Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
19/06/2024, 23:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe
-
Size
80KB
-
MD5
98a979ed40f2b97a64eef0e8554c6114
-
SHA1
ff4cb4c6c583b35dd7d947bf2d463031a7ff4c6e
-
SHA256
711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702
-
SHA512
d3292141165c7257173f6b10d6b7b518afd1469ac31d4850bbcb60cd0c2764bf7cdd3309423c3198f0fa24297a83e4ddf146b012d2722544e7a9e51db25fba35
-
SSDEEP
1536:wTTJOC+Lle6NHBFkeOwoIJRogxwkAD4So2LXaIZTJ+7LhkiB0:W1n+LlnNhFkslA0S5XaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlhkbhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhfjcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palpneop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfoboml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecklbih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmnmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglfcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbhdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnmdgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igebkiof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnemfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilemce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmcmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefamlak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebappk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnpgeopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lngnfnji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahhgnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdedde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baclaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dljngoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigimdjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmbdl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2400 Gjdhbc32.exe 2292 Gbaileio.exe 2704 Gbcfadgl.exe 1996 Hojgfemq.exe 2896 Heglio32.exe 2480 Hmbpmapf.exe 1104 Hdnepk32.exe 2816 Hgmalg32.exe 920 Igakgfpn.exe 1424 Iheddndj.exe 1456 Ilcmjl32.exe 1272 Ikhjki32.exe 528 Jkmcfhkc.exe 2036 Jgcdki32.exe 3016 Jjdmmdnh.exe 2148 Jfknbe32.exe 2268 Kofopj32.exe 2380 Kklpekno.exe 1780 Kkolkk32.exe 1544 Kegqdqbl.exe 1980 Lclnemgd.exe 888 Lgjfkk32.exe 2448 Lcagpl32.exe 2900 Laegiq32.exe 2104 Lmlhnagm.exe 1492 Mbkmlh32.exe 1584 Migbnb32.exe 2404 Modkfi32.exe 2624 Mmihhelk.exe 2744 Mholen32.exe 2724 Mpjqiq32.exe 3028 Naimccpo.exe 2520 Ngibaj32.exe 1624 Ncpcfkbg.exe 680 Neplhf32.exe 2852 Oegbheiq.exe 2152 Odlojanh.exe 2000 Ogmhkmki.exe 1240 Pfbelipa.exe 1384 Pokieo32.exe 1348 Pcibkm32.exe 1136 Pfikmh32.exe 1976 Pndpajgd.exe 1080 Qkhpkoen.exe 2576 Qngmgjeb.exe 2276 Qkkmqnck.exe 1068 Abeemhkh.exe 1184 Aajbne32.exe 1740 Annbhi32.exe 2936 Apoooa32.exe 1732 Aigchgkh.exe 872 Afkdakjb.exe 1560 Apdhjq32.exe 2996 Aeqabgoj.exe 2676 Blkioa32.exe 2604 Biojif32.exe 2592 Bphbeplm.exe 2416 Bbikgk32.exe 2784 Bhfcpb32.exe 2868 Boplllob.exe 2384 Bhhpeafc.exe 1908 Baadng32.exe 2160 Cilibi32.exe 848 Cdanpb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2200 711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe 2200 711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe 2400 Gjdhbc32.exe 2400 Gjdhbc32.exe 2292 Gbaileio.exe 2292 Gbaileio.exe 2704 Gbcfadgl.exe 2704 Gbcfadgl.exe 1996 Hojgfemq.exe 1996 Hojgfemq.exe 2896 Heglio32.exe 2896 Heglio32.exe 2480 Hmbpmapf.exe 2480 Hmbpmapf.exe 1104 Hdnepk32.exe 1104 Hdnepk32.exe 2816 Hgmalg32.exe 2816 Hgmalg32.exe 920 Igakgfpn.exe 920 Igakgfpn.exe 1424 Iheddndj.exe 1424 Iheddndj.exe 1456 Ilcmjl32.exe 1456 Ilcmjl32.exe 1272 Ikhjki32.exe 1272 Ikhjki32.exe 528 Jkmcfhkc.exe 528 Jkmcfhkc.exe 2036 Jgcdki32.exe 2036 Jgcdki32.exe 3016 Jjdmmdnh.exe 3016 Jjdmmdnh.exe 2148 Jfknbe32.exe 2148 Jfknbe32.exe 2268 Kofopj32.exe 2268 Kofopj32.exe 2380 Kklpekno.exe 2380 Kklpekno.exe 1780 Kkolkk32.exe 1780 Kkolkk32.exe 1544 Kegqdqbl.exe 1544 Kegqdqbl.exe 1980 Lclnemgd.exe 1980 Lclnemgd.exe 888 Lgjfkk32.exe 888 Lgjfkk32.exe 2448 Lcagpl32.exe 2448 Lcagpl32.exe 2900 Laegiq32.exe 2900 Laegiq32.exe 2104 Lmlhnagm.exe 2104 Lmlhnagm.exe 1492 Mbkmlh32.exe 1492 Mbkmlh32.exe 1584 Migbnb32.exe 1584 Migbnb32.exe 2404 Modkfi32.exe 2404 Modkfi32.exe 2624 Mmihhelk.exe 2624 Mmihhelk.exe 2744 Mholen32.exe 2744 Mholen32.exe 2724 Mpjqiq32.exe 2724 Mpjqiq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ljbkig32.exe Process not Found File created C:\Windows\SysWOW64\Kpcbhlki.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dbfbnddq.exe Dfpaic32.exe File created C:\Windows\SysWOW64\Ageompfe.exe Aiaoclgl.exe File created C:\Windows\SysWOW64\Dnonkf32.dll Fkkhpadq.exe File created C:\Windows\SysWOW64\Lohnpfim.dll Process not Found File opened for modification C:\Windows\SysWOW64\Abpjjeim.exe Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Dkmljcdh.exe Dfpcblfp.exe File created C:\Windows\SysWOW64\Mlbmem32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ndoelpid.exe Process not Found File created C:\Windows\SysWOW64\Lgejidgn.exe Process not Found File created C:\Windows\SysWOW64\Pegqpacp.exe Pomhcg32.exe File created C:\Windows\SysWOW64\Genlgnhd.exe Glfgnh32.exe File created C:\Windows\SysWOW64\Bhonin32.dll Process not Found File created C:\Windows\SysWOW64\Plokomjo.dll Process not Found File created C:\Windows\SysWOW64\Miehak32.exe Mfglep32.exe File opened for modification C:\Windows\SysWOW64\Clhecl32.exe Cabaec32.exe File created C:\Windows\SysWOW64\Jlamnm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pglojj32.exe Pncjad32.exe File created C:\Windows\SysWOW64\Ehameajg.dll Glnkcc32.exe File opened for modification C:\Windows\SysWOW64\Chjmmnnb.exe Ccnddg32.exe File created C:\Windows\SysWOW64\Ddliklgk.exe Process not Found File created C:\Windows\SysWOW64\Ejfnda32.exe Process not Found File created C:\Windows\SysWOW64\Bepjha32.exe Bnfblgca.exe File created C:\Windows\SysWOW64\Kfodfh32.exe Kekkiq32.exe File created C:\Windows\SysWOW64\Iqapnjli.exe Hkdgecna.exe File opened for modification C:\Windows\SysWOW64\Lcfhpf32.exe Process not Found File created C:\Windows\SysWOW64\Jakjjcnd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nejdjf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Helmiiec.exe Process not Found File created C:\Windows\SysWOW64\Lpcklckl.dll Process not Found File created C:\Windows\SysWOW64\Mfhabe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eghdanac.exe Process not Found File created C:\Windows\SysWOW64\Bdpnlo32.exe Process not Found File created C:\Windows\SysWOW64\Epbahp32.dll Imlhebfc.exe File created C:\Windows\SysWOW64\Omfpmb32.dll Jjfkmdlg.exe File created C:\Windows\SysWOW64\Pbomli32.exe Opodknco.exe File created C:\Windows\SysWOW64\Jkfpjf32.exe Jbnlaqhi.exe File created C:\Windows\SysWOW64\Eoeadjbl.dll Nladco32.exe File created C:\Windows\SysWOW64\Dplclg32.dll Kglfcd32.exe File created C:\Windows\SysWOW64\Eijffhjd.exe Process not Found File created C:\Windows\SysWOW64\Nhejknlm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Foccjood.exe Fdnolfon.exe File opened for modification C:\Windows\SysWOW64\Ckhdggom.exe Cenljmgq.exe File created C:\Windows\SysWOW64\Deenjpcd.exe Dbfbnddq.exe File opened for modification C:\Windows\SysWOW64\Bblpae32.exe Process not Found File created C:\Windows\SysWOW64\Bgjbpi32.dll Blqmid32.exe File created C:\Windows\SysWOW64\Fkihmn32.dll Process not Found File created C:\Windows\SysWOW64\Kagbmg32.dll Process not Found File created C:\Windows\SysWOW64\Mpqjmh32.exe Mkdbea32.exe File created C:\Windows\SysWOW64\Ljjhdm32.exe Process not Found File created C:\Windows\SysWOW64\Lcomce32.exe Lnpgeopa.exe File created C:\Windows\SysWOW64\Ibibfa32.exe Igpaec32.exe File created C:\Windows\SysWOW64\Bkcojhgk.dll Omcngamh.exe File created C:\Windows\SysWOW64\Mlnccahb.dll Process not Found File created C:\Windows\SysWOW64\Oiffkkbk.exe Obmnna32.exe File created C:\Windows\SysWOW64\Jqnhmgmk.exe Ikapdqoc.exe File created C:\Windows\SysWOW64\Adffdidl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Igakgfpn.exe Hgmalg32.exe File created C:\Windows\SysWOW64\Iggbhk32.dll Migbnb32.exe File opened for modification C:\Windows\SysWOW64\Jgabdlfb.exe Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Lekjal32.exe Lmpeljkm.exe File created C:\Windows\SysWOW64\Nqmcde32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nigafnck.exe Nbniid32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2884 1780 Process not Found 1720 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppipdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goeoie32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahhgnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adifpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmidlkkk.dll" Fmodaadg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchdpibh.dll" Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlqogi32.dll" Imacijjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekabb32.dll" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmhbk32.dll" Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljmapka.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cadjgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghdgfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagocg32.dll" Efpbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onepbd32.dll" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll" Ejfllhao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhpeafc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpmhc32.dll" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmidgbj.dll" Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkfghh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mijamjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdcfoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgionie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqcmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmadmn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikgjlgb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflcaaja.dll" Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Embbek32.dll" Cgogealf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll" Dochelmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blkioa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adblnnbk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2200 wrote to memory of 2400 2200 711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe 28 PID 2200 wrote to memory of 2400 2200 711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe 28 PID 2200 wrote to memory of 2400 2200 711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe 28 PID 2200 wrote to memory of 2400 2200 711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe 28 PID 2400 wrote to memory of 2292 2400 Gjdhbc32.exe 29 PID 2400 wrote to memory of 2292 2400 Gjdhbc32.exe 29 PID 2400 wrote to memory of 2292 2400 Gjdhbc32.exe 29 PID 2400 wrote to memory of 2292 2400 Gjdhbc32.exe 29 PID 2292 wrote to memory of 2704 2292 Gbaileio.exe 30 PID 2292 wrote to memory of 2704 2292 Gbaileio.exe 30 PID 2292 wrote to memory of 2704 2292 Gbaileio.exe 30 PID 2292 wrote to memory of 2704 2292 Gbaileio.exe 30 PID 2704 wrote to memory of 1996 2704 Gbcfadgl.exe 31 PID 2704 wrote to memory of 1996 2704 Gbcfadgl.exe 31 PID 2704 wrote to memory of 1996 2704 Gbcfadgl.exe 31 PID 2704 wrote to memory of 1996 2704 Gbcfadgl.exe 31 PID 1996 wrote to memory of 2896 1996 Hojgfemq.exe 32 PID 1996 wrote to memory of 2896 1996 Hojgfemq.exe 32 PID 1996 wrote to memory of 2896 1996 Hojgfemq.exe 32 PID 1996 wrote to memory of 2896 1996 Hojgfemq.exe 32 PID 2896 wrote to memory of 2480 2896 Heglio32.exe 33 PID 2896 wrote to memory of 2480 2896 Heglio32.exe 33 PID 2896 wrote to memory of 2480 2896 Heglio32.exe 33 PID 2896 wrote to memory of 2480 2896 Heglio32.exe 33 PID 2480 wrote to memory of 1104 2480 Hmbpmapf.exe 34 PID 2480 wrote to memory of 1104 2480 Hmbpmapf.exe 34 PID 2480 wrote to memory of 1104 2480 Hmbpmapf.exe 34 PID 2480 wrote to memory of 1104 2480 Hmbpmapf.exe 34 PID 1104 wrote to memory of 2816 1104 Hdnepk32.exe 35 PID 1104 wrote to memory of 2816 1104 Hdnepk32.exe 35 PID 1104 wrote to memory of 2816 1104 Hdnepk32.exe 35 PID 1104 wrote to memory of 2816 1104 Hdnepk32.exe 35 PID 2816 wrote to memory of 920 2816 Hgmalg32.exe 36 PID 2816 wrote to memory of 920 2816 Hgmalg32.exe 36 PID 2816 wrote to memory of 920 2816 Hgmalg32.exe 36 PID 2816 wrote to memory of 920 2816 Hgmalg32.exe 36 PID 920 wrote to memory of 1424 920 Igakgfpn.exe 37 PID 920 wrote to memory of 1424 920 Igakgfpn.exe 37 PID 920 wrote to memory of 1424 920 Igakgfpn.exe 37 PID 920 wrote to memory of 1424 920 Igakgfpn.exe 37 PID 1424 wrote to memory of 1456 1424 Iheddndj.exe 38 PID 1424 wrote to memory of 1456 1424 Iheddndj.exe 38 PID 1424 wrote to memory of 1456 1424 Iheddndj.exe 38 PID 1424 wrote to memory of 1456 1424 Iheddndj.exe 38 PID 1456 wrote to memory of 1272 1456 Ilcmjl32.exe 39 PID 1456 wrote to memory of 1272 1456 Ilcmjl32.exe 39 PID 1456 wrote to memory of 1272 1456 Ilcmjl32.exe 39 PID 1456 wrote to memory of 1272 1456 Ilcmjl32.exe 39 PID 1272 wrote to memory of 528 1272 Ikhjki32.exe 40 PID 1272 wrote to memory of 528 1272 Ikhjki32.exe 40 PID 1272 wrote to memory of 528 1272 Ikhjki32.exe 40 PID 1272 wrote to memory of 528 1272 Ikhjki32.exe 40 PID 528 wrote to memory of 2036 528 Jkmcfhkc.exe 41 PID 528 wrote to memory of 2036 528 Jkmcfhkc.exe 41 PID 528 wrote to memory of 2036 528 Jkmcfhkc.exe 41 PID 528 wrote to memory of 2036 528 Jkmcfhkc.exe 41 PID 2036 wrote to memory of 3016 2036 Jgcdki32.exe 42 PID 2036 wrote to memory of 3016 2036 Jgcdki32.exe 42 PID 2036 wrote to memory of 3016 2036 Jgcdki32.exe 42 PID 2036 wrote to memory of 3016 2036 Jgcdki32.exe 42 PID 3016 wrote to memory of 2148 3016 Jjdmmdnh.exe 43 PID 3016 wrote to memory of 2148 3016 Jjdmmdnh.exe 43 PID 3016 wrote to memory of 2148 3016 Jjdmmdnh.exe 43 PID 3016 wrote to memory of 2148 3016 Jjdmmdnh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe"C:\Users\Admin\AppData\Local\Temp\711159369ffe7942c2b329295d49a1c1b0c7ecc2d3b725531db5d0c60a12a702.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe33⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe34⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe35⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe36⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe37⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe38⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe39⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe40⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe41⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe42⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe43⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe44⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe45⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe46⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe47⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe48⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe50⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe51⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe52⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe53⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe54⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Aeqabgoj.exeC:\Windows\system32\Aeqabgoj.exe55⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe57⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe58⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe59⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe60⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe61⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe63⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe64⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe65⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe66⤵PID:844
-
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe67⤵PID:2080
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe68⤵PID:2076
-
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe69⤵PID:2296
-
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe70⤵PID:1052
-
C:\Windows\SysWOW64\Candgk32.exeC:\Windows\system32\Candgk32.exe71⤵PID:2944
-
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe72⤵PID:2300
-
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe73⤵PID:792
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe74⤵PID:3056
-
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe75⤵PID:1688
-
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe76⤵PID:1912
-
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe77⤵PID:1672
-
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe78⤵PID:2668
-
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe79⤵PID:2288
-
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe80⤵PID:2596
-
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe81⤵PID:2732
-
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe82⤵PID:2456
-
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe83⤵PID:2856
-
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe84⤵PID:1652
-
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe85⤵PID:1824
-
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe86⤵PID:2536
-
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe87⤵PID:2780
-
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe88⤵PID:1112
-
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe89⤵PID:2432
-
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe90⤵PID:2692
-
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe91⤵PID:428
-
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe92⤵PID:1472
-
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe93⤵PID:2940
-
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe94⤵PID:1752
-
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe95⤵PID:1700
-
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe96⤵PID:2172
-
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe97⤵PID:1588
-
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe98⤵PID:2928
-
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe99⤵PID:2728
-
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe100⤵PID:1096
-
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe101⤵PID:2792
-
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe102⤵PID:2884
-
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe103⤵PID:1628
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe104⤵PID:1204
-
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe105⤵PID:2912
-
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe106⤵PID:1064
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe107⤵PID:2092
-
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe111⤵PID:2236
-
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe112⤵PID:1764
-
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe113⤵PID:2180
-
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe114⤵PID:2512
-
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe115⤵PID:2540
-
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe116⤵PID:1076
-
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe117⤵PID:2840
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe118⤵PID:1984
-
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe119⤵PID:1404
-
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe120⤵PID:1088
-
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe121⤵PID:1952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-