Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 23:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe
-
Size
313KB
-
MD5
8bebff77e974b98685bdad8e89606d34
-
SHA1
e76e8f9a940a32d2516b8ed76e6857729b5d104e
-
SHA256
871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965
-
SHA512
3532c3eeb2cbb197d4c27627ab4a64b61c4321eb4976b07b5348c967b5072a67ec50dc2c397f2a0846999376cbab9b478b23b4abb6e521fab227abb82ba4c16e
-
SSDEEP
6144:o16W5sH+xpCmgcUmKyIxLDXXoq9FJZCUmKyIxLX:Yzc+xpCW32XXf9Do3+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklnhlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbmelbid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajkhdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboigi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljcmlfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npjebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjpckf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkbebbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qajadlja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Occkojkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdmpcdfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgddhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpocjdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogcpjhoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olfobjbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhlml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alkdnboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpclbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfngap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbapjafe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfifmnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liddbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncianepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaljgidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqpjidj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfibe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkidenlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cecbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llcpoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkljak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dceohhja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdegandp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncldnkae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhnnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pclgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjinkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ildkgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpppnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpppnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nloiakho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbdmpqcb.exe -
Executes dropped EXE 64 IoCs
pid Process 2280 Jbfpobpb.exe 2268 Jiphkm32.exe 1124 Jbhmdbnp.exe 888 Jjpeepnb.exe 4864 Jmnaakne.exe 2584 Jbkjjblm.exe 2792 Jaljgidl.exe 812 Jbmfoa32.exe 3892 Jangmibi.exe 4432 Jdmcidam.exe 2228 Jiikak32.exe 3504 Kpccnefa.exe 2168 Kbapjafe.exe 516 Kilhgk32.exe 3192 Kbdmpqcb.exe 3532 Kinemkko.exe 1484 Kphmie32.exe 2352 Kmlnbi32.exe 2372 Kpjjod32.exe 2516 Kmnjhioc.exe 1248 Kgfoan32.exe 1636 Liekmj32.exe 2556 Lpocjdld.exe 2236 Lgikfn32.exe 1660 Laopdgcg.exe 4204 Lpappc32.exe 4304 Lkgdml32.exe 1352 Lpcmec32.exe 1472 Lcbiao32.exe 2032 Lpfijcfl.exe 3216 Lklnhlfb.exe 4580 Lnjjdgee.exe 2392 Lphfpbdi.exe 4592 Lgbnmm32.exe 1080 Mnlfigcc.exe 3588 Mpkbebbf.exe 3232 Mciobn32.exe 3220 Mjcgohig.exe 3228 Majopeii.exe 560 Mpmokb32.exe 4292 Mkbchk32.exe 520 Mnapdf32.exe 4624 Mdkhapfj.exe 1460 Mgidml32.exe 1536 Mjhqjg32.exe 1972 Mpaifalo.exe 2688 Mdmegp32.exe 1240 Mglack32.exe 1144 Mjjmog32.exe 4792 Maaepd32.exe 1320 Mdpalp32.exe 2532 Mgnnhk32.exe 4608 Nnhfee32.exe 4524 Ndbnboqb.exe 4308 Ngpjnkpf.exe 808 Nnjbke32.exe 1776 Nqiogp32.exe 4428 Ngcgcjnc.exe 4928 Nnmopdep.exe 2072 Nqklmpdd.exe 464 Nkqpjidj.exe 4544 Njcpee32.exe 1800 Nbkhfc32.exe 4968 Ncldnkae.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ogljjiei.exe Odnnnnfe.exe File created C:\Windows\SysWOW64\Qmkadgpo.exe Pfaigm32.exe File created C:\Windows\SysWOW64\Acqimo32.exe Andqdh32.exe File created C:\Windows\SysWOW64\Oqdoboli.exe Onfbfc32.exe File opened for modification C:\Windows\SysWOW64\Qnkdhpjn.exe Qkmhlekj.exe File opened for modification C:\Windows\SysWOW64\Kbceejpf.exe Klimip32.exe File created C:\Windows\SysWOW64\Lenamdem.exe Lboeaifi.exe File created C:\Windows\SysWOW64\Miifeq32.exe Mgkjhe32.exe File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe Calhnpgn.exe File opened for modification C:\Windows\SysWOW64\Adcmmeog.exe Aaepqjpd.exe File created C:\Windows\SysWOW64\Khchklef.dll Jpnchp32.exe File created C:\Windows\SysWOW64\Qfbgbeai.dll Odapnf32.exe File opened for modification C:\Windows\SysWOW64\Cnnlaehj.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Kilhgk32.exe Kbapjafe.exe File opened for modification C:\Windows\SysWOW64\Lgikfn32.exe Lpocjdld.exe File created C:\Windows\SysWOW64\Phkjck32.dll Lebkhc32.exe File opened for modification C:\Windows\SysWOW64\Pjhlml32.exe Pcncpbmd.exe File created C:\Windows\SysWOW64\Mbpfgbfp.dll Aclpap32.exe File created C:\Windows\SysWOW64\Megkhf32.dll Bhdbhcck.exe File created C:\Windows\SysWOW64\Jpgmha32.exe Jlkagbej.exe File created C:\Windows\SysWOW64\Djoeni32.dll Odkjng32.exe File created C:\Windows\SysWOW64\Jbfpobpb.exe 871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe File created C:\Windows\SysWOW64\Kedoge32.exe Kdcbom32.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Aqppkd32.exe File created C:\Windows\SysWOW64\Cefofm32.dll Jedeph32.exe File created C:\Windows\SysWOW64\Jbhfjljd.exe Jpijnqkp.exe File opened for modification C:\Windows\SysWOW64\Ofeilobp.exe Oddmdf32.exe File created C:\Windows\SysWOW64\Ogfilp32.dll Bcoenmao.exe File created C:\Windows\SysWOW64\Cabfga32.exe Cjinkg32.exe File created C:\Windows\SysWOW64\Eaacilcc.dll Qcepkg32.exe File created C:\Windows\SysWOW64\Aaqgek32.exe Abngjnmo.exe File created C:\Windows\SysWOW64\Enlqgg32.dll Hioiji32.exe File created C:\Windows\SysWOW64\Pagdol32.exe Pnihcq32.exe File created C:\Windows\SysWOW64\Qloebdig.exe Qchmagie.exe File opened for modification C:\Windows\SysWOW64\Dopigd32.exe Ddjejl32.exe File opened for modification C:\Windows\SysWOW64\Alkdnboj.exe Adcmmeog.exe File created C:\Windows\SysWOW64\Fgnjkdco.dll Balfaiil.exe File opened for modification C:\Windows\SysWOW64\Dkoggkjo.exe Dhpjkojk.exe File opened for modification C:\Windows\SysWOW64\Icplcpgo.exe Ilidbbgl.exe File opened for modification C:\Windows\SysWOW64\Baicac32.exe Bagflcje.exe File created C:\Windows\SysWOW64\Okjbpglo.exe Occkojkm.exe File opened for modification C:\Windows\SysWOW64\Okjbpglo.exe Occkojkm.exe File created C:\Windows\SysWOW64\Pnpemb32.exe Pcjapi32.exe File created C:\Windows\SysWOW64\Jffggf32.dll Cagobalc.exe File created C:\Windows\SysWOW64\Bjdkjo32.exe Bdkcmdhp.exe File created C:\Windows\SysWOW64\Mgimcebb.exe Mgfqmfde.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Adgbpc32.exe File created C:\Windows\SysWOW64\Mpkbebbf.exe Mnlfigcc.exe File opened for modification C:\Windows\SysWOW64\Mgidml32.exe Mdkhapfj.exe File opened for modification C:\Windows\SysWOW64\Pcjapi32.exe Oqkdcn32.exe File opened for modification C:\Windows\SysWOW64\Pqnaim32.exe Pnpemb32.exe File created C:\Windows\SysWOW64\Chokikeb.exe Ceqnmpfo.exe File opened for modification C:\Windows\SysWOW64\Cecbmf32.exe Cojjqlpk.exe File created C:\Windows\SysWOW64\Edbklofb.exe Eadopc32.exe File opened for modification C:\Windows\SysWOW64\Ildkgc32.exe Iejcji32.exe File opened for modification C:\Windows\SysWOW64\Bnmcjg32.exe Bffkij32.exe File created C:\Windows\SysWOW64\Dobfld32.exe Dhhnpjmh.exe File opened for modification C:\Windows\SysWOW64\Lpcmec32.exe Lkgdml32.exe File created C:\Windows\SysWOW64\Mdkhapfj.exe Mnapdf32.exe File created C:\Windows\SysWOW64\Jiejmbkl.dll Ojopad32.exe File created C:\Windows\SysWOW64\Hidipe32.dll Okjbpglo.exe File created C:\Windows\SysWOW64\Dpqdba32.dll Bdmpcdfm.exe File created C:\Windows\SysWOW64\Gohibf32.dll Cliaoq32.exe File created C:\Windows\SysWOW64\Kbceejpf.exe Klimip32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10032 9784 WerFault.exe 468 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilidbbgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgddhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnneknob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll" Beglgani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beihma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okeieh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abkjdnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll" Lboeaifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lenamdem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdmnlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfadpi32.dll" Iejcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll" Mgfqmfde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npjebj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olfobjbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngcgcjnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaqgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dboigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll" Jpppnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll" Lfhdlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdmnlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjdkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgcknmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chokikeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbfpobpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndgjk32.dll" Imfdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkjlge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnihcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccejahl.dll" Qchmagie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnigkegh.dll" Chpada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmcojh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgimcebb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmlhii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Immapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll" Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlmbpgdl.dll" Eapedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll" Medgncoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpjhl32.dll" Bajjli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Balfaiil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dceohhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeanii32.dll" Jpgmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll" Kbhoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll" Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoheljj.dll" Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiaefcan.dll" Dhnnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddoeojd.dll" Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pldhcm32.dll" Hoiafcic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lboeaifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qloebdig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgimcebb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqppkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnmcjg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4508 wrote to memory of 2280 4508 871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe 83 PID 4508 wrote to memory of 2280 4508 871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe 83 PID 4508 wrote to memory of 2280 4508 871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe 83 PID 2280 wrote to memory of 2268 2280 Jbfpobpb.exe 84 PID 2280 wrote to memory of 2268 2280 Jbfpobpb.exe 84 PID 2280 wrote to memory of 2268 2280 Jbfpobpb.exe 84 PID 2268 wrote to memory of 1124 2268 Jiphkm32.exe 85 PID 2268 wrote to memory of 1124 2268 Jiphkm32.exe 85 PID 2268 wrote to memory of 1124 2268 Jiphkm32.exe 85 PID 1124 wrote to memory of 888 1124 Jbhmdbnp.exe 86 PID 1124 wrote to memory of 888 1124 Jbhmdbnp.exe 86 PID 1124 wrote to memory of 888 1124 Jbhmdbnp.exe 86 PID 888 wrote to memory of 4864 888 Jjpeepnb.exe 87 PID 888 wrote to memory of 4864 888 Jjpeepnb.exe 87 PID 888 wrote to memory of 4864 888 Jjpeepnb.exe 87 PID 4864 wrote to memory of 2584 4864 Jmnaakne.exe 88 PID 4864 wrote to memory of 2584 4864 Jmnaakne.exe 88 PID 4864 wrote to memory of 2584 4864 Jmnaakne.exe 88 PID 2584 wrote to memory of 2792 2584 Jbkjjblm.exe 90 PID 2584 wrote to memory of 2792 2584 Jbkjjblm.exe 90 PID 2584 wrote to memory of 2792 2584 Jbkjjblm.exe 90 PID 2792 wrote to memory of 812 2792 Jaljgidl.exe 91 PID 2792 wrote to memory of 812 2792 Jaljgidl.exe 91 PID 2792 wrote to memory of 812 2792 Jaljgidl.exe 91 PID 812 wrote to memory of 3892 812 Jbmfoa32.exe 92 PID 812 wrote to memory of 3892 812 Jbmfoa32.exe 92 PID 812 wrote to memory of 3892 812 Jbmfoa32.exe 92 PID 3892 wrote to memory of 4432 3892 Jangmibi.exe 93 PID 3892 wrote to memory of 4432 3892 Jangmibi.exe 93 PID 3892 wrote to memory of 4432 3892 Jangmibi.exe 93 PID 4432 wrote to memory of 2228 4432 Jdmcidam.exe 94 PID 4432 wrote to memory of 2228 4432 Jdmcidam.exe 94 PID 4432 wrote to memory of 2228 4432 Jdmcidam.exe 94 PID 2228 wrote to memory of 3504 2228 Jiikak32.exe 95 PID 2228 wrote to memory of 3504 2228 Jiikak32.exe 95 PID 2228 wrote to memory of 3504 2228 Jiikak32.exe 95 PID 3504 wrote to memory of 2168 3504 Kpccnefa.exe 96 PID 3504 wrote to memory of 2168 3504 Kpccnefa.exe 96 PID 3504 wrote to memory of 2168 3504 Kpccnefa.exe 96 PID 2168 wrote to memory of 516 2168 Kbapjafe.exe 97 PID 2168 wrote to memory of 516 2168 Kbapjafe.exe 97 PID 2168 wrote to memory of 516 2168 Kbapjafe.exe 97 PID 516 wrote to memory of 3192 516 Kilhgk32.exe 98 PID 516 wrote to memory of 3192 516 Kilhgk32.exe 98 PID 516 wrote to memory of 3192 516 Kilhgk32.exe 98 PID 3192 wrote to memory of 3532 3192 Kbdmpqcb.exe 99 PID 3192 wrote to memory of 3532 3192 Kbdmpqcb.exe 99 PID 3192 wrote to memory of 3532 3192 Kbdmpqcb.exe 99 PID 3532 wrote to memory of 1484 3532 Kinemkko.exe 100 PID 3532 wrote to memory of 1484 3532 Kinemkko.exe 100 PID 3532 wrote to memory of 1484 3532 Kinemkko.exe 100 PID 1484 wrote to memory of 2352 1484 Kphmie32.exe 101 PID 1484 wrote to memory of 2352 1484 Kphmie32.exe 101 PID 1484 wrote to memory of 2352 1484 Kphmie32.exe 101 PID 2352 wrote to memory of 2372 2352 Kmlnbi32.exe 102 PID 2352 wrote to memory of 2372 2352 Kmlnbi32.exe 102 PID 2352 wrote to memory of 2372 2352 Kmlnbi32.exe 102 PID 2372 wrote to memory of 2516 2372 Kpjjod32.exe 103 PID 2372 wrote to memory of 2516 2372 Kpjjod32.exe 103 PID 2372 wrote to memory of 2516 2372 Kpjjod32.exe 103 PID 2516 wrote to memory of 1248 2516 Kmnjhioc.exe 104 PID 2516 wrote to memory of 1248 2516 Kmnjhioc.exe 104 PID 2516 wrote to memory of 1248 2516 Kmnjhioc.exe 104 PID 1248 wrote to memory of 1636 1248 Kgfoan32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe"C:\Users\Admin\AppData\Local\Temp\871158b52fd72ef3d5000740969848c4c537c2c1c92cfcdd892254610ff04965.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe23⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe25⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe26⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe27⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4304 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe29⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe30⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe31⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe33⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe34⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe35⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe38⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe39⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe40⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe41⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe42⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:520 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4624 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe45⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe46⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe49⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe50⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe51⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe52⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe53⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe54⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe55⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe56⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe57⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe58⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe60⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe61⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe63⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe64⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3556 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3292 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe68⤵PID:1684
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe69⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe70⤵PID:5100
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe71⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe72⤵PID:3560
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe73⤵
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe74⤵PID:3076
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe76⤵
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe77⤵PID:3548
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe78⤵PID:4636
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe79⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe80⤵PID:2412
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe82⤵PID:4024
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3584 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe84⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe85⤵
- Drops file in System32 directory
PID:3124 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe86⤵PID:2616
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe87⤵PID:3460
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe88⤵PID:2484
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe89⤵PID:2356
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe90⤵PID:1412
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe91⤵PID:5024
-
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe92⤵PID:5132
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe94⤵PID:5252
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe95⤵PID:5320
-
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe96⤵PID:5364
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe97⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe99⤵PID:5516
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe100⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:5604 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe102⤵PID:5652
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe105⤵
- Modifies registry class
PID:5796 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe106⤵PID:5840
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe107⤵PID:5880
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe108⤵PID:5924
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe109⤵PID:5972
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe110⤵
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe111⤵PID:6060
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe112⤵PID:6104
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe113⤵
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe114⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe115⤵PID:5268
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe116⤵PID:5348
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe117⤵PID:5464
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5592 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe120⤵
- Drops file in System32 directory
PID:5660 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-