Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-04-2024 19:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe
-
Size
80KB
-
MD5
af119bb7dbb1fd12a550e3de3c49b8cc
-
SHA1
4eec4e9b5409af726381f060d1d37bca5a24fd2a
-
SHA256
153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d
-
SHA512
5e92f658b8306e0d0ddbc47b63884768d634c6a76ca4f838f7255d67b5fed6eecc1a8cbc2aa58a9bae4fa143346a1f470ee3f6cdab61495494e4028cd468c5a4
-
SSDEEP
1536:xeNJFmIMjspusSC+HOQq/YF/2LHwaIZTJ+7LhkiB0:x8F6THj8YFEQaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oojknblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpqdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmonbqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajpelhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apomfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omloag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkemh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeqbkkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe -
Executes dropped EXE 64 IoCs
pid Process 1032 Ncancbha.exe 2632 Njkfpl32.exe 2608 Nmjblg32.exe 2420 Nohnhc32.exe 2396 Nbfjdn32.exe 2912 Ofbfdmeb.exe 2748 Omloag32.exe 2948 Oojknblb.exe 2736 Obigjnkf.exe 2372 Oicpfh32.exe 2284 Ogfpbeim.exe 2696 Oomhcbjp.exe 2036 Obkdonic.exe 2144 Odjpkihg.exe 2712 Oiellh32.exe 680 Ojficpfn.exe 1572 Onbddoog.exe 2960 Obnqem32.exe 1464 Oelmai32.exe 1804 Ogjimd32.exe 3024 Ojieip32.exe 1688 Omgaek32.exe 700 Oenifh32.exe 108 Ogmfbd32.exe 2340 Ofpfnqjp.exe 2260 Ongnonkb.exe 2272 Pgobhcac.exe 2548 Pjmodopf.exe 2668 Pmlkpjpj.exe 2664 Ppjglfon.exe 2516 Piblek32.exe 2572 Plahag32.exe 1104 Pbkpna32.exe 1488 Piehkkcl.exe 2720 Ppoqge32.exe 852 Pbmmcq32.exe 1416 Pfiidobe.exe 1544 Pelipl32.exe 2648 Pigeqkai.exe 1504 Plfamfpm.exe 2012 Ppamme32.exe 1948 Pbpjiphi.exe 1984 Pabjem32.exe 2244 Pijbfj32.exe 540 Qlhnbf32.exe 1036 Qbbfopeg.exe 2368 Qaefjm32.exe 1172 Qeqbkkej.exe 1456 Qdccfh32.exe 2084 Qmlgonbe.exe 800 Qagcpljo.exe 1596 Qecoqk32.exe 648 Adeplhib.exe 856 Ahakmf32.exe 2872 Afdlhchf.exe 1528 Ajphib32.exe 2524 Ankdiqih.exe 1500 Aajpelhl.exe 2796 Aplpai32.exe 2564 Adhlaggp.exe 312 Ahchbf32.exe 2440 Affhncfc.exe 2756 Ajbdna32.exe 2944 Ampqjm32.exe -
Loads dropped DLL 64 IoCs
pid Process 1712 153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe 1712 153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe 1032 Ncancbha.exe 1032 Ncancbha.exe 2632 Njkfpl32.exe 2632 Njkfpl32.exe 2608 Nmjblg32.exe 2608 Nmjblg32.exe 2420 Nohnhc32.exe 2420 Nohnhc32.exe 2396 Nbfjdn32.exe 2396 Nbfjdn32.exe 2912 Ofbfdmeb.exe 2912 Ofbfdmeb.exe 2748 Omloag32.exe 2748 Omloag32.exe 2948 Oojknblb.exe 2948 Oojknblb.exe 2736 Obigjnkf.exe 2736 Obigjnkf.exe 2372 Oicpfh32.exe 2372 Oicpfh32.exe 2284 Ogfpbeim.exe 2284 Ogfpbeim.exe 2696 Oomhcbjp.exe 2696 Oomhcbjp.exe 2036 Obkdonic.exe 2036 Obkdonic.exe 2144 Odjpkihg.exe 2144 Odjpkihg.exe 2712 Oiellh32.exe 2712 Oiellh32.exe 680 Ojficpfn.exe 680 Ojficpfn.exe 1572 Onbddoog.exe 1572 Onbddoog.exe 2960 Obnqem32.exe 2960 Obnqem32.exe 1464 Oelmai32.exe 1464 Oelmai32.exe 1804 Ogjimd32.exe 1804 Ogjimd32.exe 3024 Ojieip32.exe 3024 Ojieip32.exe 1688 Omgaek32.exe 1688 Omgaek32.exe 700 Oenifh32.exe 700 Oenifh32.exe 108 Ogmfbd32.exe 108 Ogmfbd32.exe 2340 Ofpfnqjp.exe 2340 Ofpfnqjp.exe 2260 Ongnonkb.exe 2260 Ongnonkb.exe 2272 Pgobhcac.exe 2272 Pgobhcac.exe 2548 Pjmodopf.exe 2548 Pjmodopf.exe 2668 Pmlkpjpj.exe 2668 Pmlkpjpj.exe 2664 Ppjglfon.exe 2664 Ppjglfon.exe 2516 Piblek32.exe 2516 Piblek32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lqamandk.dll Adhlaggp.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bebkpn32.exe File opened for modification C:\Windows\SysWOW64\Jbfpbmji.dll Abbbnchb.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Ckignd32.exe File created C:\Windows\SysWOW64\Cciemedf.exe Comimg32.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File opened for modification C:\Windows\SysWOW64\Ajphib32.exe Afdlhchf.exe File created C:\Windows\SysWOW64\Idceea32.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Ogfpbeim.exe Oicpfh32.exe File opened for modification C:\Windows\SysWOW64\Ogjimd32.exe Oelmai32.exe File opened for modification C:\Windows\SysWOW64\Cgmkmecg.exe Bcaomf32.exe File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe Clomqk32.exe File created C:\Windows\SysWOW64\Ckffgg32.exe Clcflkic.exe File created C:\Windows\SysWOW64\Ambmpmln.exe Aigaon32.exe File created C:\Windows\SysWOW64\Bkfjhd32.exe Bgknheej.exe File opened for modification C:\Windows\SysWOW64\Ajdadamj.exe Abmibdlh.exe File created C:\Windows\SysWOW64\Ldahol32.dll Gopkmhjk.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Lmkgjhfn.dll Ppoqge32.exe File created C:\Windows\SysWOW64\Ahchbf32.exe Adhlaggp.exe File created C:\Windows\SysWOW64\Aigaon32.exe Ajdadamj.exe File created C:\Windows\SysWOW64\Bpjiammk.dll Afkbib32.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Beehencq.exe File opened for modification C:\Windows\SysWOW64\Pdmaibnf.dll Cpjiajeb.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Hpocfncj.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Gbnccfpb.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Kpikfj32.dll Afdlhchf.exe File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Kjpnhh32.dll Pelipl32.exe File opened for modification C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File created C:\Windows\SysWOW64\Geolea32.exe Goddhg32.exe File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Jfcfmmpb.dll Aepojo32.exe File created C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Obigjnkf.exe Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Feeiob32.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Qeqbkkej.exe Qaefjm32.exe File opened for modification C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File opened for modification C:\Windows\SysWOW64\Bcaomf32.exe Bpcbqk32.exe File created C:\Windows\SysWOW64\Mghjoa32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Fjdbnf32.exe Fhffaj32.exe File opened for modification C:\Windows\SysWOW64\Nmjblg32.exe Njkfpl32.exe File opened for modification C:\Windows\SysWOW64\Pfiidobe.exe Pbmmcq32.exe File opened for modification C:\Windows\SysWOW64\Aigaon32.exe Ajdadamj.exe File created C:\Windows\SysWOW64\Pbpjiphi.exe Ppamme32.exe File created C:\Windows\SysWOW64\Affhncfc.exe Ahchbf32.exe File created C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Jkbcpgjj.dll Coklgg32.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Feeiob32.exe File created C:\Windows\SysWOW64\Iknecn32.dll Onbddoog.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bjijdadm.exe File created C:\Windows\SysWOW64\Cjpqdp32.exe Cgbdhd32.exe File created C:\Windows\SysWOW64\Ebpkce32.exe Djefobmk.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Ggpimica.exe File created C:\Windows\SysWOW64\Bcaomf32.exe Bcaomf32.exe File created C:\Windows\SysWOW64\Nejeco32.dll Comimg32.exe File created C:\Windows\SysWOW64\Njmekj32.dll Hiqbndpb.exe File opened for modification C:\Windows\SysWOW64\Fenhecef.dll Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Apomfh32.exe Aalmklfi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1580 3244 WerFault.exe 293 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" Eiomkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cciemedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiiek32.dll" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Begeknan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gldkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpojo32.dll" Pmlkpjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbnccfpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdmei32.dll" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhgoq32.dll" Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdaihk.dll" Ongnonkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnefdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obigjnkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddagfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" Ebbgid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" Fejgko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealffeej.dll" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Iknnbklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beehencq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjndop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhljm32.dll" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oelmai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlgonbe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1712 wrote to memory of 1032 1712 153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe 28 PID 1712 wrote to memory of 1032 1712 153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe 28 PID 1712 wrote to memory of 1032 1712 153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe 28 PID 1712 wrote to memory of 1032 1712 153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe 28 PID 1032 wrote to memory of 2632 1032 Ncancbha.exe 29 PID 1032 wrote to memory of 2632 1032 Ncancbha.exe 29 PID 1032 wrote to memory of 2632 1032 Ncancbha.exe 29 PID 1032 wrote to memory of 2632 1032 Ncancbha.exe 29 PID 2632 wrote to memory of 2608 2632 Njkfpl32.exe 30 PID 2632 wrote to memory of 2608 2632 Njkfpl32.exe 30 PID 2632 wrote to memory of 2608 2632 Njkfpl32.exe 30 PID 2632 wrote to memory of 2608 2632 Njkfpl32.exe 30 PID 2608 wrote to memory of 2420 2608 Nmjblg32.exe 31 PID 2608 wrote to memory of 2420 2608 Nmjblg32.exe 31 PID 2608 wrote to memory of 2420 2608 Nmjblg32.exe 31 PID 2608 wrote to memory of 2420 2608 Nmjblg32.exe 31 PID 2420 wrote to memory of 2396 2420 Nohnhc32.exe 32 PID 2420 wrote to memory of 2396 2420 Nohnhc32.exe 32 PID 2420 wrote to memory of 2396 2420 Nohnhc32.exe 32 PID 2420 wrote to memory of 2396 2420 Nohnhc32.exe 32 PID 2396 wrote to memory of 2912 2396 Nbfjdn32.exe 33 PID 2396 wrote to memory of 2912 2396 Nbfjdn32.exe 33 PID 2396 wrote to memory of 2912 2396 Nbfjdn32.exe 33 PID 2396 wrote to memory of 2912 2396 Nbfjdn32.exe 33 PID 2912 wrote to memory of 2748 2912 Ofbfdmeb.exe 34 PID 2912 wrote to memory of 2748 2912 Ofbfdmeb.exe 34 PID 2912 wrote to memory of 2748 2912 Ofbfdmeb.exe 34 PID 2912 wrote to memory of 2748 2912 Ofbfdmeb.exe 34 PID 2748 wrote to memory of 2948 2748 Omloag32.exe 35 PID 2748 wrote to memory of 2948 2748 Omloag32.exe 35 PID 2748 wrote to memory of 2948 2748 Omloag32.exe 35 PID 2748 wrote to memory of 2948 2748 Omloag32.exe 35 PID 2948 wrote to memory of 2736 2948 Oojknblb.exe 36 PID 2948 wrote to memory of 2736 2948 Oojknblb.exe 36 PID 2948 wrote to memory of 2736 2948 Oojknblb.exe 36 PID 2948 wrote to memory of 2736 2948 Oojknblb.exe 36 PID 2736 wrote to memory of 2372 2736 Obigjnkf.exe 37 PID 2736 wrote to memory of 2372 2736 Obigjnkf.exe 37 PID 2736 wrote to memory of 2372 2736 Obigjnkf.exe 37 PID 2736 wrote to memory of 2372 2736 Obigjnkf.exe 37 PID 2372 wrote to memory of 2284 2372 Oicpfh32.exe 38 PID 2372 wrote to memory of 2284 2372 Oicpfh32.exe 38 PID 2372 wrote to memory of 2284 2372 Oicpfh32.exe 38 PID 2372 wrote to memory of 2284 2372 Oicpfh32.exe 38 PID 2284 wrote to memory of 2696 2284 Ogfpbeim.exe 39 PID 2284 wrote to memory of 2696 2284 Ogfpbeim.exe 39 PID 2284 wrote to memory of 2696 2284 Ogfpbeim.exe 39 PID 2284 wrote to memory of 2696 2284 Ogfpbeim.exe 39 PID 2696 wrote to memory of 2036 2696 Oomhcbjp.exe 40 PID 2696 wrote to memory of 2036 2696 Oomhcbjp.exe 40 PID 2696 wrote to memory of 2036 2696 Oomhcbjp.exe 40 PID 2696 wrote to memory of 2036 2696 Oomhcbjp.exe 40 PID 2036 wrote to memory of 2144 2036 Obkdonic.exe 41 PID 2036 wrote to memory of 2144 2036 Obkdonic.exe 41 PID 2036 wrote to memory of 2144 2036 Obkdonic.exe 41 PID 2036 wrote to memory of 2144 2036 Obkdonic.exe 41 PID 2144 wrote to memory of 2712 2144 Odjpkihg.exe 42 PID 2144 wrote to memory of 2712 2144 Odjpkihg.exe 42 PID 2144 wrote to memory of 2712 2144 Odjpkihg.exe 42 PID 2144 wrote to memory of 2712 2144 Odjpkihg.exe 42 PID 2712 wrote to memory of 680 2712 Oiellh32.exe 43 PID 2712 wrote to memory of 680 2712 Oiellh32.exe 43 PID 2712 wrote to memory of 680 2712 Oiellh32.exe 43 PID 2712 wrote to memory of 680 2712 Oiellh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe"C:\Users\Admin\AppData\Local\Temp\153374c0e6cb22a7ae3b49ccacd54399b78ef3a79519d403317ecafd9cd7fa8d.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe40⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe41⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe44⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe46⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe50⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe52⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe53⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe57⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe58⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe60⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:312 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe66⤵PID:2924
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe67⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe69⤵PID:2740
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe70⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe71⤵PID:2732
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe72⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe73⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe74⤵PID:2376
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe75⤵PID:1744
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe76⤵PID:1696
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe77⤵PID:1400
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe78⤵PID:1976
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe79⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe80⤵PID:1592
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe81⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe82⤵PID:2972
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe83⤵PID:2792
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe84⤵PID:1736
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe86⤵PID:1524
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe88⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe89⤵PID:2456
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe90⤵PID:2464
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe91⤵PID:2900
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe92⤵PID:2916
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe93⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe94⤵PID:2764
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe95⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe96⤵PID:1364
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe99⤵PID:1616
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe102⤵PID:1944
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe103⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe104⤵PID:956
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe105⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe106⤵PID:2508
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe107⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe108⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe109⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe111⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe112⤵
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe113⤵PID:2772
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe115⤵PID:1196
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe116⤵PID:1680
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe117⤵PID:584
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe118⤵PID:1780
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-