Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 128s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 31/05/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b.exe
  Resource: win10v2004-20240508-en
General
Target: a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b.exe
Size: 173KB
MD5: bc6dca3d9fb767e427452b7018ec6ec2
SHA1: 0e6e6336bf9729e5c535ae5095511f1b49be206d
SHA256: a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b
SHA512: cd6c5507602c7888df5ab20ca585244c567f2abb464a15981c3c3a5ca38dc6a1f54dfb28b769f996ce8ead28c025e313ee6b123b505b1e6f6406d4f907c010cb
SSDEEP: 3072:6IKVQ6nZuyqU+YDAB+s/vacknVwNtvSO06+ebX:R5EupSDlsHhYyNtvSO0e
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Delmmigh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlfejcoe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eodnebpd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahikqd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjcmgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkifdd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fcbbjcif.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkgkoiqc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npmphinm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aajbne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdhgnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcopdb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdhcli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fiihdlpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohaeia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odlojanh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqiaclhj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plaimk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plaimk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dndlim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hapicp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgfqaiod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbgpkpnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cifelgmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khoebi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peiepfgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmldme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkbalifo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amnocpdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fljafg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npojdpef.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjcoqdoc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkhpkoen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkhgip32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhkkbmnp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmjcblbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aennba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhbhmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldoimh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anjlebjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pihgic32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agfgqo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dacnbjml.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dojddmec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqnbhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iapebchh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbnflo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihpdoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpgmijgc.exe
Detects executables built or packed with MPress PE compressor (64 IoCs)
resource | yara_rule
behavioral1/files/0x0011000000012262-5.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000800000001686d-18.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000016c56-38.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000016c7a-45.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016eb9-59.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017477-72.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017495-88.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0014000000018669-98.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018686-111.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000186f1-124.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018739-138.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018787-151.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001878d-170.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019228-177.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001925d-196.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019275-205.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019283-220.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019381-230.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000193a5-239.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2304-248-0x0000000000400000-0x0000000000455000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019433-250.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019457-259.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019491-269.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194b8-279.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194ef-290.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019507-300.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001957d-309.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195e3-318.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001961c-328.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001961f-337.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019622-348.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019626-356.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019638-368.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000196bd-378.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000199b8-389.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c54-400.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c71-410.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019d60-419.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019dd5-430.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019fd8-441.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a09c-451.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a320-460.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a43c-470.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a440-479.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a44b-490.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4a9-499.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4b1-508.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4c7-516.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4cf-528.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4d3-538.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4d7-549.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4db-560.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4df-571.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4e3-580.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4e7-591.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4eb-600.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4ef-610.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4f3-619.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4f8-627.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4fc-636.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a500-646.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a505-655.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a509-665.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a510-674.dat | INDICATOR_EXE_Packed_MPress
Executes dropped EXE (64 IoCs)
pid | Process
2336 | Igihbknb.exe
2040 | Igkdgk32.exe
2676 | Jmhmpb32.exe
2732 | Jmjjea32.exe
1520 | Jfcnngnd.exe
2464 | Jbjochdi.exe
2960 | Jehkodcm.exe
2556 | Jfghif32.exe
2944 | Jgidao32.exe
300 | Kihqkagp.exe
752 | Kneicieh.exe
1892 | Kngfih32.exe
2804 | Keanebkb.exe
1076 | Kmmcjehm.exe
1784 | Kgbggnhc.exe
620 | Kpmlkp32.exe
2888 | Kmaled32.exe
1080 | Lemaif32.exe
2304 | Lpbefoai.exe
1268 | Leonofpp.exe
1388 | Logbhl32.exe
1696 | Lafndg32.exe
3052 | Lojomkdn.exe
2404 | Llnofpcg.exe
2372 | Lmolnh32.exe
872 | Ldidkbpb.exe
2112 | Mggpgmof.exe
1576 | Mmahdggc.exe
3056 | Mdkqqa32.exe
2620 | Mkeimlfm.exe
1660 | Mmceigep.exe
2220 | Mdmmfa32.exe
2632 | Mlibjc32.exe
2588 | Mdpjlajk.exe
2312 | Moiklogi.exe
2948 | Mlmlecec.exe
3020 | Nefpnhlc.exe
1536 | Nhdlkdkg.exe
1644 | Namqci32.exe
2776 | Nlbeqb32.exe
2772 | Nejiih32.exe
712 | Nkgbbo32.exe
1632 | Naajoinb.exe
2300 | Ngnbgplj.exe
2008 | Ndbcpd32.exe
2192 | Oklkmnbp.exe
1528 | Onjgiiad.exe
1040 | Oddpfc32.exe
608 | Olpdjf32.exe
1740 | Ocimgp32.exe
2120 | Oclilp32.exe
2904 | Oobjaqaj.exe
880 | Ocnfbo32.exe
1568 | Oikojfgk.exe
2328 | Okikfagn.exe
1804 | Onhgbmfb.exe
2668 | Pimkpfeh.exe
2028 | Pklhlael.exe
1700 | Pbfpik32.exe
2540 | Pkndaa32.exe
2976 | Pjadmnic.exe
1284 | Pbhmnkjf.exe
3000 | Pciifc32.exe
1792 | Pjcabmga.exe
Loads dropped DLL (64 IoCs)
pid | Process
2348 | a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b.exe
2348 | a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b.exe
2336 | Igihbknb.exe
2336 | Igihbknb.exe
2040 | Igkdgk32.exe
2040 | Igkdgk32.exe
2676 | Jmhmpb32.exe
2676 | Jmhmpb32.exe
2732 | Jmjjea32.exe
2732 | Jmjjea32.exe
1520 | Jfcnngnd.exe
1520 | Jfcnngnd.exe
2464 | Jbjochdi.exe
2464 | Jbjochdi.exe
2960 | Jehkodcm.exe
2960 | Jehkodcm.exe
2556 | Jfghif32.exe
2556 | Jfghif32.exe
2944 | Jgidao32.exe
2944 | Jgidao32.exe
300 | Kihqkagp.exe
300 | Kihqkagp.exe
752 | Kneicieh.exe
752 | Kneicieh.exe
1892 | Kngfih32.exe
1892 | Kngfih32.exe
2804 | Keanebkb.exe
2804 | Keanebkb.exe
1076 | Kmmcjehm.exe
1076 | Kmmcjehm.exe
1784 | Kgbggnhc.exe
1784 | Kgbggnhc.exe
620 | Kpmlkp32.exe
620 | Kpmlkp32.exe
2888 | Kmaled32.exe
2888 | Kmaled32.exe
1080 | Lemaif32.exe
1080 | Lemaif32.exe
2304 | Lpbefoai.exe
2304 | Lpbefoai.exe
1268 | Leonofpp.exe
1268 | Leonofpp.exe
1388 | Logbhl32.exe
1388 | Logbhl32.exe
1696 | Lafndg32.exe
1696 | Lafndg32.exe
3052 | Lojomkdn.exe
3052 | Lojomkdn.exe
2404 | Llnofpcg.exe
2404 | Llnofpcg.exe
2372 | Lmolnh32.exe
2372 | Lmolnh32.exe
872 | Ldidkbpb.exe
872 | Ldidkbpb.exe
2112 | Mggpgmof.exe
2112 | Mggpgmof.exe
1576 | Mmahdggc.exe
1576 | Mmahdggc.exe
3056 | Mdkqqa32.exe
3056 | Mdkqqa32.exe
2620 | Mkeimlfm.exe
2620 | Mkeimlfm.exe
1660 | Mmceigep.exe
1660 | Mmceigep.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Higeofeq.dll | Gdgcpi32.exe
File opened for modification | C:\Windows\SysWOW64\Cmgechbh.exe | Ckiigmcd.exe
File opened for modification | C:\Windows\SysWOW64\Ejgemkbm.exe | Ecnmpa32.exe
File created | C:\Windows\SysWOW64\Mhapiheo.dll | Bplhnoej.exe
File opened for modification | C:\Windows\SysWOW64\Cedpbd32.exe | Cmmhaf32.exe
File created | C:\Windows\SysWOW64\Femijbfb.dll | Process not Found
File created | C:\Windows\SysWOW64\Jneohcll.dll | Ajhgmpfg.exe
File created | C:\Windows\SysWOW64\Picnndmb.exe | Pgbafl32.exe
File created | C:\Windows\SysWOW64\Enlglnci.exe | Eknkpbdf.exe
File created | C:\Windows\SysWOW64\Niebgj32.dll | Process not Found
File created | C:\Windows\SysWOW64\Mhofcjea.dll | Dfffnn32.exe
File created | C:\Windows\SysWOW64\Dnjngk32.exe | Dkkbkp32.exe
File created | C:\Windows\SysWOW64\Baepmlkg.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ieidmbcc.exe | Ipllekdl.exe
File created | C:\Windows\SysWOW64\Macalohk.dll | Mofglh32.exe
File created | C:\Windows\SysWOW64\Chhldeho.exe | Cejphiik.exe
File created | C:\Windows\SysWOW64\Hedbmpnc.dll | Process not Found
File created | C:\Windows\SysWOW64\Jkhgfq32.dll | Dggcffhg.exe
File opened for modification | C:\Windows\SysWOW64\Fljafg32.exe | Fikejl32.exe
File created | C:\Windows\SysWOW64\Pikhak32.dll | Lnbbbffj.exe
File created | C:\Windows\SysWOW64\Nbhfke32.exe | Npijoj32.exe
File opened for modification | C:\Windows\SysWOW64\Gjbmelgm.exe | Gcheib32.exe
File created | C:\Windows\SysWOW64\Konijaag.dll | Npolmh32.exe
File created | C:\Windows\SysWOW64\Mgalqkbk.exe | Mholen32.exe
File created | C:\Windows\SysWOW64\Ojbkibad.dll | Fbmfkkbm.exe
File opened for modification | C:\Windows\SysWOW64\Lqncaj32.exe | Lblcfnhj.exe
File created | C:\Windows\SysWOW64\Aqmamm32.exe | Ajcipc32.exe
File created | C:\Windows\SysWOW64\Knkgpi32.exe | Process not Found
File created | C:\Windows\SysWOW64\Aqcifjof.dll | Process not Found
File created | C:\Windows\SysWOW64\Bdpoifde.dll | Jmplcp32.exe
File opened for modification | C:\Windows\SysWOW64\Oopfakpa.exe | Oghopm32.exe
File created | C:\Windows\SysWOW64\Bckjhl32.exe | Bnnaoe32.exe
File created | C:\Windows\SysWOW64\Gmbdnn32.exe | Gjdhbc32.exe
File created | C:\Windows\SysWOW64\Fgnokb32.exe | Fcbbjcif.exe
File created | C:\Windows\SysWOW64\Pdbahpec.exe | Pcaepg32.exe
File created | C:\Windows\SysWOW64\Dnoldn32.dll | Lbnpkmfg.exe
File created | C:\Windows\SysWOW64\Bhhognbb.dll | Lpbefoai.exe
File created | C:\Windows\SysWOW64\Niikceid.exe | Ncpcfkbg.exe
File opened for modification | C:\Windows\SysWOW64\Anlfbi32.exe | Ajpjakhc.exe
File created | C:\Windows\SysWOW64\Bjbcfn32.exe | Bhdgjb32.exe
File opened for modification | C:\Windows\SysWOW64\Mbpipp32.exe | Mndmoaog.exe
File created | C:\Windows\SysWOW64\Lipecm32.exe | Lahmbo32.exe
File created | C:\Windows\SysWOW64\Bmphhc32.exe | Bjallg32.exe
File created | C:\Windows\SysWOW64\Pgbdodnh.exe | Poklngnf.exe
File opened for modification | C:\Windows\SysWOW64\Dlgldibq.exe | Dndlim32.exe
File opened for modification | C:\Windows\SysWOW64\Bpnddn32.exe | Bmphhc32.exe
File created | C:\Windows\SysWOW64\Ajqljc32.exe | Agbpnh32.exe
File opened for modification | C:\Windows\SysWOW64\Lhiakf32.exe | Process not Found
File created | C:\Windows\SysWOW64\Fbnbckhg.dll | Process not Found
File created | C:\Windows\SysWOW64\Ebjglbml.exe | Eqijej32.exe
File created | C:\Windows\SysWOW64\Hibeif32.dll | Ohaeia32.exe
File created | C:\Windows\SysWOW64\Bhajdblk.exe | Biojif32.exe
File created | C:\Windows\SysWOW64\Cojhejbh.exe | Chqoipkk.exe
File opened for modification | C:\Windows\SysWOW64\Hbknkl32.exe | Hjdfjo32.exe
File opened for modification | C:\Windows\SysWOW64\Ooabmbbe.exe | Process not Found
File created | C:\Windows\SysWOW64\Gefmne32.dll | Qfmafg32.exe
File opened for modification | C:\Windows\SysWOW64\Gjdjklek.exe | Ggfnopfg.exe
File created | C:\Windows\SysWOW64\Hinqgg32.exe | Hebdfind.exe
File created | C:\Windows\SysWOW64\Bhdmagqq.dll | Clmbddgp.exe
File created | C:\Windows\SysWOW64\Mcfidhng.dll | Dcadac32.exe
File opened for modification | C:\Windows\SysWOW64\Dmhdkdlg.exe | Doecog32.exe
File opened for modification | C:\Windows\SysWOW64\Inlkik32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mqbbagjo.exe | Process not Found
File created | C:\Windows\SysWOW64\Bngpjpqe.dll | Process not Found
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4260 | 4416 | Process not Found | 1340
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dggcffhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqkfc32.dll" | Hphidanj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgkleabc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ciaefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Anlmmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ekelld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fiihdlpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jjmpbopd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Joihjfnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdihiook.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnhoag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmglajcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkfeo32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbdonb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll" | Meijhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhndalhm.dll" | Agpcihcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkgbbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liobdl32.dll" | Lgoboc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kiijnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcidp32.dll" | Kiijnq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Magqncba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfbbc32.dll" | Aennba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edqocbkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehnpfik.dll" | Mbpipp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pmanoifd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoocd32.dll" | Ekpheb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlgldibq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcadac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fljafg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" | Baohhgnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkepldda.dll" | Nlnnnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lomgjb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbpipp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajnpecbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhcmhdke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cehfkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll" | Nkpegi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bolejaam.dll" | Gifaciae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mndmoaog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" | Pbhmnkjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbnflo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjdfjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdmddc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmleofn.dll" | Fafcdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfplhjm.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aigmnqgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeaiio32.dll" | Lqhfhigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnmhkin.dll" | Hapicp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpfeppop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmkljal.dll" | Aababceh.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (tree depth, image path, command line, PID, behaviour flags):
1. C:\Users\Admin\AppData\Local\Temp\a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a472fb9b1c65a2675e3ac608acd95004d3a77c801de95918cc495bf05082170b.exe"), PID 2348: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Igihbknb.exe (command line: C:\Windows\system32\Igihbknb.exe), PID 2336: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Igkdgk32.exe (command line: C:\Windows\system32\Igkdgk32.exe), PID 2040: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jmhmpb32.exe (command line: C:\Windows\system32\Jmhmpb32.exe), PID 2676: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Jmjjea32.exe (command line: C:\Windows\system32\Jmjjea32.exe), PID 2732: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Jfcnngnd.exe (command line: C:\Windows\system32\Jfcnngnd.exe), PID 1520: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Jbjochdi.exe (command line: C:\Windows\system32\Jbjochdi.exe), PID 2464: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Jehkodcm.exe (command line: C:\Windows\system32\Jehkodcm.exe), PID 2960: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Jfghif32.exe (command line: C:\Windows\system32\Jfghif32.exe), PID 2556: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jgidao32.exe (command line: C:\Windows\system32\Jgidao32.exe), PID 2944: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kihqkagp.exe (command line: C:\Windows\system32\Kihqkagp.exe), PID 300: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kneicieh.exe (command line: C:\Windows\system32\Kneicieh.exe), PID 752: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kngfih32.exe (command line: C:\Windows\system32\Kngfih32.exe), PID 1892: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Keanebkb.exe (command line: C:\Windows\system32\Keanebkb.exe), PID 2804: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kmmcjehm.exe (command line: C:\Windows\system32\Kmmcjehm.exe), PID 1076: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kgbggnhc.exe (command line: C:\Windows\system32\Kgbggnhc.exe), PID 1784: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Kpmlkp32.exe (command line: C:\Windows\system32\Kpmlkp32.exe), PID 620: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Kmaled32.exe (command line: C:\Windows\system32\Kmaled32.exe), PID 2888: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Lemaif32.exe (command line: C:\Windows\system32\Lemaif32.exe), PID 1080: Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Lpbefoai.exe (command line: C:\Windows\system32\Lpbefoai.exe), PID 2304: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
21. C:\Windows\SysWOW64\Leonofpp.exe (command line: C:\Windows\system32\Leonofpp.exe), PID 1268: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Logbhl32.exe (command line: C:\Windows\system32\Logbhl32.exe), PID 1388: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Lafndg32.exe (command line: C:\Windows\system32\Lafndg32.exe), PID 1696: Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Lojomkdn.exe (command line: C:\Windows\system32\Lojomkdn.exe), PID 3052: Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Llnofpcg.exe (command line: C:\Windows\system32\Llnofpcg.exe), PID 2404: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Lmolnh32.exe (command line: C:\Windows\system32\Lmolnh32.exe), PID 2372: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Ldidkbpb.exe (command line: C:\Windows\system32\Ldidkbpb.exe), PID 872: Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Mggpgmof.exe (command line: C:\Windows\system32\Mggpgmof.exe), PID 2112: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Mmahdggc.exe (command line: C:\Windows\system32\Mmahdggc.exe), PID 1576: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Mdkqqa32.exe (command line: C:\Windows\system32\Mdkqqa32.exe), PID 3056: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Mkeimlfm.exe (command line: C:\Windows\system32\Mkeimlfm.exe), PID 2620: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Mmceigep.exe (command line: C:\Windows\system32\Mmceigep.exe), PID 1660: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Mdmmfa32.exe (command line: C:\Windows\system32\Mdmmfa32.exe), PID 2220: Executes dropped EXE
34. C:\Windows\SysWOW64\Mlibjc32.exe (command line: C:\Windows\system32\Mlibjc32.exe), PID 2632: Executes dropped EXE
35. C:\Windows\SysWOW64\Mdpjlajk.exe (command line: C:\Windows\system32\Mdpjlajk.exe), PID 2588: Executes dropped EXE
36. C:\Windows\SysWOW64\Moiklogi.exe (command line: C:\Windows\system32\Moiklogi.exe), PID 2312: Executes dropped EXE
37. C:\Windows\SysWOW64\Mlmlecec.exe (command line: C:\Windows\system32\Mlmlecec.exe), PID 2948: Executes dropped EXE
38. C:\Windows\SysWOW64\Nefpnhlc.exe (command line: C:\Windows\system32\Nefpnhlc.exe), PID 3020: Executes dropped EXE
39. C:\Windows\SysWOW64\Nhdlkdkg.exe (command line: C:\Windows\system32\Nhdlkdkg.exe), PID 1536: Executes dropped EXE
40. C:\Windows\SysWOW64\Namqci32.exe (command line: C:\Windows\system32\Namqci32.exe), PID 1644: Executes dropped EXE
41. C:\Windows\SysWOW64\Nlbeqb32.exe (command line: C:\Windows\system32\Nlbeqb32.exe), PID 2776: Executes dropped EXE
42. C:\Windows\SysWOW64\Nejiih32.exe (command line: C:\Windows\system32\Nejiih32.exe), PID 2772: Executes dropped EXE
43. C:\Windows\SysWOW64\Nkgbbo32.exe (command line: C:\Windows\system32\Nkgbbo32.exe), PID 712: Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Naajoinb.exe (command line: C:\Windows\system32\Naajoinb.exe), PID 1632: Executes dropped EXE
45. C:\Windows\SysWOW64\Ngnbgplj.exe (command line: C:\Windows\system32\Ngnbgplj.exe), PID 2300: Executes dropped EXE
46. C:\Windows\SysWOW64\Ndbcpd32.exe (command line: C:\Windows\system32\Ndbcpd32.exe), PID 2008: Executes dropped EXE
47. C:\Windows\SysWOW64\Oklkmnbp.exe (command line: C:\Windows\system32\Oklkmnbp.exe), PID 2192: Executes dropped EXE
48. C:\Windows\SysWOW64\Onjgiiad.exe (command line: C:\Windows\system32\Onjgiiad.exe), PID 1528: Executes dropped EXE
49. C:\Windows\SysWOW64\Oddpfc32.exe (command line: C:\Windows\system32\Oddpfc32.exe), PID 1040: Executes dropped EXE
50. C:\Windows\SysWOW64\Olpdjf32.exe (command line: C:\Windows\system32\Olpdjf32.exe), PID 608: Executes dropped EXE
51. C:\Windows\SysWOW64\Ocimgp32.exe (command line: C:\Windows\system32\Ocimgp32.exe), PID 1740: Executes dropped EXE
52. C:\Windows\SysWOW64\Oclilp32.exe (command line: C:\Windows\system32\Oclilp32.exe), PID 2120: Executes dropped EXE
53. C:\Windows\SysWOW64\Oobjaqaj.exe (command line: C:\Windows\system32\Oobjaqaj.exe), PID 2904: Executes dropped EXE
54. C:\Windows\SysWOW64\Ocnfbo32.exe (command line: C:\Windows\system32\Ocnfbo32.exe), PID 880: Executes dropped EXE
55. C:\Windows\SysWOW64\Oikojfgk.exe (command line: C:\Windows\system32\Oikojfgk.exe), PID 1568: Executes dropped EXE
56. C:\Windows\SysWOW64\Okikfagn.exe (command line: C:\Windows\system32\Okikfagn.exe), PID 2328: Executes dropped EXE
57. C:\Windows\SysWOW64\Onhgbmfb.exe (command line: C:\Windows\system32\Onhgbmfb.exe), PID 1804: Executes dropped EXE
58. C:\Windows\SysWOW64\Pimkpfeh.exe (command line: C:\Windows\system32\Pimkpfeh.exe), PID 2668: Executes dropped EXE
59. C:\Windows\SysWOW64\Pklhlael.exe (command line: C:\Windows\system32\Pklhlael.exe), PID 2028: Executes dropped EXE
60. C:\Windows\SysWOW64\Pbfpik32.exe (command line: C:\Windows\system32\Pbfpik32.exe), PID 1700: Executes dropped EXE
61. C:\Windows\SysWOW64\Pkndaa32.exe (command line: C:\Windows\system32\Pkndaa32.exe), PID 2540: Executes dropped EXE
62. C:\Windows\SysWOW64\Pjadmnic.exe (command line: C:\Windows\system32\Pjadmnic.exe), PID 2976: Executes dropped EXE
63. C:\Windows\SysWOW64\Pbhmnkjf.exe (command line: C:\Windows\system32\Pbhmnkjf.exe), PID 1284: Executes dropped EXE; Modifies registry class
64. C:\Windows\SysWOW64\Pciifc32.exe (command line: C:\Windows\system32\Pciifc32.exe), PID 3000: Executes dropped EXE
65. C:\Windows\SysWOW64\Pjcabmga.exe (command line: C:\Windows\system32\Pjcabmga.exe), PID 1792: Executes dropped EXE
66. C:\Windows\SysWOW64\Pmanoifd.exe (command line: C:\Windows\system32\Pmanoifd.exe), PID 1028: Modifies registry class
67. C:\Windows\SysWOW64\Peiepfgg.exe (command line: C:\Windows\system32\Peiepfgg.exe), PID 480: Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Pfjbgnme.exe (command line: C:\Windows\system32\Pfjbgnme.exe), PID 1136
69. C:\Windows\SysWOW64\Pmdjdh32.exe (command line: C:\Windows\system32\Pmdjdh32.exe), PID 1880
70. C:\Windows\SysWOW64\Ppbfpd32.exe (command line: C:\Windows\system32\Ppbfpd32.exe), PID 268
71. C:\Windows\SysWOW64\Pgioaa32.exe (command line: C:\Windows\system32\Pgioaa32.exe), PID 1296
72. C:\Windows\SysWOW64\Pikkiijf.exe (command line: C:\Windows\system32\Pikkiijf.exe), PID 2420
73. C:\Windows\SysWOW64\Qpecfc32.exe (command line: C:\Windows\system32\Qpecfc32.exe), PID 1376
74. C:\Windows\SysWOW64\Qbcpbo32.exe (command line: C:\Windows\system32\Qbcpbo32.exe), PID 836
75. C:\Windows\SysWOW64\Qimhoi32.exe (command line: C:\Windows\system32\Qimhoi32.exe), PID 936
76. C:\Windows\SysWOW64\Qpgpkcpp.exe (command line: C:\Windows\system32\Qpgpkcpp.exe), PID 2276
77. C:\Windows\SysWOW64\Qbelgood.exe (command line: C:\Windows\system32\Qbelgood.exe), PID 2376
78. C:\Windows\SysWOW64\Qedhdjnh.exe (command line: C:\Windows\system32\Qedhdjnh.exe), PID 2224
79. C:\Windows\SysWOW64\Anlmmp32.exe (command line: C:\Windows\system32\Anlmmp32.exe), PID 2020: Modifies registry class
80. C:\Windows\SysWOW64\Afcenm32.exe (command line: C:\Windows\system32\Afcenm32.exe), PID 2868
81. C:\Windows\SysWOW64\Ahdaee32.exe (command line: C:\Windows\system32\Ahdaee32.exe), PID 2476
82. C:\Windows\SysWOW64\Anojbobe.exe (command line: C:\Windows\system32\Anojbobe.exe), PID 2968
83. C:\Windows\SysWOW64\Aamfnkai.exe (command line: C:\Windows\system32\Aamfnkai.exe), PID 2840
84. C:\Windows\SysWOW64\Albjlcao.exe (command line: C:\Windows\system32\Albjlcao.exe), PID 1992
85. C:\Windows\SysWOW64\Abmbhn32.exe (command line: C:\Windows\system32\Abmbhn32.exe), PID 664
86. C:\Windows\SysWOW64\Ahikqd32.exe (command line: C:\Windows\system32\Ahikqd32.exe), PID 1780: Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Ajhgmpfg.exe (command line: C:\Windows\system32\Ajhgmpfg.exe), PID 296: Drops file in System32 directory
88. C:\Windows\SysWOW64\Amfcikek.exe (command line: C:\Windows\system32\Amfcikek.exe), PID 2268
89. C:\Windows\SysWOW64\Aemkjiem.exe (command line: C:\Windows\system32\Aemkjiem.exe), PID 1212
90. C:\Windows\SysWOW64\Afohaa32.exe (command line: C:\Windows\system32\Afohaa32.exe), PID 3024
91. C:\Windows\SysWOW64\Aoepcn32.exe (command line: C:\Windows\system32\Aoepcn32.exe), PID 1828
92. C:\Windows\SysWOW64\Aadloj32.exe (command line: C:\Windows\system32\Aadloj32.exe), PID 2412
93. C:\Windows\SysWOW64\Bpgljfbl.exe (command line: C:\Windows\system32\Bpgljfbl.exe), PID 2656
94. C:\Windows\SysWOW64\Bfadgq32.exe (command line: C:\Windows\system32\Bfadgq32.exe), PID 2472
95. C:\Windows\SysWOW64\Bioqclil.exe (command line: C:\Windows\system32\Bioqclil.exe), PID 540
96. C:\Windows\SysWOW64\Bdeeqehb.exe (command line: C:\Windows\system32\Bdeeqehb.exe), PID 2824
97. C:\Windows\SysWOW64\Bbhela32.exe (command line: C:\Windows\system32\Bbhela32.exe), PID 1228
98. C:\Windows\SysWOW64\Biamilfj.exe (command line: C:\Windows\system32\Biamilfj.exe), PID 2044
99. C:\Windows\SysWOW64\Bmmiij32.exe (command line: C:\Windows\system32\Bmmiij32.exe), PID 2528
100. C:\Windows\SysWOW64\Bpleef32.exe (command line: C:\Windows\system32\Bpleef32.exe), PID 2648
101. C:\Windows\SysWOW64\Bbjbaa32.exe (command line: C:\Windows\system32\Bbjbaa32.exe), PID 984
102. C:\Windows\SysWOW64\Bidjnkdg.exe (command line: C:\Windows\system32\Bidjnkdg.exe), PID 1320
103. C:\Windows\SysWOW64\Blbfjg32.exe (command line: C:\Windows\system32\Blbfjg32.exe), PID 1552
104. C:\Windows\SysWOW64\Bblogakg.exe (command line: C:\Windows\system32\Bblogakg.exe), PID 2928
105. C:\Windows\SysWOW64\Bhigphio.exe (command line: C:\Windows\system32\Bhigphio.exe), PID 2152
106. C:\Windows\SysWOW64\Bbokmqie.exe (command line: C:\Windows\system32\Bbokmqie.exe), PID 3064
107. C:\Windows\SysWOW64\Bhkdeggl.exe (command line: C:\Windows\system32\Bhkdeggl.exe), PID 2652
108. C:\Windows\SysWOW64\Ckjpacfp.exe (command line: C:\Windows\system32\Ckjpacfp.exe), PID 2324
109. C:\Windows\SysWOW64\Ccahbp32.exe (command line: C:\Windows\system32\Ccahbp32.exe), PID 2596
110. C:\Windows\SysWOW64\Cdbdjhmp.exe (command line: C:\Windows\system32\Cdbdjhmp.exe), PID 2636
111. C:\Windows\SysWOW64\Cklmgb32.exe (command line: C:\Windows\system32\Cklmgb32.exe), PID 340
112. C:\Windows\SysWOW64\Ckoilb32.exe (command line: C:\Windows\system32\Ckoilb32.exe), PID 2996
113. C:\Windows\SysWOW64\Cpkbdiqb.exe (command line: C:\Windows\system32\Cpkbdiqb.exe), PID 1084
114. C:\Windows\SysWOW64\Cgejac32.exe (command line: C:\Windows\system32\Cgejac32.exe), PID 1276
115. C:\Windows\SysWOW64\Caknol32.exe (command line: C:\Windows\system32\Caknol32.exe), PID 1588
116. C:\Windows\SysWOW64\Cghggc32.exe (command line: C:\Windows\system32\Cghggc32.exe), PID 2892
117. C:\Windows\SysWOW64\Cnaocmmi.exe (command line: C:\Windows\system32\Cnaocmmi.exe), PID 1180
118. C:\Windows\SysWOW64\Cldooj32.exe (command line: C:\Windows\system32\Cldooj32.exe), PID 2780
119. C:\Windows\SysWOW64\Ccngld32.exe (command line: C:\Windows\system32\Ccngld32.exe), PID 832
120. C:\Windows\SysWOW64\Dfmdho32.exe (command line: C:\Windows\system32\Dfmdho32.exe), PID 1128
121. C:\Windows\SysWOW64\Dndlim32.exe (command line: C:\Windows\system32\Dndlim32.exe), PID 2428: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
122. C:\Windows\SysWOW64\Dlgldibq.exe (command line: C:\Windows\system32\Dlgldibq.exe), PID 1328: Modifies registry class