Analysis
-
max time kernel
117s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
23-08-2024 23:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea2f30efd9110df512a3c76ea10c1340N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
ea2f30efd9110df512a3c76ea10c1340N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ea2f30efd9110df512a3c76ea10c1340N.exe
-
Size
324KB
-
MD5
ea2f30efd9110df512a3c76ea10c1340
-
SHA1
9bf62173a1020b1513edbbb404ce1ddd8490daa1
-
SHA256
3e124467c916ef99b9a245fdc3179b3d645dbc06135146a11357fed0bf52cd98
-
SHA512
303db77ff2fc6cfc869c7148a48c38b8abcbe1dd2e921c525b38e2102f5313052cf762cb2f03f3e7573f0fe20e5fb1dbb200a39db9b53e1a41c4eeace2282c8c
-
SSDEEP
3072:QhJhzSQDCrxdbMqlWGRdA6sQO56TQY2mEmjwCzAhjQjxNX+W5RK0:uJhdDwbWGRdA6sQc/Y+mjwjOx5H
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmkklflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfhfjgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcebnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajcaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poocmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmeffp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbcjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfdpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdjnefm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhlmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kigkmmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halkahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjbqei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkdbmblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfgoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifkecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhcad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deegjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabfaqca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfoobkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffcbce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjgoaflj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgqfefpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhcankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kceijg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggpgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocbbbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmppmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmdljal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djolbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjghe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deljfqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncddc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmknko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iofiimkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acafnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dghgdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdfoiki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkdpafo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhoej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmeificb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anbaqfep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljljenoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkafofde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcjfdqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcbngf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocekd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqcomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkfncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaaajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdllk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcbaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcihdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcignoki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlndfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnnbfjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjbecqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djoinbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfdpgd32.exe -
Executes dropped EXE 64 IoCs
pid Process 1664 Jhfepfme.exe 2848 Jdmfdgbj.exe 2772 Jlhjijpe.exe 2784 Kaliaphd.exe 2684 Kkfjpemb.exe 2596 Kpcbhlki.exe 2104 Lfedlb32.exe 3008 Lckbkfbb.exe 2940 Llfcik32.exe 2652 Mfngbq32.exe 3044 Mchadifq.exe 1388 Mmafmo32.exe 1124 Mjgclcjh.exe 2428 Nbddfe32.exe 2260 Njdbefnf.exe 1964 Ohkpdj32.exe 2244 Opkndldc.exe 2124 Pbkgegad.exe 2292 Pelpgb32.exe 1448 Pacqlcdi.exe 1988 Pgbejj32.exe 328 Ppjjcogn.exe 908 Qicoleno.exe 2348 Aellfe32.exe 1500 Ajjeld32.exe 744 Bbolge32.exe 1548 Bjlnaghp.exe 2752 Bbjoki32.exe 2744 Conpdm32.exe 2640 Cfjdfg32.exe 2828 Cbcbag32.exe 2152 Djqcki32.exe 2068 Dcihdo32.exe 2568 Dpbenpqh.exe 1564 Dpdbdo32.exe 2900 Ehpgha32.exe 2600 Eefdgeig.exe 2228 Eehqme32.exe 2904 Ekeiel32.exe 1072 Fkjbpkag.exe 2180 Fhdlbd32.exe 2396 Flbehbqm.exe 2284 Gnenfjdh.exe 1804 Ggncop32.exe 1140 Ghmohcbl.exe 1908 Gnjhaj32.exe 1684 Gqkqbe32.exe 3060 Gjcekj32.exe 2344 Hmdnme32.exe 1984 Hjhofj32.exe 1120 Hbepplkh.exe 2760 Hnlqemal.exe 2756 Hnomkloi.exe 2936 Ieiegf32.exe 2644 Imdjlida.exe 2184 Incgfl32.exe 2324 Ifoljn32.exe 2256 Iadphghe.exe 2576 Iiodliep.exe 1968 Ifceemdj.exe 424 Jbjejojn.exe 1344 Jpnfdbig.exe 1676 Jlegic32.exe 1872 Jmhpfl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2884 ea2f30efd9110df512a3c76ea10c1340N.exe 2884 ea2f30efd9110df512a3c76ea10c1340N.exe 1664 Jhfepfme.exe 1664 Jhfepfme.exe 2848 Jdmfdgbj.exe 2848 Jdmfdgbj.exe 2772 Jlhjijpe.exe 2772 Jlhjijpe.exe 2784 Kaliaphd.exe 2784 Kaliaphd.exe 2684 Kkfjpemb.exe 2684 Kkfjpemb.exe 2596 Kpcbhlki.exe 2596 Kpcbhlki.exe 2104 Lfedlb32.exe 2104 Lfedlb32.exe 3008 Lckbkfbb.exe 3008 Lckbkfbb.exe 2940 Llfcik32.exe 2940 Llfcik32.exe 2652 Mfngbq32.exe 2652 Mfngbq32.exe 3044 Mchadifq.exe 3044 Mchadifq.exe 1388 Mmafmo32.exe 1388 Mmafmo32.exe 1124 Mjgclcjh.exe 1124 Mjgclcjh.exe 2428 Nbddfe32.exe 2428 Nbddfe32.exe 2260 Njdbefnf.exe 2260 Njdbefnf.exe 1964 Ohkpdj32.exe 1964 Ohkpdj32.exe 2244 Opkndldc.exe 2244 Opkndldc.exe 2124 Pbkgegad.exe 2124 Pbkgegad.exe 2292 Pelpgb32.exe 2292 Pelpgb32.exe 1448 Pacqlcdi.exe 1448 Pacqlcdi.exe 1988 Pgbejj32.exe 1988 Pgbejj32.exe 328 Ppjjcogn.exe 328 Ppjjcogn.exe 908 Qicoleno.exe 908 Qicoleno.exe 2348 Aellfe32.exe 2348 Aellfe32.exe 1500 Ajjeld32.exe 1500 Ajjeld32.exe 744 Bbolge32.exe 744 Bbolge32.exe 1548 Bjlnaghp.exe 1548 Bjlnaghp.exe 2752 Bbjoki32.exe 2752 Bbjoki32.exe 2744 Conpdm32.exe 2744 Conpdm32.exe 2640 Cfjdfg32.exe 2640 Cfjdfg32.exe 2828 Cbcbag32.exe 2828 Cbcbag32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kigkmmql.exe Kcjcefbd.exe File created C:\Windows\SysWOW64\Iiblgb32.dll Cibnfpjg.exe File created C:\Windows\SysWOW64\Ekhoehke.dll Nqcjiaah.exe File created C:\Windows\SysWOW64\Abjgjc32.exe Process not Found File created C:\Windows\SysWOW64\Elajhc32.dll Paqoef32.exe File created C:\Windows\SysWOW64\Nmgbmq32.dll Cdlppf32.exe File opened for modification C:\Windows\SysWOW64\Mhpeem32.exe Mlidplcf.exe File created C:\Windows\SysWOW64\Kjgoaflj.exe Kcmfeldm.exe File created C:\Windows\SysWOW64\Oqkimp32.exe Nnkpkdio.exe File opened for modification C:\Windows\SysWOW64\Hbmnfajm.exe Ghcmedmo.exe File created C:\Windows\SysWOW64\Gjcekj32.exe Gqkqbe32.exe File opened for modification C:\Windows\SysWOW64\Bfnnpbnn.exe Bhjngnod.exe File opened for modification C:\Windows\SysWOW64\Jnlfjjpl.exe Iecaad32.exe File opened for modification C:\Windows\SysWOW64\Fhnede32.exe Feoihi32.exe File created C:\Windows\SysWOW64\Fahdja32.exe Faegda32.exe File created C:\Windows\SysWOW64\Aeconf32.dll Jfeamimh.exe File created C:\Windows\SysWOW64\Bmnqaanm.dll Aellfe32.exe File created C:\Windows\SysWOW64\Gifhkpgk.exe Fblpnepn.exe File opened for modification C:\Windows\SysWOW64\Nbnajcig.exe Nmaialjp.exe File created C:\Windows\SysWOW64\Gljbaeaa.dll Alfpab32.exe File created C:\Windows\SysWOW64\Nagakhfn.exe Nhombc32.exe File created C:\Windows\SysWOW64\Dophid32.exe Dhfpljnn.exe File created C:\Windows\SysWOW64\Gogipbln.exe Ghmach32.exe File opened for modification C:\Windows\SysWOW64\Ccbojk32.exe Cmegbd32.exe File opened for modification C:\Windows\SysWOW64\Afolpb32.exe Aocgnh32.exe File created C:\Windows\SysWOW64\Cdnonb32.dll Gljfeimi.exe File opened for modification C:\Windows\SysWOW64\Mbgdonkd.exe Minpeh32.exe File created C:\Windows\SysWOW64\Emjggf32.dll Obpccped.exe File created C:\Windows\SysWOW64\Mmfcmcce.dll Obbpio32.exe File opened for modification C:\Windows\SysWOW64\Dbighojl.exe Dkookd32.exe File created C:\Windows\SysWOW64\Pgndaabf.dll Gfnnmboa.exe File created C:\Windows\SysWOW64\Ddnmhb32.exe Cfipgf32.exe File opened for modification C:\Windows\SysWOW64\Jajcaj32.exe Jahflj32.exe File created C:\Windows\SysWOW64\Nannejni.exe Mfdmdlaj.exe File opened for modification C:\Windows\SysWOW64\Gcpfbhof.exe Gnaadb32.exe File created C:\Windows\SysWOW64\Dcgppana.exe Dnkggjpj.exe File created C:\Windows\SysWOW64\Fkjbpkag.exe Ekeiel32.exe File opened for modification C:\Windows\SysWOW64\Cohlnkeg.exe Cqcomn32.exe File created C:\Windows\SysWOW64\Pnpbecig.dll Cbagdq32.exe File created C:\Windows\SysWOW64\Olcoaf32.exe Ojpedn32.exe File created C:\Windows\SysWOW64\Jkcjchco.exe Jfeamimh.exe File opened for modification C:\Windows\SysWOW64\Pabidiko.exe Phiekdeo.exe File opened for modification C:\Windows\SysWOW64\Hekhid32.exe Glbcpokl.exe File opened for modification C:\Windows\SysWOW64\Pjicnlqe.exe Paqoef32.exe File created C:\Windows\SysWOW64\Idlfpffo.dll Kkfoobkc.exe File created C:\Windows\SysWOW64\Gadllf32.dll Dmllgo32.exe File created C:\Windows\SysWOW64\Hgbnkf32.dll Eklbid32.exe File created C:\Windows\SysWOW64\Bmcefhll.dll Nnjghe32.exe File opened for modification C:\Windows\SysWOW64\Djolbp32.exe Dnikno32.exe File created C:\Windows\SysWOW64\Hjggnp32.exe Hmcgdlhl.exe File created C:\Windows\SysWOW64\Jkfncn32.exe Jhedachg.exe File opened for modification C:\Windows\SysWOW64\Giiibqdp.exe Goadik32.exe File created C:\Windows\SysWOW64\Oefcef32.exe Olnnlpqd.exe File created C:\Windows\SysWOW64\Dcbhfd32.dll Hnfigmhk.exe File opened for modification C:\Windows\SysWOW64\Obbpio32.exe Olhhmele.exe File opened for modification C:\Windows\SysWOW64\Eeijpdbd.exe Epmahmcm.exe File created C:\Windows\SysWOW64\Mhmfgdch.exe Modano32.exe File opened for modification C:\Windows\SysWOW64\Cgnpmg32.exe Cbagdq32.exe File created C:\Windows\SysWOW64\Ohdmhhod.exe Nlgfbh32.exe File created C:\Windows\SysWOW64\Hnanceem.exe Gfclic32.exe File opened for modification C:\Windows\SysWOW64\Aellfe32.exe Qicoleno.exe File opened for modification C:\Windows\SysWOW64\Pdnihiad.exe Phhhchlp.exe File created C:\Windows\SysWOW64\Denglpkc.exe Djibogkn.exe File created C:\Windows\SysWOW64\Kahedf32.exe Koglbkdl.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahlnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efkhkifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njdbefnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggncop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpngkhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfgadbcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbkgjgqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgfcbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjkgfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcbppk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfkde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelcjkgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqiidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohofimje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdmhhod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgglko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijdfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbadfdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llojpghe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paihgboc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkbfmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjofbdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhhgpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajogm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfoobkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabfqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhmfgdch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfeldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aieihpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anebhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epimjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmajllkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocnhjdnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjglcmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbhcankf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaknmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbnqfln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaialjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfpkgblc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nokdnail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medggj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfmddff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdjgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icidlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idlgohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfokb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giaddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohljcnlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqeagpop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbbiafj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkgegad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidoamch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelmei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhdiknb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjiiemaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhfkhhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhombc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodhbe32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgiffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmeificb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnpgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjehflbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdmdlaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbhgfqec.dll" Aabfqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilffkp32.dll" Ilianckh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkpfcnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmbmn32.dll" Oifelfni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajibeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpdhiaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeiakl32.dll" Bhiglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnfpjjj.dll" Kkmakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhinhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efneahdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blplkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adjhfcbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldnjii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncggifep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdailaib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbhcankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giogonlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekhid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhoej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apjdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klcjfdqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqpij32.dll" Lolbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkodfeem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dblcnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcbem32.dll" Kacggiij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faegda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eomaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmjhod32.dll" Ggaeae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icenedep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nibmdpam.dll" Djoinbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgjkhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfjdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeoglnab.dll" Dieiap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmbadfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgogjmp.dll" Clnnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaeoj32.dll" Pgbejj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conhkl32.dll" Dkookd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfnnmboa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfdldll.dll" Afjplj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gadidabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coidpiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldnjii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pehggk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndolpa32.dll" Pdegnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmhpfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbmcjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fchigcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefhib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiogbn32.dll" Fblpnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnenojn.dll" Bljeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egpdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqfdlmic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbiggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkaoai32.dll" Jnlfjjpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhhmle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjgag32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2884 wrote to memory of 1664 2884 ea2f30efd9110df512a3c76ea10c1340N.exe 29 PID 2884 wrote to memory of 1664 2884 ea2f30efd9110df512a3c76ea10c1340N.exe 29 PID 2884 wrote to memory of 1664 2884 ea2f30efd9110df512a3c76ea10c1340N.exe 29 PID 2884 wrote to memory of 1664 2884 ea2f30efd9110df512a3c76ea10c1340N.exe 29 PID 1664 wrote to memory of 2848 1664 Jhfepfme.exe 30 PID 1664 wrote to memory of 2848 1664 Jhfepfme.exe 30 PID 1664 wrote to memory of 2848 1664 Jhfepfme.exe 30 PID 1664 wrote to memory of 2848 1664 Jhfepfme.exe 30 PID 2848 wrote to memory of 2772 2848 Jdmfdgbj.exe 31 PID 2848 wrote to memory of 2772 2848 Jdmfdgbj.exe 31 PID 2848 wrote to memory of 2772 2848 Jdmfdgbj.exe 31 PID 2848 wrote to memory of 2772 2848 Jdmfdgbj.exe 31 PID 2772 wrote to memory of 2784 2772 Jlhjijpe.exe 32 PID 2772 wrote to memory of 2784 2772 Jlhjijpe.exe 32 PID 2772 wrote to memory of 2784 2772 Jlhjijpe.exe 32 PID 2772 wrote to memory of 2784 2772 Jlhjijpe.exe 32 PID 2784 wrote to memory of 2684 2784 Kaliaphd.exe 33 PID 2784 wrote to memory of 2684 2784 Kaliaphd.exe 33 PID 2784 wrote to memory of 2684 2784 Kaliaphd.exe 33 PID 2784 wrote to memory of 2684 2784 Kaliaphd.exe 33 PID 2684 wrote to memory of 2596 2684 Kkfjpemb.exe 34 PID 2684 wrote to memory of 2596 2684 Kkfjpemb.exe 34 PID 2684 wrote to memory of 2596 2684 Kkfjpemb.exe 34 PID 2684 wrote to memory of 2596 2684 Kkfjpemb.exe 34 PID 2596 wrote to memory of 2104 2596 Kpcbhlki.exe 35 PID 2596 wrote to memory of 2104 2596 Kpcbhlki.exe 35 PID 2596 wrote to memory of 2104 2596 Kpcbhlki.exe 35 PID 2596 wrote to memory of 2104 2596 Kpcbhlki.exe 35 PID 2104 wrote to memory of 3008 2104 Lfedlb32.exe 36 PID 2104 wrote to memory of 3008 2104 Lfedlb32.exe 36 PID 2104 wrote to memory of 3008 2104 Lfedlb32.exe 36 PID 2104 wrote to memory of 3008 2104 Lfedlb32.exe 36 PID 3008 wrote to memory of 2940 3008 Lckbkfbb.exe 37 PID 3008 wrote to memory of 2940 3008 Lckbkfbb.exe 37 PID 3008 wrote to memory of 2940 3008 Lckbkfbb.exe 37 PID 3008 wrote to memory of 2940 3008 Lckbkfbb.exe 37 PID 2940 wrote to memory of 2652 2940 Llfcik32.exe 38 PID 2940 wrote to memory of 2652 2940 Llfcik32.exe 38 PID 2940 wrote to memory of 2652 2940 Llfcik32.exe 38 PID 2940 wrote to memory of 2652 2940 Llfcik32.exe 38 PID 2652 wrote to memory of 3044 2652 Mfngbq32.exe 39 PID 2652 wrote to memory of 3044 2652 Mfngbq32.exe 39 PID 2652 wrote to memory of 3044 2652 Mfngbq32.exe 39 PID 2652 wrote to memory of 3044 2652 Mfngbq32.exe 39 PID 3044 wrote to memory of 1388 3044 Mchadifq.exe 40 PID 3044 wrote to memory of 1388 3044 Mchadifq.exe 40 PID 3044 wrote to memory of 1388 3044 Mchadifq.exe 40 PID 3044 wrote to memory of 1388 3044 Mchadifq.exe 40 PID 1388 wrote to memory of 1124 1388 Mmafmo32.exe 41 PID 1388 wrote to memory of 1124 1388 Mmafmo32.exe 41 PID 1388 wrote to memory of 1124 1388 Mmafmo32.exe 41 PID 1388 wrote to memory of 1124 1388 Mmafmo32.exe 41 PID 1124 wrote to memory of 2428 1124 Mjgclcjh.exe 42 PID 1124 wrote to memory of 2428 1124 Mjgclcjh.exe 42 PID 1124 wrote to memory of 2428 1124 Mjgclcjh.exe 42 PID 1124 wrote to memory of 2428 1124 Mjgclcjh.exe 42 PID 2428 wrote to memory of 2260 2428 Nbddfe32.exe 43 PID 2428 wrote to memory of 2260 2428 Nbddfe32.exe 43 PID 2428 wrote to memory of 2260 2428 Nbddfe32.exe 43 PID 2428 wrote to memory of 2260 2428 Nbddfe32.exe 43 PID 2260 wrote to memory of 1964 2260 Njdbefnf.exe 44 PID 2260 wrote to memory of 1964 2260 Njdbefnf.exe 44 PID 2260 wrote to memory of 1964 2260 Njdbefnf.exe 44 PID 2260 wrote to memory of 1964 2260 Njdbefnf.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea2f30efd9110df512a3c76ea10c1340N.exe"C:\Users\Admin\AppData\Local\Temp\ea2f30efd9110df512a3c76ea10c1340N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Jdmfdgbj.exeC:\Windows\system32\Jdmfdgbj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Jlhjijpe.exeC:\Windows\system32\Jlhjijpe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Lckbkfbb.exeC:\Windows\system32\Lckbkfbb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Mchadifq.exeC:\Windows\system32\Mchadifq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Njdbefnf.exeC:\Windows\system32\Njdbefnf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Ppjjcogn.exeC:\Windows\system32\Ppjjcogn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Aellfe32.exeC:\Windows\system32\Aellfe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Ajjeld32.exeC:\Windows\system32\Ajjeld32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Conpdm32.exeC:\Windows\system32\Conpdm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Cbcbag32.exeC:\Windows\system32\Cbcbag32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe33⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Dpdbdo32.exeC:\Windows\system32\Dpdbdo32.exe36⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ehpgha32.exeC:\Windows\system32\Ehpgha32.exe37⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Eefdgeig.exeC:\Windows\system32\Eefdgeig.exe38⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Eehqme32.exeC:\Windows\system32\Eehqme32.exe39⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe41⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe42⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Flbehbqm.exeC:\Windows\system32\Flbehbqm.exe43⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Gnenfjdh.exeC:\Windows\system32\Gnenfjdh.exe44⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ggncop32.exeC:\Windows\system32\Ggncop32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1804 -
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe46⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Gnjhaj32.exeC:\Windows\system32\Gnjhaj32.exe47⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Gqkqbe32.exeC:\Windows\system32\Gqkqbe32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe49⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Hmdnme32.exeC:\Windows\system32\Hmdnme32.exe50⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Hjhofj32.exeC:\Windows\system32\Hjhofj32.exe51⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe52⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe53⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hnomkloi.exeC:\Windows\system32\Hnomkloi.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Ieiegf32.exeC:\Windows\system32\Ieiegf32.exe55⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe56⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Incgfl32.exeC:\Windows\system32\Incgfl32.exe57⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe58⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Iadphghe.exeC:\Windows\system32\Iadphghe.exe59⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe60⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ifceemdj.exeC:\Windows\system32\Ifceemdj.exe61⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe62⤵
- Executes dropped EXE
PID:424 -
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe63⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Jlegic32.exeC:\Windows\system32\Jlegic32.exe64⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Jmhpfl32.exeC:\Windows\system32\Jmhpfl32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Jjlqpp32.exeC:\Windows\system32\Jjlqpp32.exe66⤵PID:1484
-
C:\Windows\SysWOW64\Khpaidpk.exeC:\Windows\system32\Khpaidpk.exe67⤵PID:1368
-
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe68⤵PID:1016
-
C:\Windows\SysWOW64\Mjofanld.exeC:\Windows\system32\Mjofanld.exe69⤵PID:2192
-
C:\Windows\SysWOW64\Nkhhie32.exeC:\Windows\system32\Nkhhie32.exe70⤵PID:2056
-
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe71⤵PID:1792
-
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe72⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Njobpa32.exeC:\Windows\system32\Njobpa32.exe73⤵PID:2648
-
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe74⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe75⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Nbmcjc32.exeC:\Windows\system32\Nbmcjc32.exe76⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe77⤵PID:2376
-
C:\Windows\SysWOW64\Oinbglkm.exeC:\Windows\system32\Oinbglkm.exe78⤵PID:2712
-
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe79⤵PID:1264
-
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe80⤵PID:3052
-
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe81⤵PID:2264
-
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe82⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe83⤵PID:2516
-
C:\Windows\SysWOW64\Pmgnan32.exeC:\Windows\system32\Pmgnan32.exe84⤵PID:2588
-
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe85⤵PID:1560
-
C:\Windows\SysWOW64\Phckglbq.exeC:\Windows\system32\Phckglbq.exe86⤵PID:1712
-
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe87⤵PID:872
-
C:\Windows\SysWOW64\Qkcdigpa.exeC:\Windows\system32\Qkcdigpa.exe88⤵PID:2740
-
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe89⤵PID:2164
-
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe90⤵PID:1796
-
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Akjjifji.exeC:\Windows\system32\Akjjifji.exe92⤵PID:2328
-
C:\Windows\SysWOW64\Ajpgkb32.exeC:\Windows\system32\Ajpgkb32.exe93⤵PID:2700
-
C:\Windows\SysWOW64\Apllml32.exeC:\Windows\system32\Apllml32.exe94⤵PID:640
-
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe95⤵PID:2040
-
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe96⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe97⤵PID:2392
-
C:\Windows\SysWOW64\Bnicddki.exeC:\Windows\system32\Bnicddki.exe98⤵PID:1040
-
C:\Windows\SysWOW64\Bgagnjbi.exeC:\Windows\system32\Bgagnjbi.exe99⤵PID:1864
-
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe100⤵PID:2360
-
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe101⤵PID:1256
-
C:\Windows\SysWOW64\Cmbiap32.exeC:\Windows\system32\Cmbiap32.exe102⤵PID:2100
-
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe104⤵PID:3040
-
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Cohlnkeg.exeC:\Windows\system32\Cohlnkeg.exe106⤵PID:2456
-
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe107⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Dpmeij32.exeC:\Windows\system32\Dpmeij32.exe108⤵PID:2484
-
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe109⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Djibogkn.exeC:\Windows\system32\Djibogkn.exe111⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Denglpkc.exeC:\Windows\system32\Denglpkc.exe112⤵PID:2024
-
C:\Windows\SysWOW64\Emilqb32.exeC:\Windows\system32\Emilqb32.exe113⤵PID:912
-
C:\Windows\SysWOW64\Eiplecnc.exeC:\Windows\system32\Eiplecnc.exe114⤵PID:2000
-
C:\Windows\SysWOW64\Ebhani32.exeC:\Windows\system32\Ebhani32.exe115⤵PID:1724
-
C:\Windows\SysWOW64\Epmahmcm.exeC:\Windows\system32\Epmahmcm.exe116⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe117⤵PID:2688
-
C:\Windows\SysWOW64\Eoanij32.exeC:\Windows\system32\Eoanij32.exe118⤵PID:1616
-
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe119⤵PID:1976
-
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe120⤵PID:1740
-
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe121⤵PID:2400
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-