Analysis
max time kernel: 139s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 17/11/2023, 06:01
Behavioral task behavioral1
Sample: NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe
Size: 450KB
MD5: 1b3cb2e041a8240f5bc597b6c3bb9eb0
SHA1: 0f9aaa4e881e97de66b8fc7218aca60965c72f70
SHA256: 8000370fcf90ef0bfa7d8739fc909cfd408942cd6c03690b0a5bbcaa48e497cd
SHA512: 1ca9ebb1139467456142fd4da6a704b1bba81fa97570b9cec9776618381781fe0d666918b0077710b6acd44fa9cb2a313d008df5f2b863a075968669959920ee
SSDEEP: 12288:1syx3fXFC9m7ufXFC9xfIkMuXFC9m7ufXFC9Wm:myZfc9Iufc9xsuc9Iufc9Wm
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkpjdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gohapb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnqcfjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnalmh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iajmmm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piaiqlak.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alkeifga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ciefek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjfoja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckpamabg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kongmo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdaqhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Halhfe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpjjmg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpelqj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkcndeen.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gclafmej.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dinjjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhicoi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgmnooom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dehnpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eohhie32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjamhd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajodef32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhppik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dajnol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlofcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdmjdkda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Limpiomm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cqiehnml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcmfnd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afqifo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oacdmo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oikjkc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acccdj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dajbaika.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijkled32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inhmqlmj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfkpiled.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbblhnc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjlcmdbb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dendok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koljgppp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odjmdocp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfoaam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phlikg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enemaimp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehnpmkbg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkemfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pijcpmhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmlpjdgo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogjpld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aiqkmd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqklnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dagajlal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lopmii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fqbeoc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afceko32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phlikg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnjqmpgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efampahd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efampahd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbpnjdkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cblebgfh.exe
Malware Backdoor: Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0006000000022ce1-6.dat | family_berbew
behavioral2/files/0x0006000000022ce1-7.dat | family_berbew
behavioral2/files/0x0006000000022ce5-14.dat | family_berbew
behavioral2/files/0x0006000000022ce5-15.dat | family_berbew
behavioral2/files/0x0006000000022ce8-22.dat | family_berbew
behavioral2/files/0x0006000000022ce8-23.dat | family_berbew
behavioral2/files/0x0006000000022cea-30.dat | family_berbew
behavioral2/files/0x0006000000022cea-31.dat | family_berbew
behavioral2/files/0x000a000000022bfe-38.dat | family_berbew
behavioral2/files/0x000a000000022bfe-40.dat | family_berbew
behavioral2/files/0x0006000000022cf2-46.dat | family_berbew
behavioral2/files/0x0006000000022cf2-48.dat | family_berbew
behavioral2/files/0x0007000000022cec-54.dat | family_berbew
behavioral2/files/0x0007000000022cec-55.dat | family_berbew
behavioral2/files/0x0006000000022cf9-62.dat | family_berbew
behavioral2/files/0x0006000000022cf9-64.dat | family_berbew
behavioral2/files/0x000a000000022bfd-71.dat | family_berbew
behavioral2/files/0x000a000000022bfd-72.dat | family_berbew
behavioral2/files/0x000d000000022bf3-79.dat | family_berbew
behavioral2/files/0x000d000000022bf3-81.dat | family_berbew
behavioral2/files/0x0006000000022cfd-87.dat | family_berbew
behavioral2/files/0x0006000000022cfd-90.dat | family_berbew
behavioral2/files/0x0006000000022cff-96.dat | family_berbew
behavioral2/files/0x0006000000022cff-99.dat | family_berbew
behavioral2/files/0x0008000000022cee-105.dat | family_berbew
behavioral2/files/0x0008000000022cee-107.dat | family_berbew
behavioral2/files/0x0009000000022cf6-114.dat | family_berbew
behavioral2/files/0x0009000000022cf6-116.dat | family_berbew
behavioral2/files/0x0007000000022d00-122.dat | family_berbew
behavioral2/files/0x0007000000022d00-124.dat | family_berbew
behavioral2/files/0x0006000000022d03-131.dat | family_berbew
behavioral2/files/0x0006000000022d03-133.dat | family_berbew
behavioral2/files/0x0006000000022d05-140.dat | family_berbew
behavioral2/files/0x0006000000022d05-142.dat | family_berbew
behavioral2/files/0x0006000000022d07-149.dat | family_berbew
behavioral2/files/0x0006000000022d07-151.dat | family_berbew
behavioral2/files/0x0006000000022d09-158.dat | family_berbew
behavioral2/files/0x0006000000022d09-160.dat | family_berbew
behavioral2/files/0x0006000000022d0b-167.dat | family_berbew
behavioral2/files/0x0006000000022d0b-168.dat | family_berbew
behavioral2/files/0x0006000000022d0d-176.dat | family_berbew
behavioral2/files/0x0006000000022d0f-180.dat | family_berbew
behavioral2/files/0x0006000000022d0d-178.dat | family_berbew
behavioral2/files/0x0006000000022d0f-185.dat | family_berbew
behavioral2/files/0x0006000000022d0f-188.dat | family_berbew
behavioral2/files/0x0006000000022d12-194.dat | family_berbew
behavioral2/files/0x0006000000022d12-195.dat | family_berbew
behavioral2/files/0x0006000000022d14-202.dat | family_berbew
behavioral2/files/0x0006000000022d14-204.dat | family_berbew
behavioral2/files/0x0006000000022d16-212.dat | family_berbew
behavioral2/files/0x0006000000022d16-214.dat | family_berbew
behavioral2/files/0x0004000000022308-221.dat | family_berbew
behavioral2/files/0x0004000000022308-223.dat | family_berbew
behavioral2/files/0x0006000000022d19-230.dat | family_berbew
behavioral2/files/0x0006000000022d19-232.dat | family_berbew
behavioral2/files/0x0006000000022d1b-239.dat | family_berbew
behavioral2/files/0x0006000000022d1b-240.dat | family_berbew
behavioral2/files/0x0006000000022d1d-247.dat | family_berbew
behavioral2/files/0x0006000000022d1d-250.dat | family_berbew
behavioral2/files/0x0006000000022d1f-257.dat | family_berbew
behavioral2/files/0x0006000000022d1f-259.dat | family_berbew
behavioral2/files/0x0006000000022d21-265.dat | family_berbew
behavioral2/files/0x0006000000022d21-266.dat | family_berbew
behavioral2/files/0x0006000000022d25-274.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
4576 | Kpmdfonj.exe
1292 | Lcgpni32.exe
4992 | Lopmii32.exe
3556 | Mnjqmpgg.exe
3896 | Nclbpf32.exe
32 | Nqbpojnp.exe
2216 | Nceefd32.exe
4080 | Ocjoadei.exe
1496 | Oghghb32.exe
1504 | Pnifekmd.exe
1768 | Paiogf32.exe
468 | Pnplfj32.exe
4924 | Qodeajbg.exe
3568 | Akkffkhk.exe
4408 | Aoioli32.exe
2560 | Aggpfkjj.exe
3056 | Ahfmpnql.exe
3724 | Bhkfkmmg.exe
2056 | Bdagpnbk.exe
4292 | Bdfpkm32.exe
320 | Boldhf32.exe
3612 | Coqncejg.exe
4620 | Dgcihgaj.exe
4644 | Dnonkq32.exe
4192 | Dkcndeen.exe
3564 | Enhpao32.exe
1056 | Ebfign32.exe
1640 | Fooclapd.exe
1608 | Fdnhih32.exe
2900 | Filapfbo.exe
2960 | Fajbjh32.exe
2908 | Gicgpelg.exe
4480 | Halhfe32.exe
4436 | Ipdndloi.exe
4560 | Iimcma32.exe
4320 | Ihbponja.exe
4632 | Keifdpif.exe
3204 | Kcmfnd32.exe
4548 | Kcoccc32.exe
1648 | Lcclncbh.exe
2116 | Lindkm32.exe
868 | Ledepn32.exe
4064 | Lpjjmg32.exe
4524 | Mpapnfhg.exe
4284 | Mhldbh32.exe
3096 | Mpeiie32.exe
4716 | Mlofcf32.exe
2044 | Nqoloc32.exe
2820 | Nijqcf32.exe
700 | Ncpeaoih.exe
3660 | Nimmifgo.exe
112 | Ojnfihmo.exe
2432 | Oqhoeb32.exe
3080 | Oqklkbbi.exe
2904 | Oophlo32.exe
1908 | Oihmedma.exe
1288 | Oikjkc32.exe
5056 | Ppdbgncl.exe
3092 | Pbhgoh32.exe
496 | Pmphaaln.exe
4976 | Pciqnk32.exe
3928 | Qpbnhl32.exe
3820 | Acccdj32.exe
1360 | Bagmdllg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Beoimjce.exe | Bbalaoda.exe
File created | C:\Windows\SysWOW64\Pkjhlh32.dll | Cpcila32.exe
File opened for modification | C:\Windows\SysWOW64\Dinjjf32.exe | Clijablo.exe
File created | C:\Windows\SysWOW64\Cjkpjo32.dll | Pkedbmab.exe
File created | C:\Windows\SysWOW64\Ojenek32.dll | Ocjoadei.exe
File created | C:\Windows\SysWOW64\Flbldfbp.dll | Gjficg32.exe
File opened for modification | C:\Windows\SysWOW64\Mhpgca32.exe | Mdbnmbhj.exe
File created | C:\Windows\SysWOW64\Dmbiackg.exe | Dpoiho32.exe
File created | C:\Windows\SysWOW64\Emjfif32.dll | Clbmfm32.exe
File created | C:\Windows\SysWOW64\Acccdj32.exe | Qpbnhl32.exe
File created | C:\Windows\SysWOW64\Hjfbiobf.dll | Fgjpfqpi.exe
File created | C:\Windows\SysWOW64\Kciaqi32.exe | Kjamhd32.exe
File opened for modification | C:\Windows\SysWOW64\Gqmnpk32.exe | Gfgjbb32.exe
File created | C:\Windows\SysWOW64\Cfihoghm.dll | Abdoqd32.exe
File opened for modification | C:\Windows\SysWOW64\Bjhgke32.exe | Bdlncn32.exe
File created | C:\Windows\SysWOW64\Npgqep32.dll | Dpalgenf.exe
File created | C:\Windows\SysWOW64\Jclbijhm.dll | Dpkehi32.exe
File opened for modification | C:\Windows\SysWOW64\Eohhie32.exe | Ehnpmkbg.exe
File created | C:\Windows\SysWOW64\Ajbfppjh.dll | Foonjd32.exe
File created | C:\Windows\SysWOW64\Bhjdnn32.dll | Adnilfnl.exe
File created | C:\Windows\SysWOW64\Kebodc32.exe | Jepbodhg.exe
File created | C:\Windows\SysWOW64\Bqkigp32.exe | Agcdnjcl.exe
File created | C:\Windows\SysWOW64\Pijcpmhc.exe | Ocmjhfjl.exe
File created | C:\Windows\SysWOW64\Gpaaneok.dll | Igqbiacj.exe
File created | C:\Windows\SysWOW64\Kjamhd32.exe | Kcgekjgp.exe
File opened for modification | C:\Windows\SysWOW64\Djmima32.exe | Dbbdip32.exe
File created | C:\Windows\SysWOW64\Idcdeb32.dll | Bemlhj32.exe
File opened for modification | C:\Windows\SysWOW64\Bagmdllg.exe | Acccdj32.exe
File created | C:\Windows\SysWOW64\Jhoeef32.exe | Jjkdlall.exe
File created | C:\Windows\SysWOW64\Jjigocdh.dll | Mdpagc32.exe
File created | C:\Windows\SysWOW64\Bepdmhnd.dll | Lokldg32.exe
File created | C:\Windows\SysWOW64\Eemgkpef.exe | Eldbbjof.exe
File opened for modification | C:\Windows\SysWOW64\Jifabb32.exe | Jqklnp32.exe
File created | C:\Windows\SysWOW64\Mlofcf32.exe | Mpeiie32.exe
File created | C:\Windows\SysWOW64\Hkmlnimb.exe | Hqghqpnl.exe
File opened for modification | C:\Windows\SysWOW64\Lhmafcnf.exe | Khkdad32.exe
File created | C:\Windows\SysWOW64\Dbooabbb.dll | Qfgfpp32.exe
File created | C:\Windows\SysWOW64\Ekimjn32.exe | Enemaimp.exe
File created | C:\Windows\SysWOW64\Hfqgoo32.dll | Qelcamcj.exe
File created | C:\Windows\SysWOW64\Okkjkh32.dll | Fdmjdkda.exe
File created | C:\Windows\SysWOW64\Mhppik32.exe | Mmjlkb32.exe
File created | C:\Windows\SysWOW64\Oklifdmi.exe | Oacdmo32.exe
File created | C:\Windows\SysWOW64\Cpdnjd32.dll | Akjnnpcf.exe
File created | C:\Windows\SysWOW64\Amfemoei.dll | Eohhie32.exe
File created | C:\Windows\SysWOW64\Lifmdfkg.dll | Enpknplq.exe
File created | C:\Windows\SysWOW64\Jjgkan32.dll | Oikjkc32.exe
File created | C:\Windows\SysWOW64\Afqifo32.exe | Alkeifga.exe
File created | C:\Windows\SysWOW64\Jjhjae32.exe | Jobfdl32.exe
File opened for modification | C:\Windows\SysWOW64\Abdoqd32.exe | Agnkck32.exe
File created | C:\Windows\SysWOW64\Encnaa32.dll | Mcoepkdo.exe
File created | C:\Windows\SysWOW64\Fhgmqghl.dll | Fcbnpnme.exe
File opened for modification | C:\Windows\SysWOW64\Abpcja32.exe | Qelcamcj.exe
File opened for modification | C:\Windows\SysWOW64\Oakjnnap.exe | Oediim32.exe
File opened for modification | C:\Windows\SysWOW64\Fekclnif.exe | Fpnkdfko.exe
File opened for modification | C:\Windows\SysWOW64\Dndlba32.exe | Cgjcfgoa.exe
File created | C:\Windows\SysWOW64\Lpjjmg32.exe | Ledepn32.exe
File opened for modification | C:\Windows\SysWOW64\Icpecm32.exe | Ihjafd32.exe
File created | C:\Windows\SysWOW64\Fcdfimja.dll | Ihjafd32.exe
File created | C:\Windows\SysWOW64\Gqmnpk32.exe | Gfgjbb32.exe
File created | C:\Windows\SysWOW64\Ciaddaaj.exe | Becknc32.exe
File created | C:\Windows\SysWOW64\Lhnoigkk.dll | Oihmedma.exe
File opened for modification | C:\Windows\SysWOW64\Qpbnhl32.exe | Pciqnk32.exe
File opened for modification | C:\Windows\SysWOW64\Hqghqpnl.exe | Hepgkohh.exe
File opened for modification | C:\Windows\SysWOW64\Mcoepkdo.exe | Mhiabbdi.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
9504 | 10224 | WerFault.exe | 518
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Icgbob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhppik32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efampahd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjfjee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gicgpelg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqoloc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll" | Cienon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmjlkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oakjnnap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbehienn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eldbbjof.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icbbimih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jlfhke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll" | Kefbdjgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oohkai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bqdlmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldfhgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcfcmnce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkmlnimb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qkdohg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Keekjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgjpfqpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljhchc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajkfn32.dll" | Qjeaog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbknhqbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dajbaika.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmbiackg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhbqalle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ciaddaaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdahb32.dll" | Cbiabq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Halhfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll" | Pbhgoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imnjbhaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cappkh32.dll" | Gjghdj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jopiom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imfdaigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eldbbjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkqde32.dll" | Gllajf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpifeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accheolp.dll" | Fcbgfhii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Meoggpmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnhlgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnonkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapmnano.dll" | Hepgkohh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kahinkaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekibcga.dll" | Lpelqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Paiogf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kcoccc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmphaaln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omloon32.dll" | Lacbpccn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll" | Fqbeoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mdpagc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oeamcmmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnbfgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kcgekjgp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bdlncn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loancd32.dll" | Imfdaigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaddkgn.dll" | Lpghfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajodef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdpakhk.dll" | Bflagg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahngmnnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehbdjma.dll" | Jeilne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfoaam32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2792 wrote to memory of 4576 | 2792 | NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe | 89
PID 2792 wrote to memory of 4576 | 2792 | NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe | 89
PID 2792 wrote to memory of 4576 | 2792 | NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe | 89
PID 4576 wrote to memory of 1292 | 4576 | Kpmdfonj.exe | 90
PID 4576 wrote to memory of 1292 | 4576 | Kpmdfonj.exe | 90
PID 4576 wrote to memory of 1292 | 4576 | Kpmdfonj.exe | 90
PID 1292 wrote to memory of 4992 | 1292 | Lcgpni32.exe | 92
PID 1292 wrote to memory of 4992 | 1292 | Lcgpni32.exe | 92
PID 1292 wrote to memory of 4992 | 1292 | Lcgpni32.exe | 92
PID 4992 wrote to memory of 3556 | 4992 | Lopmii32.exe | 93
PID 4992 wrote to memory of 3556 | 4992 | Lopmii32.exe | 93
PID 4992 wrote to memory of 3556 | 4992 | Lopmii32.exe | 93
PID 3556 wrote to memory of 3896 | 3556 | Mnjqmpgg.exe | 94
PID 3556 wrote to memory of 3896 | 3556 | Mnjqmpgg.exe | 94
PID 3556 wrote to memory of 3896 | 3556 | Mnjqmpgg.exe | 94
PID 3896 wrote to memory of 32 | 3896 | Nclbpf32.exe | 96
PID 3896 wrote to memory of 32 | 3896 | Nclbpf32.exe | 96
PID 3896 wrote to memory of 32 | 3896 | Nclbpf32.exe | 96
PID 32 wrote to memory of 2216 | 32 | Nqbpojnp.exe | 97
PID 32 wrote to memory of 2216 | 32 | Nqbpojnp.exe | 97
PID 32 wrote to memory of 2216 | 32 | Nqbpojnp.exe | 97
PID 2216 wrote to memory of 4080 | 2216 | Nceefd32.exe | 98
PID 2216 wrote to memory of 4080 | 2216 | Nceefd32.exe | 98
PID 2216 wrote to memory of 4080 | 2216 | Nceefd32.exe | 98
PID 4080 wrote to memory of 1496 | 4080 | Ocjoadei.exe | 99
PID 4080 wrote to memory of 1496 | 4080 | Ocjoadei.exe | 99
PID 4080 wrote to memory of 1496 | 4080 | Ocjoadei.exe | 99
PID 1496 wrote to memory of 1504 | 1496 | Oghghb32.exe | 100
PID 1496 wrote to memory of 1504 | 1496 | Oghghb32.exe | 100
PID 1496 wrote to memory of 1504 | 1496 | Oghghb32.exe | 100
PID 1504 wrote to memory of 1768 | 1504 | Pnifekmd.exe | 101
PID 1504 wrote to memory of 1768 | 1504 | Pnifekmd.exe | 101
PID 1504 wrote to memory of 1768 | 1504 | Pnifekmd.exe | 101
PID 1768 wrote to memory of 468 | 1768 | Paiogf32.exe | 102
PID 1768 wrote to memory of 468 | 1768 | Paiogf32.exe | 102
PID 1768 wrote to memory of 468 | 1768 | Paiogf32.exe | 102
PID 468 wrote to memory of 4924 | 468 | Pnplfj32.exe | 103
PID 468 wrote to memory of 4924 | 468 | Pnplfj32.exe | 103
PID 468 wrote to memory of 4924 | 468 | Pnplfj32.exe | 103
PID 4924 wrote to memory of 3568 | 4924 | Qodeajbg.exe | 104
PID 4924 wrote to memory of 3568 | 4924 | Qodeajbg.exe | 104
PID 4924 wrote to memory of 3568 | 4924 | Qodeajbg.exe | 104
PID 3568 wrote to memory of 4408 | 3568 | Akkffkhk.exe | 105
PID 3568 wrote to memory of 4408 | 3568 | Akkffkhk.exe | 105
PID 3568 wrote to memory of 4408 | 3568 | Akkffkhk.exe | 105
PID 4408 wrote to memory of 2560 | 4408 | Aoioli32.exe | 106
PID 4408 wrote to memory of 2560 | 4408 | Aoioli32.exe | 106
PID 4408 wrote to memory of 2560 | 4408 | Aoioli32.exe | 106
PID 2560 wrote to memory of 3056 | 2560 | Aggpfkjj.exe | 107
PID 2560 wrote to memory of 3056 | 2560 | Aggpfkjj.exe | 107
PID 2560 wrote to memory of 3056 | 2560 | Aggpfkjj.exe | 107
PID 3056 wrote to memory of 3724 | 3056 | Ahfmpnql.exe | 108
PID 3056 wrote to memory of 3724 | 3056 | Ahfmpnql.exe | 108
PID 3056 wrote to memory of 3724 | 3056 | Ahfmpnql.exe | 108
PID 3724 wrote to memory of 2056 | 3724 | Bhkfkmmg.exe | 109
PID 3724 wrote to memory of 2056 | 3724 | Bhkfkmmg.exe | 109
PID 3724 wrote to memory of 2056 | 3724 | Bhkfkmmg.exe | 109
PID 2056 wrote to memory of 4292 | 2056 | Bdagpnbk.exe | 110
PID 2056 wrote to memory of 4292 | 2056 | Bdagpnbk.exe | 110
PID 2056 wrote to memory of 4292 | 2056 | Bdagpnbk.exe | 110
PID 4292 wrote to memory of 320 | 4292 | Bdfpkm32.exe | 111
PID 4292 wrote to memory of 320 | 4292 | Bdfpkm32.exe | 111
PID 4292 wrote to memory of 320 | 4292 | Bdfpkm32.exe | 111
PID 320 wrote to memory of 3612 | 320 | Boldhf32.exe | 112
Processes
Each process below is started by the one above it (the nesting level is given as the entry number); the chain is 122 processes deep. The command lines name C:\Windows\system32 while the executables resolve to C:\Windows\SysWOW64: these are 32-bit processes on a 64-bit Windows 10 image (resource tag arch:x86), so WOW64 file-system redirection maps system32 to SysWOW64.
1. C:\Users\Admin\AppData\Local\Temp\NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe (PID 2792)
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1b3cb2e041a8240f5bc597b6c3bb9eb0.exe"
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kpmdfonj.exe (PID 4576)
   Command line: C:\Windows\system32\Kpmdfonj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lcgpni32.exe (PID 1292)
   Command line: C:\Windows\system32\Lcgpni32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lopmii32.exe (PID 4992)
   Command line: C:\Windows\system32\Lopmii32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mnjqmpgg.exe (PID 3556)
   Command line: C:\Windows\system32\Mnjqmpgg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Nclbpf32.exe (PID 3896)
   Command line: C:\Windows\system32\Nclbpf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Nqbpojnp.exe (PID 32)
   Command line: C:\Windows\system32\Nqbpojnp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Nceefd32.exe (PID 2216)
   Command line: C:\Windows\system32\Nceefd32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ocjoadei.exe (PID 4080)
   Command line: C:\Windows\system32\Ocjoadei.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Oghghb32.exe (PID 1496)
   Command line: C:\Windows\system32\Oghghb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pnifekmd.exe (PID 1504)
   Command line: C:\Windows\system32\Pnifekmd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Paiogf32.exe (PID 1768)
   Command line: C:\Windows\system32\Paiogf32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Pnplfj32.exe (PID 468)
   Command line: C:\Windows\system32\Pnplfj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qodeajbg.exe (PID 4924)
   Command line: C:\Windows\system32\Qodeajbg.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Akkffkhk.exe (PID 3568)
   Command line: C:\Windows\system32\Akkffkhk.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Aoioli32.exe (PID 4408)
   Command line: C:\Windows\system32\Aoioli32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Aggpfkjj.exe (PID 2560)
   Command line: C:\Windows\system32\Aggpfkjj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ahfmpnql.exe (PID 3056)
   Command line: C:\Windows\system32\Ahfmpnql.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Bhkfkmmg.exe (PID 3724)
   Command line: C:\Windows\system32\Bhkfkmmg.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Bdagpnbk.exe (PID 2056)
   Command line: C:\Windows\system32\Bdagpnbk.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Bdfpkm32.exe (PID 4292)
   Command line: C:\Windows\system32\Bdfpkm32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Boldhf32.exe (PID 320)
   Command line: C:\Windows\system32\Boldhf32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Coqncejg.exe (PID 3612)
   Command line: C:\Windows\system32\Coqncejg.exe
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Dgcihgaj.exe (PID 4620)
   Command line: C:\Windows\system32\Dgcihgaj.exe
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Dnonkq32.exe (PID 4644)
   Command line: C:\Windows\system32\Dnonkq32.exe
   - Executes dropped EXE
   - Modifies registry class
26. C:\Windows\SysWOW64\Dkcndeen.exe (PID 4192)
   Command line: C:\Windows\system32\Dkcndeen.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Enhpao32.exe (PID 3564)
   Command line: C:\Windows\system32\Enhpao32.exe
   - Executes dropped EXE
28. C:\Windows\SysWOW64\Ebfign32.exe (PID 1056)
   Command line: C:\Windows\system32\Ebfign32.exe
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Fooclapd.exe (PID 1640)
   Command line: C:\Windows\system32\Fooclapd.exe
   - Executes dropped EXE
30. C:\Windows\SysWOW64\Fdnhih32.exe (PID 1608)
   Command line: C:\Windows\system32\Fdnhih32.exe
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Filapfbo.exe (PID 2900)
   Command line: C:\Windows\system32\Filapfbo.exe
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Fajbjh32.exe (PID 2960)
   Command line: C:\Windows\system32\Fajbjh32.exe
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Gicgpelg.exe (PID 2908)
   Command line: C:\Windows\system32\Gicgpelg.exe
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Halhfe32.exe (PID 4480)
   Command line: C:\Windows\system32\Halhfe32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Ipdndloi.exe (PID 4436)
   Command line: C:\Windows\system32\Ipdndloi.exe
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Iimcma32.exe (PID 4560)
   Command line: C:\Windows\system32\Iimcma32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Ihbponja.exe (PID 4320)
   Command line: C:\Windows\system32\Ihbponja.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Kefiopki.exe (PID 2480)
   Command line: C:\Windows\system32\Kefiopki.exe
39. C:\Windows\SysWOW64\Keifdpif.exe (PID 4632)
   Command line: C:\Windows\system32\Keifdpif.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Kcmfnd32.exe (PID 3204)
   Command line: C:\Windows\system32\Kcmfnd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Kcoccc32.exe (PID 4548)
   Command line: C:\Windows\system32\Kcoccc32.exe
   - Executes dropped EXE
   - Modifies registry class
42. C:\Windows\SysWOW64\Lcclncbh.exe (PID 1648)
   Command line: C:\Windows\system32\Lcclncbh.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Lindkm32.exe (PID 2116)
   Command line: C:\Windows\system32\Lindkm32.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Ledepn32.exe (PID 868)
   Command line: C:\Windows\system32\Ledepn32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
45. C:\Windows\SysWOW64\Lpjjmg32.exe (PID 4064)
   Command line: C:\Windows\system32\Lpjjmg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Mpapnfhg.exe (PID 4524)
   Command line: C:\Windows\system32\Mpapnfhg.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Mhldbh32.exe (PID 4284)
   Command line: C:\Windows\system32\Mhldbh32.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Mpeiie32.exe (PID 3096)
   Command line: C:\Windows\system32\Mpeiie32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
49. C:\Windows\SysWOW64\Mlofcf32.exe (PID 4716)
   Command line: C:\Windows\system32\Mlofcf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Nqoloc32.exe (PID 2044)
   Command line: C:\Windows\system32\Nqoloc32.exe
   - Executes dropped EXE
   - Modifies registry class
51. C:\Windows\SysWOW64\Nijqcf32.exe (PID 2820)
   Command line: C:\Windows\system32\Nijqcf32.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Ncpeaoih.exe (PID 700)
   Command line: C:\Windows\system32\Ncpeaoih.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Nimmifgo.exe (PID 3660)
   Command line: C:\Windows\system32\Nimmifgo.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Ojnfihmo.exe (PID 112)
   Command line: C:\Windows\system32\Ojnfihmo.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Oqhoeb32.exe (PID 2432)
   Command line: C:\Windows\system32\Oqhoeb32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Oqklkbbi.exe (PID 3080)
   Command line: C:\Windows\system32\Oqklkbbi.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Oophlo32.exe (PID 2904)
   Command line: C:\Windows\system32\Oophlo32.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Oihmedma.exe (PID 1908)
   Command line: C:\Windows\system32\Oihmedma.exe
   - Executes dropped EXE
   - Drops file in System32 directory
59. C:\Windows\SysWOW64\Oikjkc32.exe (PID 1288)
   Command line: C:\Windows\system32\Oikjkc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
60. C:\Windows\SysWOW64\Ppdbgncl.exe (PID 5056)
   Command line: C:\Windows\system32\Ppdbgncl.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Pbhgoh32.exe (PID 3092)
   Command line: C:\Windows\system32\Pbhgoh32.exe
   - Executes dropped EXE
   - Modifies registry class
62. C:\Windows\SysWOW64\Pmphaaln.exe (PID 496)
   Command line: C:\Windows\system32\Pmphaaln.exe
   - Executes dropped EXE
   - Modifies registry class
63. C:\Windows\SysWOW64\Pciqnk32.exe (PID 4976)
   Command line: C:\Windows\system32\Pciqnk32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
64. C:\Windows\SysWOW64\Qpbnhl32.exe (PID 3928)
   Command line: C:\Windows\system32\Qpbnhl32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
65. C:\Windows\SysWOW64\Acccdj32.exe (PID 3820)
   Command line: C:\Windows\system32\Acccdj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Bagmdllg.exe (PID 1360)
   Command line: C:\Windows\system32\Bagmdllg.exe
   - Executes dropped EXE
67. C:\Windows\SysWOW64\Ckpamabg.exe (PID 4972)
   Command line: C:\Windows\system32\Ckpamabg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Cajjjk32.exe (PID 1836)
   Command line: C:\Windows\system32\Cajjjk32.exe
69. C:\Windows\SysWOW64\Cienon32.exe (PID 4696)
   Command line: C:\Windows\system32\Cienon32.exe
   - Modifies registry class
70. C:\Windows\SysWOW64\Cancekeo.exe (PID 1816)
   Command line: C:\Windows\system32\Cancekeo.exe
71. C:\Windows\SysWOW64\Cpfmlghd.exe (PID 3964)
   Command line: C:\Windows\system32\Cpfmlghd.exe
72. C:\Windows\SysWOW64\Ddcebe32.exe (PID 4788)
   Command line: C:\Windows\system32\Ddcebe32.exe
73. C:\Windows\SysWOW64\Dkpjdo32.exe (PID 772)
   Command line: C:\Windows\system32\Dkpjdo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Dajbaika.exe (PID 3868)
   Command line: C:\Windows\system32\Dajbaika.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
75. C:\Windows\SysWOW64\Dnqcfjae.exe (PID 3848)
   Command line: C:\Windows\system32\Dnqcfjae.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Dpalgenf.exe (PID 4600)
   Command line: C:\Windows\system32\Dpalgenf.exe
   - Drops file in System32 directory
77. C:\Windows\SysWOW64\Enemaimp.exe (PID 2304)
   Command line: C:\Windows\system32\Enemaimp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
78. C:\Windows\SysWOW64\Ekimjn32.exe (PID 4868)
   Command line: C:\Windows\system32\Ekimjn32.exe
79. C:\Windows\SysWOW64\Ejojljqa.exe (PID 4424)
   Command line: C:\Windows\system32\Ejojljqa.exe
80. C:\Windows\SysWOW64\Ephbhd32.exe (PID 4592)
   Command line: C:\Windows\system32\Ephbhd32.exe
81. C:\Windows\SysWOW64\Fnalmh32.exe (PID 5128)
   Command line: C:\Windows\system32\Fnalmh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Fkemfl32.exe (PID 5172)
   Command line: C:\Windows\system32\Fkemfl32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Fqbeoc32.exe (PID 5216)
   Command line: C:\Windows\system32\Fqbeoc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
84. C:\Windows\SysWOW64\Fbaahf32.exe (PID 5256)
   Command line: C:\Windows\system32\Fbaahf32.exe
85. C:\Windows\SysWOW64\Fcbnpnme.exe (PID 5300)
   Command line: C:\Windows\system32\Fcbnpnme.exe
   - Drops file in System32 directory
86. C:\Windows\SysWOW64\Fbdnne32.exe (PID 5344)
   Command line: C:\Windows\system32\Fbdnne32.exe
87. C:\Windows\SysWOW64\Fklcgk32.exe (PID 5388)
   Command line: C:\Windows\system32\Fklcgk32.exe
88. C:\Windows\SysWOW64\Gbhhieao.exe (PID 5432)
   Command line: C:\Windows\system32\Gbhhieao.exe
89. C:\Windows\SysWOW64\Gclafmej.exe (PID 5472)
   Command line: C:\Windows\system32\Gclafmej.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Gjficg32.exe (PID 5516)
   Command line: C:\Windows\system32\Gjficg32.exe
   - Drops file in System32 directory
91. C:\Windows\SysWOW64\Gbpnjdkg.exe (PID 5560)
   Command line: C:\Windows\system32\Gbpnjdkg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Gkhbbi32.exe (PID 5600)
   Command line: C:\Windows\system32\Gkhbbi32.exe
93. C:\Windows\SysWOW64\Hepgkohh.exe (PID 5648)
   Command line: C:\Windows\system32\Hepgkohh.exe
   - Drops file in System32 directory
   - Modifies registry class
94. C:\Windows\SysWOW64\Hqghqpnl.exe (PID 5692)
   Command line: C:\Windows\system32\Hqghqpnl.exe
   - Drops file in System32 directory
95. C:\Windows\SysWOW64\Hkmlnimb.exe (PID 5740)
   Command line: C:\Windows\system32\Hkmlnimb.exe
   - Modifies registry class
96. C:\Windows\SysWOW64\Hgcmbj32.exe (PID 5784)
   Command line: C:\Windows\system32\Hgcmbj32.exe
97. C:\Windows\SysWOW64\Hcjmhk32.exe (PID 5828)
   Command line: C:\Windows\system32\Hcjmhk32.exe
98. C:\Windows\SysWOW64\Hannao32.exe (PID 5864)
   Command line: C:\Windows\system32\Hannao32.exe
99. C:\Windows\SysWOW64\Hkcbnh32.exe (PID 5912)
   Command line: C:\Windows\system32\Hkcbnh32.exe
100. C:\Windows\SysWOW64\Igjbci32.exe (PID 5956)
   Command line: C:\Windows\system32\Igjbci32.exe
101. C:\Windows\SysWOW64\Iencmm32.exe (PID 6000)
   Command line: C:\Windows\system32\Iencmm32.exe
102. C:\Windows\SysWOW64\Ijkled32.exe (PID 6040)
   Command line: C:\Windows\system32\Ijkled32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Iccpniqp.exe (PID 6084)
   Command line: C:\Windows\system32\Iccpniqp.exe
104. C:\Windows\SysWOW64\Ijpepcfj.exe (PID 6128)
   Command line: C:\Windows\system32\Ijpepcfj.exe
105. C:\Windows\SysWOW64\Iajmmm32.exe (PID 5140)
   Command line: C:\Windows\system32\Iajmmm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Jnnnfalp.exe (PID 5200)
   Command line: C:\Windows\system32\Jnnnfalp.exe
107. C:\Windows\SysWOW64\Jblflp32.exe (PID 5284)
   Command line: C:\Windows\system32\Jblflp32.exe
108. C:\Windows\SysWOW64\Jhhodg32.exe (PID 5356)
   Command line: C:\Windows\system32\Jhhodg32.exe
109. C:\Windows\SysWOW64\Jnbgaa32.exe (PID 5416)
   Command line: C:\Windows\system32\Jnbgaa32.exe
110. C:\Windows\SysWOW64\Jelonkph.exe (PID 5496)
   Command line: C:\Windows\system32\Jelonkph.exe
111. C:\Windows\SysWOW64\Jlfhke32.exe (PID 5552)
   Command line: C:\Windows\system32\Jlfhke32.exe
   - Modifies registry class
112. C:\Windows\SysWOW64\Jacpcl32.exe (PID 5640)
   Command line: C:\Windows\system32\Jacpcl32.exe
113. C:\Windows\SysWOW64\Jjkdlall.exe (PID 5676)
   Command line: C:\Windows\system32\Jjkdlall.exe
   - Drops file in System32 directory
114. C:\Windows\SysWOW64\Jhoeef32.exe (PID 5772)
   Command line: C:\Windows\system32\Jhoeef32.exe
115. C:\Windows\SysWOW64\Kahinkaf.exe (PID 5872)
   Command line: C:\Windows\system32\Kahinkaf.exe
   - Modifies registry class
116. C:\Windows\SysWOW64\Koljgppp.exe (PID 5896)
   Command line: C:\Windows\system32\Koljgppp.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Kefbdjgm.exe (PID 6008)
   Command line: C:\Windows\system32\Kefbdjgm.exe
   - Modifies registry class
118. C:\Windows\SysWOW64\Kongmo32.exe (PID 6052)
   Command line: C:\Windows\system32\Kongmo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Kdkoef32.exe (PID 6136)
   Command line: C:\Windows\system32\Kdkoef32.exe
120. C:\Windows\SysWOW64\Kdmlkfjb.exe (PID 5180)
   Command line: C:\Windows\system32\Kdmlkfjb.exe
121. C:\Windows\SysWOW64\Khkdad32.exe (PID 5376)
   Command line: C:\Windows\system32\Khkdad32.exe
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Lhmafcnf.exe (PID 5456)
   Command line: C:\Windows\system32\Lhmafcnf.exe