Analysis
-
max time kernel
146s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
09/07/2024, 19:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe
-
Size
296KB
-
MD5
a1fccc4dbcc035d2eaccaafa5b5cafc8
-
SHA1
c4cce2de05f2f021331e67305a94914f4075356d
-
SHA256
20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e
-
SHA512
c1144a1c7a22c756011ed3116b57e5b628ccf4459c5c8f5a940e29bf091669fae83f906a09b10a4b67692090cb65ba9e5205d263a289d630702d65c922ebf4e2
-
SSDEEP
3072:jgEHu68LDpEaXm+zARA1+6NhZ6P0c9fpxg6pg:XuZDpFm+dNPKG6g
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpcikdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgmfchei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dekdikhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aennba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koddccaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enlidg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdkelolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacbmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkffng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbohehoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loqmba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbbachm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfccei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpnaca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plmpblnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjmbqhif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epbbkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnflo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpjeialg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbpeoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmepkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqcnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgnokb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehklddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfpel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmbqhif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dobgihgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchijone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphecepe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iibfajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddblgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andgop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihqgbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Affdle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khoebi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggfpgi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2996 Dddfdejn.exe 2232 Djclbl32.exe 1640 Ejehgkdp.exe 2596 Ejgemkbm.exe 2260 Efnfbl32.exe 1296 Efqbglen.exe 2132 Enlglnci.exe 2112 Fokdfajl.exe 2956 Fgfhjcgg.exe 2656 Fgiepced.exe 1936 Fqajihle.exe 1148 Fqcfnhjb.exe 1972 Fgnokb32.exe 344 Ffcllo32.exe 2156 Gicdnj32.exe 2296 Gpnmjd32.exe 1344 Gbnflo32.exe 2408 Ghkndf32.exe 1784 Gnefapmj.exe 1656 Gacbmk32.exe 2068 Gligjd32.exe 1292 Gngcgp32.exe 2472 Hhpgpebh.exe 2380 Hjndlqal.exe 2756 Hpkldg32.exe 2700 Hdiejfej.exe 2716 Hfgafadm.exe 2928 Hfjnla32.exe 2552 Hihjhl32.exe 576 Hpbbdfik.exe 784 Ihmgiiff.exe 604 Ieagbm32.exe 1964 Ihpdoh32.exe 1172 Iecdhm32.exe 2892 Ihbqdh32.exe 2944 Iajemnia.exe 1512 Idiaii32.exe 2460 Idknoi32.exe 2000 Igijkd32.exe 756 Incbgnmc.exe 2164 Jglgpdcc.exe 2060 Jpdkii32.exe 1168 Jgncfcaa.exe 696 Jjmpbopd.exe 1380 Jcedkd32.exe 692 Jfcqgpfi.exe 1136 Jlmicj32.exe 2976 Jcgapdeb.exe 880 Jfemlpdf.exe 1988 Jhdihkcj.exe 2688 Jblnaq32.exe 2724 Jdkjnl32.exe 3068 Kbokgpgg.exe 1036 Kfjggo32.exe 296 Khiccj32.exe 1068 Kkgopf32.exe 2916 Kbaglpee.exe 2776 Kdpcikdi.exe 2800 Kjllab32.exe 2012 Kqfdnljm.exe 3000 Kceqjhiq.exe 1216 Kjoifb32.exe 860 Kmmebm32.exe 2648 Kddmdk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2704 20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe 2704 20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe 2996 Dddfdejn.exe 2996 Dddfdejn.exe 2232 Djclbl32.exe 2232 Djclbl32.exe 1640 Ejehgkdp.exe 1640 Ejehgkdp.exe 2596 Ejgemkbm.exe 2596 Ejgemkbm.exe 2260 Efnfbl32.exe 2260 Efnfbl32.exe 1296 Efqbglen.exe 1296 Efqbglen.exe 2132 Enlglnci.exe 2132 Enlglnci.exe 2112 Fokdfajl.exe 2112 Fokdfajl.exe 2956 Fgfhjcgg.exe 2956 Fgfhjcgg.exe 2656 Fgiepced.exe 2656 Fgiepced.exe 1936 Fqajihle.exe 1936 Fqajihle.exe 1148 Fqcfnhjb.exe 1148 Fqcfnhjb.exe 1972 Fgnokb32.exe 1972 Fgnokb32.exe 344 Ffcllo32.exe 344 Ffcllo32.exe 2156 Gicdnj32.exe 2156 Gicdnj32.exe 2296 Gpnmjd32.exe 2296 Gpnmjd32.exe 1344 Gbnflo32.exe 1344 Gbnflo32.exe 2408 Ghkndf32.exe 2408 Ghkndf32.exe 1784 Gnefapmj.exe 1784 Gnefapmj.exe 1656 Gacbmk32.exe 1656 Gacbmk32.exe 2068 Gligjd32.exe 2068 Gligjd32.exe 1292 Gngcgp32.exe 1292 Gngcgp32.exe 2472 Hhpgpebh.exe 2472 Hhpgpebh.exe 2380 Hjndlqal.exe 2380 Hjndlqal.exe 2756 Hpkldg32.exe 2756 Hpkldg32.exe 2700 Hdiejfej.exe 2700 Hdiejfej.exe 2716 Hfgafadm.exe 2716 Hfgafadm.exe 2928 Hfjnla32.exe 2928 Hfjnla32.exe 2552 Hihjhl32.exe 2552 Hihjhl32.exe 576 Hpbbdfik.exe 576 Hpbbdfik.exe 784 Ihmgiiff.exe 784 Ihmgiiff.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ieagbm32.exe Ihmgiiff.exe File created C:\Windows\SysWOW64\Ahgdim32.dll Mclcijfd.exe File opened for modification C:\Windows\SysWOW64\Gqahqd32.exe Gbohehoj.exe File created C:\Windows\SysWOW64\Ldheebad.exe Keeeje32.exe File created C:\Windows\SysWOW64\Ifhckf32.dll Mkqqnq32.exe File created C:\Windows\SysWOW64\Jbhebfck.exe Process not Found File created C:\Windows\SysWOW64\Epbahp32.dll Ipjdameg.exe File created C:\Windows\SysWOW64\Phoogg32.dll Anadojlo.exe File created C:\Windows\SysWOW64\Ahemgiea.dll Elibpg32.exe File created C:\Windows\SysWOW64\Ebfkilbo.dll Fmfocnjg.exe File opened for modification C:\Windows\SysWOW64\Ahgofi32.exe Abmgjo32.exe File opened for modification C:\Windows\SysWOW64\Kgbipf32.exe Kddmdk32.exe File created C:\Windows\SysWOW64\Aboaff32.exe Akeijlfq.exe File created C:\Windows\SysWOW64\Nphgph32.dll Jbcjnnpl.exe File opened for modification C:\Windows\SysWOW64\Kaompi32.exe Kncaojfb.exe File created C:\Windows\SysWOW64\Ikfhplbf.dll Cedpbd32.exe File opened for modification C:\Windows\SysWOW64\Gghkdp32.exe Gcmoda32.exe File created C:\Windows\SysWOW64\Ncmljjmf.dll Cncmcm32.exe File opened for modification C:\Windows\SysWOW64\Dafoikjb.exe Dlifadkk.exe File opened for modification C:\Windows\SysWOW64\Agglbp32.exe Alageg32.exe File created C:\Windows\SysWOW64\Kadfkhkf.exe Knhjjj32.exe File opened for modification C:\Windows\SysWOW64\Andgop32.exe Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Godaakic.exe Gnbejb32.exe File opened for modification C:\Windows\SysWOW64\Bhbkpgbf.exe Bbhccm32.exe File created C:\Windows\SysWOW64\Hkjjmbgi.dll Pcaepg32.exe File created C:\Windows\SysWOW64\Feiddbbj.exe Fgfdie32.exe File created C:\Windows\SysWOW64\Gckdgjeb.exe Gaihob32.exe File created C:\Windows\SysWOW64\Mehoblpm.dll Qaapcj32.exe File opened for modification C:\Windows\SysWOW64\Ljkaeo32.exe Lgmeid32.exe File created C:\Windows\SysWOW64\Jaoobkci.dll Aiaoclgl.exe File created C:\Windows\SysWOW64\Dcdkef32.exe Dafoikjb.exe File created C:\Windows\SysWOW64\Qkielpdf.exe Qaapcj32.exe File created C:\Windows\SysWOW64\Lbfchlee.dll Ifolhann.exe File created C:\Windows\SysWOW64\Lflplbpi.exe Lcncpfaf.exe File created C:\Windows\SysWOW64\Iabhah32.exe Hfmddp32.exe File opened for modification C:\Windows\SysWOW64\Loefnpnn.exe Ldpbpgoh.exe File created C:\Windows\SysWOW64\Mjpbcokk.dll Olpilg32.exe File created C:\Windows\SysWOW64\Dfigpahm.dll Dkigoimd.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cjakccop.exe File created C:\Windows\SysWOW64\Aeeeakip.dll Cgkocj32.exe File created C:\Windows\SysWOW64\Ohiffh32.exe Oekjjl32.exe File opened for modification C:\Windows\SysWOW64\Pnbojmmp.exe Pcljmdmj.exe File opened for modification C:\Windows\SysWOW64\Danmmd32.exe Ckcepj32.exe File created C:\Windows\SysWOW64\Gkepinpk.dll Jdcmbgkj.exe File created C:\Windows\SysWOW64\Eakooqih.exe Dpjbgh32.exe File created C:\Windows\SysWOW64\Chlojnpb.dll Kfibhjlj.exe File created C:\Windows\SysWOW64\Cdlfik32.dll Oflpgnld.exe File created C:\Windows\SysWOW64\Jcdaaanl.dll Cmmcpi32.exe File created C:\Windows\SysWOW64\Gjnbeb32.dll Jcedkd32.exe File opened for modification C:\Windows\SysWOW64\Npaich32.exe Njdqka32.exe File created C:\Windows\SysWOW64\Jialfgcc.exe Jajcdjca.exe File created C:\Windows\SysWOW64\Eeldkonl.exe Ekfpmf32.exe File created C:\Windows\SysWOW64\Ajmfad32.exe Abfnpg32.exe File created C:\Windows\SysWOW64\Nfnneb32.exe Npdfhhhe.exe File opened for modification C:\Windows\SysWOW64\Nkkmgncb.exe Mqehjecl.exe File created C:\Windows\SysWOW64\Jpbpbbdb.dll Japciodd.exe File created C:\Windows\SysWOW64\Oihqgbhd.exe Oaaifdhb.exe File created C:\Windows\SysWOW64\Lqncaj32.exe Lnpgeopa.exe File created C:\Windows\SysWOW64\Kjokokha.exe Kgqocoin.exe File created C:\Windows\SysWOW64\Jnofgg32.exe Process not Found File created C:\Windows\SysWOW64\Cikbhc32.exe Cadjgf32.exe File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Oioggmmc.exe File created C:\Windows\SysWOW64\Eoajel32.exe Edlfhc32.exe File created C:\Windows\SysWOW64\Cjakccop.exe Cchbgi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 696 3716 Process not Found 1081 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbhfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckeolc32.dll" Oihqgbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmijfmfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeldkonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbjddfk.dll" Hihjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhckf32.dll" Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hieiqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Halbai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inhanl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agolnbok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjohmbpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjifodii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfefh32.dll" Niedqnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmhmlbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jieaofmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqnaaen.dll" Fqglggcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dddfdejn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffmkfifa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dphfbiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhcmc32.dll" Oaaifdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgkhdddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npijoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjjgb32.dll" Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehoblpm.dll" Qaapcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlmicj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cedpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geoghd32.dll" Ieofkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjfnomde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnnlocgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmobfna.dll" Gcmamj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cadjgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnmlcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feachqgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jblnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgebdipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihieggm.dll" Jkbojpna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jglgpdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkfbfjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmkqhaf.dll" Aqonbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnppecd.dll" Bcpgdhpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kilgoe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2704 wrote to memory of 2996 2704 20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe 30 PID 2704 wrote to memory of 2996 2704 20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe 30 PID 2704 wrote to memory of 2996 2704 20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe 30 PID 2704 wrote to memory of 2996 2704 20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe 30 PID 2996 wrote to memory of 2232 2996 Dddfdejn.exe 31 PID 2996 wrote to memory of 2232 2996 Dddfdejn.exe 31 PID 2996 wrote to memory of 2232 2996 Dddfdejn.exe 31 PID 2996 wrote to memory of 2232 2996 Dddfdejn.exe 31 PID 2232 wrote to memory of 1640 2232 Djclbl32.exe 32 PID 2232 wrote to memory of 1640 2232 Djclbl32.exe 32 PID 2232 wrote to memory of 1640 2232 Djclbl32.exe 32 PID 2232 wrote to memory of 1640 2232 Djclbl32.exe 32 PID 1640 wrote to memory of 2596 1640 Ejehgkdp.exe 33 PID 1640 wrote to memory of 2596 1640 Ejehgkdp.exe 33 PID 1640 wrote to memory of 2596 1640 Ejehgkdp.exe 33 PID 1640 wrote to memory of 2596 1640 Ejehgkdp.exe 33 PID 2596 wrote to memory of 2260 2596 Ejgemkbm.exe 34 PID 2596 wrote to memory of 2260 2596 Ejgemkbm.exe 34 PID 2596 wrote to memory of 2260 2596 Ejgemkbm.exe 34 PID 2596 wrote to memory of 2260 2596 Ejgemkbm.exe 34 PID 2260 wrote to memory of 1296 2260 Efnfbl32.exe 35 PID 2260 wrote to memory of 1296 2260 Efnfbl32.exe 35 PID 2260 wrote to memory of 1296 2260 Efnfbl32.exe 35 PID 2260 wrote to memory of 1296 2260 Efnfbl32.exe 35 PID 1296 wrote to memory of 2132 1296 Efqbglen.exe 36 PID 1296 wrote to memory of 2132 1296 Efqbglen.exe 36 PID 1296 wrote to memory of 2132 1296 Efqbglen.exe 36 PID 1296 wrote to memory of 2132 1296 Efqbglen.exe 36 PID 2132 wrote to memory of 2112 2132 Enlglnci.exe 37 PID 2132 wrote to memory of 2112 2132 Enlglnci.exe 37 PID 2132 wrote to memory of 2112 2132 Enlglnci.exe 37 PID 2132 wrote to memory of 2112 2132 Enlglnci.exe 37 PID 2112 wrote to memory of 2956 2112 Fokdfajl.exe 38 PID 2112 wrote to memory of 2956 2112 Fokdfajl.exe 38 PID 2112 wrote to memory of 2956 2112 Fokdfajl.exe 38 PID 2112 wrote to memory of 2956 2112 Fokdfajl.exe 38 PID 2956 wrote to memory of 2656 2956 Fgfhjcgg.exe 39 PID 2956 wrote to memory of 2656 2956 Fgfhjcgg.exe 39 PID 2956 wrote to memory of 2656 2956 Fgfhjcgg.exe 39 PID 2956 wrote to memory of 2656 2956 Fgfhjcgg.exe 39 PID 2656 wrote to memory of 1936 2656 Fgiepced.exe 40 PID 2656 wrote to memory of 1936 2656 Fgiepced.exe 40 PID 2656 wrote to memory of 1936 2656 Fgiepced.exe 40 PID 2656 wrote to memory of 1936 2656 Fgiepced.exe 40 PID 1936 wrote to memory of 1148 1936 Fqajihle.exe 41 PID 1936 wrote to memory of 1148 1936 Fqajihle.exe 41 PID 1936 wrote to memory of 1148 1936 Fqajihle.exe 41 PID 1936 wrote to memory of 1148 1936 Fqajihle.exe 41 PID 1148 wrote to memory of 1972 1148 Fqcfnhjb.exe 42 PID 1148 wrote to memory of 1972 1148 Fqcfnhjb.exe 42 PID 1148 wrote to memory of 1972 1148 Fqcfnhjb.exe 42 PID 1148 wrote to memory of 1972 1148 Fqcfnhjb.exe 42 PID 1972 wrote to memory of 344 1972 Fgnokb32.exe 43 PID 1972 wrote to memory of 344 1972 Fgnokb32.exe 43 PID 1972 wrote to memory of 344 1972 Fgnokb32.exe 43 PID 1972 wrote to memory of 344 1972 Fgnokb32.exe 43 PID 344 wrote to memory of 2156 344 Ffcllo32.exe 44 PID 344 wrote to memory of 2156 344 Ffcllo32.exe 44 PID 344 wrote to memory of 2156 344 Ffcllo32.exe 44 PID 344 wrote to memory of 2156 344 Ffcllo32.exe 44 PID 2156 wrote to memory of 2296 2156 Gicdnj32.exe 45 PID 2156 wrote to memory of 2296 2156 Gicdnj32.exe 45 PID 2156 wrote to memory of 2296 2156 Gicdnj32.exe 45 PID 2156 wrote to memory of 2296 2156 Gicdnj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe"C:\Users\Admin\AppData\Local\Temp\20ee184c695495588e213c45933084ae40f8e0ee0c7edd73a7a96d296cb02c8e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe33⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe34⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe35⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe36⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe37⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe38⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe39⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe40⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe41⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe43⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe44⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe45⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe47⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe49⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe50⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe51⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe52⤵PID:2820
-
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe54⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe55⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe56⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe57⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe58⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe59⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe61⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe62⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe63⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe64⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe65⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe67⤵
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe68⤵PID:2032
-
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe69⤵PID:648
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe70⤵PID:2100
-
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe71⤵PID:1576
-
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe72⤵PID:2712
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe73⤵PID:2984
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe74⤵PID:2120
-
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe75⤵PID:1000
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe76⤵PID:2612
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe77⤵
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe78⤵PID:1960
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe79⤵PID:2924
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe80⤵PID:2816
-
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe81⤵PID:1104
-
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe82⤵PID:2412
-
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe83⤵PID:1316
-
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe84⤵PID:1876
-
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe85⤵PID:2332
-
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe86⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe87⤵PID:2316
-
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe88⤵PID:2856
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe89⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe90⤵PID:1624
-
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe91⤵PID:2864
-
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe92⤵PID:2748
-
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe93⤵PID:1428
-
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe94⤵PID:2960
-
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe95⤵PID:2252
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe96⤵PID:1760
-
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe97⤵PID:2524
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe98⤵PID:1688
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe99⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe100⤵PID:2360
-
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe101⤵PID:2848
-
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe102⤵PID:2968
-
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe103⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe104⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe105⤵PID:1932
-
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe106⤵PID:2932
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe107⤵PID:1212
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe108⤵PID:2168
-
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe109⤵PID:1696
-
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe110⤵PID:1644
-
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe111⤵PID:1704
-
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe112⤵PID:1816
-
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe113⤵PID:556
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe114⤵PID:2676
-
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe115⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe116⤵PID:1028
-
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe117⤵PID:2888
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe118⤵PID:2900
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe119⤵PID:2276
-
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe120⤵PID:2036
-
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe121⤵PID:952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-