NEAS.268eace6a6e2b16244234529a9d6f5d0.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.268eace6a6e2b16244234529a9d6f5d0.exe
Size: 196KB
MD5: 268eace6a6e2b16244234529a9d6f5d0
SHA1: 70966fdace41d810f72affea7e9dc5b2ff61b80a
SHA256: a5638ab5b39d3e85d9abdb5adc97f06b0e4d627f5a15367c1e56496c51aac33e
SHA512: ba34be5ad1bbaa1cf76dbc650a640ba68cc36e990743f141a980f9fd191d8c0f4241a22d99cd8142b40d02d3c1e834dcf1e29e8ca457cfeaf7010bafa91ad923
SSDEEP: 6144:SJQkTW8BTsa81+jq4peBK02SjSM0zI6rH:JkTjTs1+jheBwSv0E6rH
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid: 6612, pid_target: 5680, Process: WerFault.exe, procid_target: 665
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the process tree depth, the PID, the image path, and the signatures hit by that process. Every dropped child runs from C:\Windows\SysWOW64\<name> with the command line C:\Windows\system32\<name>.
- depth 1, PID 3984: C:\Users\Admin\AppData\Local\Temp\NEAS.268eace6a6e2b16244234529a9d6f5d0.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.268eace6a6e2b16244234529a9d6f5d0.exe"); Suspicious use of WriteProcessMemory
- depth 2, PID 1944: C:\Windows\SysWOW64\Haaocp32.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 3, PID 4088: C:\Windows\SysWOW64\Jnoopm32.exe; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 4, PID 1028: C:\Windows\SysWOW64\Kkjejqcl.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 5, PID 5100: C:\Windows\SysWOW64\Kbfjljhf.exe; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 6, PID 1816: C:\Windows\SysWOW64\Lfnfhg32.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 7, PID 4936: C:\Windows\SysWOW64\Nfnooe32.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 8, PID 4416: C:\Windows\SysWOW64\Oimdbnip.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 9, PID 2412: C:\Windows\SysWOW64\Plgpjhnf.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 10, PID 4648: C:\Windows\SysWOW64\Ppgeff32.exe; Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 11, PID 840: C:\Windows\SysWOW64\Apcead32.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 12, PID 4808: C:\Windows\SysWOW64\Boohcpgm.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 13, PID 3944: C:\Windows\SysWOW64\Cofndo32.exe; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 14, PID 4952: C:\Windows\SysWOW64\Cllkcbnl.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 15, PID 712: C:\Windows\SysWOW64\Djjobedk.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 16, PID 1576: C:\Windows\SysWOW64\Fceihh32.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 17, PID 4488: C:\Windows\SysWOW64\Fplimi32.exe; Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 18, PID 4968: C:\Windows\SysWOW64\Ghanoeel.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 19, PID 2420: C:\Windows\SysWOW64\Ghcjedcj.exe; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
- depth 20, PID 4228: C:\Windows\SysWOW64\Ifipmo32.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 21, PID 532: C:\Windows\SysWOW64\Mbfmha32.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 22, PID 3840: C:\Windows\SysWOW64\Oelhljaq.exe; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 23, PID 3740: C:\Windows\SysWOW64\Oaeegjeb.exe; Executes dropped EXE; Modifies registry class
- depth 24, PID 1048: C:\Windows\SysWOW64\Ophbja32.exe; Executes dropped EXE; Drops file in System32 directory
- depth 25, PID 3432: C:\Windows\SysWOW64\Baojkdqb.exe; Executes dropped EXE
- depth 26, PID 4368: C:\Windows\SysWOW64\Deiblamk.exe; Executes dropped EXE
- depth 27, PID 4004: C:\Windows\SysWOW64\Dpcpei32.exe; Executes dropped EXE; Drops file in System32 directory
- depth 28, PID 4028: C:\Windows\SysWOW64\Efgono32.exe; Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 29, PID 4548: C:\Windows\SysWOW64\Ffbnin32.exe; Executes dropped EXE
- depth 30, PID 2204: C:\Windows\SysWOW64\Gmclgghc.exe; Executes dropped EXE
- depth 31, PID 952: C:\Windows\SysWOW64\Giofggia.exe; Executes dropped EXE
- depth 32, PID 3448: C:\Windows\SysWOW64\Hmaihekc.exe; Executes dropped EXE; Modifies registry class
- depth 33, PID 4156: C:\Windows\SysWOW64\Hikfbeod.exe; Executes dropped EXE
- depth 34, PID 4200: C:\Windows\SysWOW64\Icgqqmib.exe; Executes dropped EXE
- depth 35, PID 1332: C:\Windows\SysWOW64\Kmlmlo32.exe; Executes dropped EXE
- depth 36, PID 4784: C:\Windows\SysWOW64\Lalchm32.exe; Executes dropped EXE
- depth 37, PID 2016: C:\Windows\SysWOW64\Mphfjhjf.exe; Executes dropped EXE
- depth 38, PID 3224: C:\Windows\SysWOW64\Mnlfclip.exe; Executes dropped EXE; Drops file in System32 directory
- depth 39, PID 940: C:\Windows\SysWOW64\Ncpelbap.exe; Executes dropped EXE; Modifies registry class
- depth 40, PID 4000: C:\Windows\SysWOW64\Nnolojhk.exe; Executes dropped EXE
- depth 41, PID 1832: C:\Windows\SysWOW64\Oggqho32.exe; Executes dropped EXE
- depth 42, PID 3484: C:\Windows\SysWOW64\Pjhbah32.exe; Executes dropped EXE
- depth 43, PID 2168: C:\Windows\SysWOW64\Abimhd32.exe; Executes dropped EXE
- depth 44, PID 3916: C:\Windows\SysWOW64\Ajikhfpg.exe; Executes dropped EXE
- depth 45, PID 3052: C:\Windows\SysWOW64\Aenpeoom.exe; Executes dropped EXE
- depth 46, PID 1504: C:\Windows\SysWOW64\Bbbpnc32.exe; Executes dropped EXE
- depth 47, PID 3372: C:\Windows\SysWOW64\Bdhfaj32.exe; Executes dropped EXE
- depth 48, PID 4624: C:\Windows\SysWOW64\Daolgl32.exe; Executes dropped EXE
- depth 49, PID 4664: C:\Windows\SysWOW64\Dboiaoff.exe; Executes dropped EXE
- depth 50, PID 4012: C:\Windows\SysWOW64\Eoaianan.exe; Executes dropped EXE
- depth 51, PID 2116: C:\Windows\SysWOW64\Ednajepe.exe; Executes dropped EXE
- depth 52, PID 4336: C:\Windows\SysWOW64\Fdpnpe32.exe; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- depth 53, PID 4556: C:\Windows\SysWOW64\Ffpjihee.exe; Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 54, PID 2848: C:\Windows\SysWOW64\Fklcbocl.exe; Executes dropped EXE; Drops file in System32 directory
- depth 55, PID 1232: C:\Windows\SysWOW64\Ghlcga32.exe; Executes dropped EXE; Modifies registry class
- depth 56, PID 4276: C:\Windows\SysWOW64\Hfgjad32.exe; Executes dropped EXE; Drops file in System32 directory
- depth 57, PID 3796: C:\Windows\SysWOW64\Hkdbik32.exe; Executes dropped EXE
- depth 58, PID 5024: C:\Windows\SysWOW64\Hoakpi32.exe; Executes dropped EXE
- depth 59, PID 4820: C:\Windows\SysWOW64\Hcpcehko.exe; Executes dropped EXE
- depth 60, PID 2216: C:\Windows\SysWOW64\Icgjfgef.exe; Executes dropped EXE
- depth 61, PID 3216: C:\Windows\SysWOW64\Iblfgc32.exe; Executes dropped EXE
- depth 62, PID 3532: C:\Windows\SysWOW64\Jijhom32.exe; Executes dropped EXE
- depth 63, PID 1360: C:\Windows\SysWOW64\Jbcmhb32.exe; Executes dropped EXE
- depth 64, PID 3548: C:\Windows\SysWOW64\Jbeinb32.exe; Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 65, PID 2500: C:\Windows\SysWOW64\Kikafjoc.exe; Executes dropped EXE; Modifies registry class
- depth 66, PID 4320: C:\Windows\SysWOW64\Lekeajmm.exe
- depth 67, PID 1512: C:\Windows\SysWOW64\Mingbhon.exe
- depth 68, PID 4212: C:\Windows\SysWOW64\Ocpghj32.exe; Modifies registry class
- depth 69, PID 2424: C:\Windows\SysWOW64\Pgpmdh32.exe
- depth 70, PID 1328: C:\Windows\SysWOW64\Bccfleqi.exe; Drops file in System32 directory
- depth 71, PID 3512: C:\Windows\SysWOW64\Bmkjdj32.exe
- depth 72, PID 1028: C:\Windows\SysWOW64\Bnkgomnl.exe; Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- depth 73, PID 1844: C:\Windows\SysWOW64\Bjagcndq.exe
- depth 74, PID 3296: C:\Windows\SysWOW64\Balpph32.exe
- depth 75, PID 4448: C:\Windows\SysWOW64\Bfhhho32.exe
- depth 76, PID 2412: C:\Windows\SysWOW64\Cdoegcfl.exe
- depth 77, PID 1840: C:\Windows\SysWOW64\Feapdaof.exe
- depth 78, PID 4500: C:\Windows\SysWOW64\Fahajbek.exe
- depth 79, PID 4372: C:\Windows\SysWOW64\Fgeibicb.exe
- depth 80, PID 3404: C:\Windows\SysWOW64\Fhdfll32.exe
- depth 81, PID 1264: C:\Windows\SysWOW64\Gnaodbhl.exe
- depth 82, PID 2128: C:\Windows\SysWOW64\Gkeonggf.exe
- depth 83, PID 3128: C:\Windows\SysWOW64\Gaadpqmp.exe; Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- depth 84, PID 100: C:\Windows\SysWOW64\Gfaikoad.exe
- depth 85, PID 4980: C:\Windows\SysWOW64\Hkobdeok.exe
- depth 86, PID 4652: C:\Windows\SysWOW64\Hgebif32.exe
- depth 87, PID 3924: C:\Windows\SysWOW64\Hnokeqll.exe
- depth 88, PID 4376: C:\Windows\SysWOW64\Hkckoe32.exe
- depth 89, PID 4972: C:\Windows\SysWOW64\Hdlphjaf.exe; Modifies registry class
- depth 90, PID 2912: C:\Windows\SysWOW64\Hkehdd32.exe
- depth 91, PID 3312: C:\Windows\SysWOW64\Ifpemmdd.exe
- depth 92, PID 3096: C:\Windows\SysWOW64\Iohjebkd.exe
- depth 93, PID 4388: C:\Windows\SysWOW64\Ifbbbl32.exe
- depth 94, PID 5132: C:\Windows\SysWOW64\Ikokkc32.exe
- depth 95, PID 5180: C:\Windows\SysWOW64\Inpclnnj.exe
- depth 96, PID 5224: C:\Windows\SysWOW64\Jigdoglm.exe
- depth 97, PID 5268: C:\Windows\SysWOW64\Jiokpfee.exe
- depth 98, PID 5312: C:\Windows\SysWOW64\Knpmcl32.exe; Modifies registry class
- depth 99, PID 5352: C:\Windows\SysWOW64\Kppimogj.exe
- depth 100, PID 5392: C:\Windows\SysWOW64\Kfiajinf.exe
- depth 101, PID 5444: C:\Windows\SysWOW64\Kfnkeh32.exe
- depth 102, PID 5488: C:\Windows\SysWOW64\Lfcdph32.exe
- depth 103, PID 5528: C:\Windows\SysWOW64\Lfgnkgbf.exe; Adds autorun key to be loaded by Explorer.exe on startup
- depth 104, PID 5576: C:\Windows\SysWOW64\Lldfcn32.exe
- depth 105, PID 5624: C:\Windows\SysWOW64\Lbnnphhk.exe
- depth 106, PID 5668: C:\Windows\SysWOW64\Mbqkfhfh.exe; Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- depth 107, PID 5716: C:\Windows\SysWOW64\Mbchkg32.exe
- depth 108, PID 5764: C:\Windows\SysWOW64\Nppkkj32.exe
- depth 109, PID 5808: C:\Windows\SysWOW64\Nlglpkpi.exe; Modifies registry class
- depth 110, PID 5848: C:\Windows\SysWOW64\Ncfmhecp.exe
- depth 111, PID 5892: C:\Windows\SysWOW64\Nhbfpl32.exe
- depth 112, PID 5936: C:\Windows\SysWOW64\Oeffip32.exe
- depth 113, PID 5996: C:\Windows\SysWOW64\Ohjlqklp.exe
- depth 114, PID 6044: C:\Windows\SysWOW64\Pcmloa32.exe
- depth 115, PID 6080: C:\Windows\SysWOW64\Acilkp32.exe
- depth 116, PID 6128: C:\Windows\SysWOW64\Aifdcgcp.exe; Drops file in System32 directory
- depth 117, PID 5176: C:\Windows\SysWOW64\Aggean32.exe; Adds autorun key to be loaded by Explorer.exe on startup
- depth 118, PID 5192: C:\Windows\SysWOW64\Bqdbec32.exe
- depth 119, PID 5248: C:\Windows\SysWOW64\Bgnkamef.exe
- depth 120, PID 5320: C:\Windows\SysWOW64\Bfchcijo.exe
- depth 121, PID 5400: C:\Windows\SysWOW64\Bmomecoi.exe
- depth 122, PID 5452: C:\Windows\SysWOW64\Bgeabloo.exe; Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class