Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 12:33
Static task: static1
Behavioral task: behavioral1
  Sample: Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe
  Resource: win10v2004-20240802-en
General
Target: Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe
Size: 2.3MB
MD5: c954a2be53cf02745a7a5a8baaaaaab9
SHA1: 1f3f718c9970faa1209827e6ca476e7163ba605e
SHA256: ecd759971e863b9b82b61e45d33df1d2c9f0976e33083d3b1c94d703d6c1d7e7
SHA512: a5cec1159084185d6d82fb7be9896f8e82505b2f25df047665e315f35f806dcf6fb51e6930e602f18786ea6108146bc6625a92d095c7f864a7cbb342ab62a921
SSDEEP: 3072:GPfuuQvlOZ0I/I0Q5OPIN+/cuTQ2TgRX7Jg3A9z:G/QvlOZVgp54tRo7KA9z
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 10456, pid_target: 10368, Process: WerFault.exe, procid_target: 499
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Begnpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edddmhhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhoii32.dll" Hkmbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgamjb32.dll" Jjlkpgdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadanljg.dll" Pichdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofodiel.dll" Jnbfkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjlmblc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affhec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohdomc32.dll" Penbcqkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjedohjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emjefhmb.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgqogiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipcfmm32.dll" Ljlmln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dibcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcgplj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdafbbm.dll" Jpcomkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okiepnoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcimnbac.dll" Pkddllem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niipebej.dll" Bhinlned.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockocphi.dll" Bklcci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alanmn32.dll" Ephabclf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmakfggj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkamid32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpnfak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnabgcca.dll" Cjgnbedb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmdnice.dll" Leddjmcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnabnafk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obigalfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acpfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmddffkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdhaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiblfbmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echgnaqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chndbo32.dll" Coplpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoenbmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Aobcgdna.dll" Cgmkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pchfbd32.dll" Dcdkfjfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggjpqpcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pajcngpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bknpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ociamn32.dll" Fpldbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmegcmh.dll" Odeccoll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhombg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglnooho.dll" Ciogiagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdjfnhh.dll" Dcieaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjdnnfn.dll" Gbicjlkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbqikkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Afkdhbbe.dll" Kkmmec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bogija32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikpfj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbkkpnbd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifhmfqo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkieho32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidlomma.dll" Akpmmdgd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjepfi32.dll" Hkcahfla.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikmdnecf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjgph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbhkbj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdkgbg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njdbna32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaoeaom.dll" Qkgaalcj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeqopah.dll" Affhec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahddao32.exe
-
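The registry events above only make sense when read together: the ShellServiceObjectDelayLoad value names a CLSID, and the CLSID's InProcServer32 default value names the DLL that Explorer will load at logon. Each dropped stage rewrites that default to its own freshly dropped DLL, so the same CLSID ends up pointing at many different files over the run. The following script is an added triage helper, not part of the sandbox report or of the sample: it parses event lines in the report's own "operation key[\value = "data"] process" layout, joins the SSODL value to the CLSID server key, and lists which DLL paths and which processes touched it. The sample lines are re-typed from the events above in that format; the SSODL line is constructed in the same shape, and the count-based flags are a heuristic of this example, not a rule from the report.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from sandbox registry events.

Added triage helper, not part of the sandbox report. Input lines follow the
report's layout:  <operation> <key>[\\<value> = "<data>"] <process>
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
OPERATIONS = ("Set value (str)", "Key created")

# Sample input: re-typed from the report's events; the SSODL line is constructed
# in the same format so that the join below has something to resolve.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbadakjf.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikpfj32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bogija32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidlomma.dll" Akpmmdgd.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjepfi32.dll" Hkcahfla.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaoeaom.dll" Qkgaalcj.exe',
]


@dataclass
class RegEvent:
    op: str
    key: str                 # key path without the value name
    value: Optional[str]     # value name; "" is the (Default) value; None for key operations
    data: Optional[str]
    process: str


@dataclass
class SsodlFinding:
    name: str                # SSODL value name Explorer will enumerate
    clsid: str               # CLSID that value points to
    dlls: list = field(default_factory=list)     # InProcServer32 defaults written for it
    writers: list = field(default_factory=list)  # processes that touched InProcServer32


def parse_event(line: str) -> Optional[RegEvent]:
    line = line.strip()
    op = next((o for o in OPERATIONS if line.startswith(o)), None)
    if op is None:
        return None
    rest = line[len(op):].strip()
    rest, _, process = rest.rpartition(" ")      # the process name is the last token
    data = None
    if " = " in rest:
        rest, _, data = rest.partition(" = ")
        # the report doubles backslashes inside quoted data; undo that
        data = data.strip().strip('"').replace("\\\\", "\\")
    if op == "Set value (str)":
        key, _, value = rest.rpartition("\\")    # a trailing "\" means the (Default) value
    else:
        key, value = rest, None
    return RegEvent(op, key, value, data, process)


def parse_events(lines) -> list:
    return [ev for ev in map(parse_event, lines) if ev is not None]


def resolve_ssodl(events) -> list:
    """Join SSODL value -> CLSID -> InProcServer32 defaults and the processes writing them."""
    ssodl = {}                     # value name -> CLSID
    dlls = defaultdict(set)        # CLSID -> DLL paths written as the server default
    writers = defaultdict(set)     # CLSID -> processes that created or set InProcServer32
    for ev in events:
        if ev.key.endswith("\\ShellServiceObjectDelayLoad") and ev.value:
            ssodl[ev.value] = ev.data
            continue
        m = CLSID_RE.search(ev.key)
        if m and ev.key.endswith("\\InProcServer32"):
            writers[m.group(0)].add(ev.process)
            if ev.value == "" and ev.data:
                dlls[m.group(0)].add(ev.data)
    return [SsodlFinding(name, clsid, sorted(dlls[clsid]), sorted(writers[clsid]))
            for name, clsid in ssodl.items()]


def triage_reasons(f: SsodlFinding) -> list:
    """Count-based heuristics only (this example's, not the report's); a single
    quiet SSODL entry still has to be compared against a clean baseline image."""
    reasons = []
    if len(f.dlls) > 1:
        reasons.append(f"InProcServer32 default rewritten to {len(f.dlls)} different DLLs")
    if len(f.writers) > 1:
        reasons.append(f"{len(f.writers)} distinct processes modified the CLSID server key")
    return reasons


if __name__ == "__main__":
    for f in resolve_ssodl(parse_events(SAMPLE_EVENTS)):
        print(f"SSODL '{f.name}' -> {f.clsid}")
        for dll in f.dlls:
            print("  loads:", dll)
        for reason in triage_reasons(f):
            print("  flag:", reason)
```

Run over the full event list of the report, the same join tells you every DLL name the CLSID has pointed at, which is the list of files to collect from SysWOW64 before reimaging. The keys live under WOW6432Node because the sample and its dropped stages are 32-bit, so a 32-bit Explorer view or an explicit WOW6432Node lookup is needed when checking a live host.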
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4528 wrote to memory of 4264 4528 Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe 83
PID 4528 wrote to memory of 4264 4528 Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe 83
PID 4528 wrote to memory of 4264 4528 Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe 83
PID 4264 wrote to memory of 3160 4264 Bqjpnqag.exe 85
PID 4264 wrote to memory of 3160 4264 Bqjpnqag.exe 85
PID 4264 wrote to memory of 3160 4264 Bqjpnqag.exe 85
PID 3160 wrote to memory of 2152 3160 Bchljlqk.exe 86
PID 3160 wrote to memory of 2152 3160 Bchljlqk.exe 86
PID 3160 wrote to memory of 2152 3160 Bchljlqk.exe 86
PID 2152 wrote to memory of 836 2152 Cjbdgf32.exe 88
PID 2152 wrote to memory of 836 2152 Cjbdgf32.exe 88
PID 2152 wrote to memory of 836 2152 Cjbdgf32.exe 88
PID 836 wrote to memory of 4956 836 Cckipl32.exe 89
PID 836 wrote to memory of 4956 836 Cckipl32.exe 89
PID 836 wrote to memory of 4956 836 Cckipl32.exe 89
PID 4956 wrote to memory of 1820 4956 Cigahb32.exe 91
PID 4956 wrote to memory of 1820 4956 Cigahb32.exe 91
PID 4956 wrote to memory of 1820 4956 Cigahb32.exe 91
PID 1820 wrote to memory of 1828 1820 Ccmeek32.exe 92
PID 1820 wrote to memory of 1828 1820 Ccmeek32.exe 92
PID 1820 wrote to memory of 1828 1820 Ccmeek32.exe 92
PID 1828 wrote to memory of 4104 1828 Cjgnbedb.exe 93
PID 1828 wrote to memory of 4104 1828 Cjgnbedb.exe 93
PID 1828 wrote to memory of 4104 1828 Cjgnbedb.exe 93
PID 4104 wrote to memory of 2640 4104 Caafop32.exe 94
PID 4104 wrote to memory of 2640 4104 Caafop32.exe 94
PID 4104 wrote to memory of 2640 4104 Caafop32.exe 94
PID 2640 wrote to memory of 4216 2640 Cgknlj32.exe 95
PID 2640 wrote to memory of 4216 2640 Cgknlj32.exe 95
PID 2640 wrote to memory of 4216 2640 Cgknlj32.exe 95
PID 4216 wrote to memory of 3376 4216 Cmhfdq32.exe 96
PID 4216 wrote to memory of 3376 4216 Cmhfdq32.exe 96
PID 4216 wrote to memory of 3376 4216 Cmhfdq32.exe 96
PID 3376 wrote to memory of 4696 3376 Cgmkai32.exe 97
PID 3376 wrote to memory of 4696 3376 Cgmkai32.exe 97
PID 3376 wrote to memory of 4696 3376 Cgmkai32.exe 97
PID 4696 wrote to memory of 2972 4696 Ciogiagg.exe 98
PID 4696 wrote to memory of 2972 4696 Ciogiagg.exe 98
PID 4696 wrote to memory of 2972 4696 Ciogiagg.exe 98
PID 2972 wrote to memory of 2276 2972 Dcdkfjfm.exe 99
PID 2972 wrote to memory of 2276 2972 Dcdkfjfm.exe 99
PID 2972 wrote to memory of 2276 2972 Dcdkfjfm.exe 99
PID 2276 wrote to memory of 4336 2276 Diadna32.exe 100
PID 2276 wrote to memory of 4336 2276 Diadna32.exe 100
PID 2276 wrote to memory of 4336 2276 Diadna32.exe 100
PID 4336 wrote to memory of 3672 4336 Dpklkkla.exe 101
PID 4336 wrote to memory of 3672 4336 Dpklkkla.exe 101
PID 4336 wrote to memory of 3672 4336 Dpklkkla.exe 101
PID 3672 wrote to memory of 4892 3672 Dicqda32.exe 102
PID 3672 wrote to memory of 4892 3672 Dicqda32.exe 102
PID 3672 wrote to memory of 4892 3672 Dicqda32.exe 102
PID 4892 wrote to memory of 2868 4892 Dcieaj32.exe 103
PID 4892 wrote to memory of 2868 4892 Dcieaj32.exe 103
PID 4892 wrote to memory of 2868 4892 Dcieaj32.exe 103
PID 2868 wrote to memory of 1304 2868 Dmaijo32.exe 104
PID 2868 wrote to memory of 1304 2868 Dmaijo32.exe 104
PID 2868 wrote to memory of 1304 2868 Dmaijo32.exe 104
PID 1304 wrote to memory of 2076 1304 Dhgngh32.exe 105
PID 1304 wrote to memory of 2076 1304 Dhgngh32.exe 105
PID 1304 wrote to memory of 2076 1304 Dhgngh32.exe 105
PID 2076 wrote to memory of 3496 2076 Ddnnlinc.exe 106
PID 2076 wrote to memory of 3496 2076 Ddnnlinc.exe 106
PID 2076 wrote to memory of 3496 2076 Ddnnlinc.exe 106
PID 3496 wrote to memory of 2732 3496 Dijgdpmj.exe 107
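The WriteProcessMemory rows are the fastest way to recover the execution chain: every stage writes exactly three times into the child it has just created, the child is the next dropped executable, and no stage ever writes into more than one child. The script below is an added example, not part of the report or of the sample, that rebuilds that chain from rows in the format above, deduplicating the repeated rows into per-edge write counts and refusing to emit a chain if any stage has more than one child or the graph has no single root. The sample rows are re-typed from the first entries above (the signature is capped at 64 IoCs, which is why the last edge shows a single write); the trailing integer is the report's procid_target column and is matched but not interpreted.

```python
"""Rebuild the spawn chain from "Suspicious use of WriteProcessMemory" rows.

Added triage helper, not part of the sandbox report. Each row has the shape
"PID <src> wrote to memory of <dst> <src> <process> <procid_target>".
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from typing import Optional

# The source PID appears twice per row; the backreference rejects rows where they differ.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)

# Sample input re-typed from the report's first rows (64-IoC cap truncates the last edge).
SAMPLE_ROWS = [
    "PID 4528 wrote to memory of 4264 4528 Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe 83",
    "PID 4528 wrote to memory of 4264 4528 Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe 83",
    "PID 4528 wrote to memory of 4264 4528 Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe 83",
    "PID 4264 wrote to memory of 3160 4264 Bqjpnqag.exe 85",
    "PID 4264 wrote to memory of 3160 4264 Bqjpnqag.exe 85",
    "PID 4264 wrote to memory of 3160 4264 Bqjpnqag.exe 85",
    "PID 3160 wrote to memory of 2152 3160 Bchljlqk.exe 86",
    "PID 3160 wrote to memory of 2152 3160 Bchljlqk.exe 86",
    "PID 3160 wrote to memory of 2152 3160 Bchljlqk.exe 86",
    "PID 2152 wrote to memory of 836 2152 Cjbdgf32.exe 88",
]


def parse_rows(lines) -> list:
    """Return (src_pid, dst_pid, src_process) per well-formed row; other lines are skipped."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["proc"]))
    return rows


def build_graph(rows):
    """Per-edge write counts, ordered child lists, and pid -> name (known for writers only)."""
    writes = Counter((s, d) for s, d, _ in rows)
    children = defaultdict(list)
    names = {}
    for s, d, proc in rows:
        names[s] = proc
        if d not in children[s]:
            children[s].append(d)
    return writes, children, names


def edge_count_histogram(rows) -> Counter:
    """How many edges carry 1, 2, 3 ... writes; a single bucket means a templated injector."""
    writes, _, _ = build_graph(rows)
    return Counter(writes.values())


def linear_chain(rows) -> Optional[list]:
    """Walk from the unique root; None if there is no single root, a stage has more than
    one child, or the edges form a cycle. The final child has no name in these rows."""
    _, children, names = build_graph(rows)
    targets = {d for _, d, _ in rows}
    roots = [s for s in children if s not in targets]
    if len(roots) != 1:
        return None
    chain, pid, seen = [], roots[0], set()
    while True:
        chain.append((pid, names.get(pid)))
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) > 1 or kids[0] in seen:
            return None
        seen.add(pid)
        pid = kids[0]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    chain = linear_chain(rows)
    if chain is None:
        print("graph branches or has no single root; inspect build_graph() output")
    else:
        for depth, (pid, name) in enumerate(chain):
            print("  " * depth + f"{pid} {name or '(name not in these rows)'}")
    print("writes per edge:", dict(edge_count_histogram(rows)))
```

Cross-checking the chain against the process tree below is the useful sanity test: the PIDs and names must line up stage for stage, and any stage that the tree shows spawning a child without a matching WriteProcessMemory edge would be the one to look at first, since it would mean the injection pattern changed.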
Processes
-
C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe"C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_c954a2be53cf02745a7a5a8baaaaaab9.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Bqjpnqag.exeC:\Windows\system32\Bqjpnqag.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Bchljlqk.exeC:\Windows\system32\Bchljlqk.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Cjbdgf32.exeC:\Windows\system32\Cjbdgf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Cckipl32.exeC:\Windows\system32\Cckipl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Cigahb32.exeC:\Windows\system32\Cigahb32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Ccmeek32.exeC:\Windows\system32\Ccmeek32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Cjgnbedb.exeC:\Windows\system32\Cjgnbedb.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Caafop32.exeC:\Windows\system32\Caafop32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Cgknlj32.exeC:\Windows\system32\Cgknlj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Cmhfdq32.exeC:\Windows\system32\Cmhfdq32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Cgmkai32.exeC:\Windows\system32\Cgmkai32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Ciogiagg.exeC:\Windows\system32\Ciogiagg.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Dcdkfjfm.exeC:\Windows\system32\Dcdkfjfm.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Diadna32.exeC:\Windows\system32\Diadna32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Dpklkkla.exeC:\Windows\system32\Dpklkkla.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Dicqda32.exeC:\Windows\system32\Dicqda32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Dcieaj32.exeC:\Windows\system32\Dcieaj32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Dmaijo32.exeC:\Windows\system32\Dmaijo32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Dhgngh32.exeC:\Windows\system32\Dhgngh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Ddnnlinc.exeC:\Windows\system32\Ddnnlinc.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Dijgdpmj.exeC:\Windows\system32\Dijgdpmj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Edddmhhk.exeC:\Windows\system32\Edddmhhk.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Edgabhfh.exeC:\Windows\system32\Edgabhfh.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Emoekm32.exeC:\Windows\system32\Emoekm32.exe25⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Ehejifmo.exeC:\Windows\system32\Ehejifmo.exe26⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Eiffpn32.exeC:\Windows\system32\Eiffpn32.exe27⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Fhgfnfjl.exeC:\Windows\system32\Fhgfnfjl.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Fpbkbhhg.exeC:\Windows\system32\Fpbkbhhg.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Fkhppa32.exeC:\Windows\system32\Fkhppa32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Fabhmkoj.exeC:\Windows\system32\Fabhmkoj.exe31⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Faddbkmg.exeC:\Windows\system32\Faddbkmg.exe32⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Fioifm32.exeC:\Windows\system32\Fioifm32.exe33⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Fhqiddba.exeC:\Windows\system32\Fhqiddba.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Gainmj32.exeC:\Windows\system32\Gainmj32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Ggffeagi.exeC:\Windows\system32\Ggffeagi.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Windows\SysWOW64\Gghckqef.exeC:\Windows\system32\Gghckqef.exe37⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Gifogldj.exeC:\Windows\system32\Gifogldj.exe38⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Ggjpqpcd.exeC:\Windows\system32\Ggjpqpcd.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Gndhmjjq.exeC:\Windows\system32\Gndhmjjq.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Gdnpjd32.exeC:\Windows\system32\Gdnpjd32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Gkhhgoij.exeC:\Windows\system32\Gkhhgoij.exe42⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ggoilp32.exeC:\Windows\system32\Ggoilp32.exe43⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Hpgnde32.exeC:\Windows\system32\Hpgnde32.exe44⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Hkmbbn32.exeC:\Windows\system32\Hkmbbn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4116 -
C:\Windows\SysWOW64\Hkoogn32.exeC:\Windows\system32\Hkoogn32.exe46⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Hkakmmap.exeC:\Windows\system32\Hkakmmap.exe47⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Hdjpfc32.exeC:\Windows\system32\Hdjpfc32.exe48⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Hnbdohnq.exeC:\Windows\system32\Hnbdohnq.exe49⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Hhhhla32.exeC:\Windows\system32\Hhhhla32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Windows\SysWOW64\Ijiecide.exeC:\Windows\system32\Ijiecide.exe51⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Ihjeaa32.exeC:\Windows\system32\Ihjeaa32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Ingnjh32.exeC:\Windows\system32\Ingnjh32.exe53⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Ihmbgqja.exeC:\Windows\system32\Ihmbgqja.exe54⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Igbohm32.exeC:\Windows\system32\Igbohm32.exe55⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ijbhjhlj.exeC:\Windows\system32\Ijbhjhlj.exe56⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Jjedohjg.exeC:\Windows\system32\Jjedohjg.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Jbllqejj.exeC:\Windows\system32\Jbllqejj.exe58⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Jjgaeg32.exeC:\Windows\system32\Jjgaeg32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Jkgnojog.exeC:\Windows\system32\Jkgnojog.exe60⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Jbqfld32.exeC:\Windows\system32\Jbqfld32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jhknhona.exeC:\Windows\system32\Jhknhona.exe62⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Jjlkpgdp.exeC:\Windows\system32\Jjlkpgdp.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Jdaompce.exeC:\Windows\system32\Jdaompce.exe64⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Jgpkikbi.exeC:\Windows\system32\Jgpkikbi.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Jqhpbq32.exeC:\Windows\system32\Jqhpbq32.exe66⤵PID:748
-
C:\Windows\SysWOW64\Jiogcn32.exeC:\Windows\system32\Jiogcn32.exe67⤵PID:3528
-
C:\Windows\SysWOW64\Kbhllc32.exeC:\Windows\system32\Kbhllc32.exe68⤵PID:2900
-
C:\Windows\SysWOW64\Kgdddj32.exeC:\Windows\system32\Kgdddj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Kggajj32.exeC:\Windows\system32\Kggajj32.exe70⤵PID:1664
-
C:\Windows\SysWOW64\Kblegblg.exeC:\Windows\system32\Kblegblg.exe71⤵
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Kglkeihl.exeC:\Windows\system32\Kglkeihl.exe72⤵PID:2600
-
C:\Windows\SysWOW64\Kbaobb32.exeC:\Windows\system32\Kbaobb32.exe73⤵PID:4944
-
C:\Windows\SysWOW64\Kikgolpo.exeC:\Windows\system32\Kikgolpo.exe74⤵PID:4192
-
C:\Windows\SysWOW64\Ljlcgd32.exeC:\Windows\system32\Ljlcgd32.exe75⤵PID:5140
-
C:\Windows\SysWOW64\Laflcomj.exeC:\Windows\system32\Laflcomj.exe76⤵PID:5180
-
C:\Windows\SysWOW64\Lgpdph32.exeC:\Windows\system32\Lgpdph32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Lnjlmblc.exeC:\Windows\system32\Lnjlmblc.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Leddjmcp.exeC:\Windows\system32\Leddjmcp.exe79⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Ljambcag.exeC:\Windows\system32\Ljambcag.exe80⤵
- System Location Discovery: System Language Discovery
PID:5344 -
C:\Windows\SysWOW64\Lefaolam.exeC:\Windows\system32\Lefaolam.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5388 -
C:\Windows\SysWOW64\Lnoehb32.exeC:\Windows\system32\Lnoehb32.exe82⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Lidjekgd.exeC:\Windows\system32\Lidjekgd.exe83⤵PID:5480
-
C:\Windows\SysWOW64\Lnabnafk.exeC:\Windows\system32\Lnabnafk.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Lekkjl32.exeC:\Windows\system32\Lekkjl32.exe85⤵PID:5568
-
C:\Windows\SysWOW64\Mhjgfg32.exeC:\Windows\system32\Mhjgfg32.exe86⤵PID:5612
-
C:\Windows\SysWOW64\Mabkomcl.exeC:\Windows\system32\Mabkomcl.exe87⤵PID:5656
-
C:\Windows\SysWOW64\Mhlclgji.exeC:\Windows\system32\Mhlclgji.exe88⤵PID:5700
-
C:\Windows\SysWOW64\Mnflia32.exeC:\Windows\system32\Mnflia32.exe89⤵PID:5744
-
C:\Windows\SysWOW64\Mikpfj32.exeC:\Windows\system32\Mikpfj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Mjmlnbgj.exeC:\Windows\system32\Mjmlnbgj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Magejl32.exeC:\Windows\system32\Magejl32.exe92⤵PID:5876
-
C:\Windows\SysWOW64\Mhqmgffd.exeC:\Windows\system32\Mhqmgffd.exe93⤵PID:5920
-
C:\Windows\SysWOW64\Mjoica32.exeC:\Windows\system32\Mjoica32.exe94⤵PID:5964
-
C:\Windows\SysWOW64\Maiaplmd.exeC:\Windows\system32\Maiaplmd.exe95⤵PID:6008
-
C:\Windows\SysWOW64\Mbhnjo32.exeC:\Windows\system32\Mbhnjo32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Nibfgikd.exeC:\Windows\system32\Nibfgikd.exe97⤵
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Windows\SysWOW64\Njdbna32.exeC:\Windows\system32\Njdbna32.exe98⤵
- Modifies registry class
PID:6140 -
C:\Windows\SysWOW64\Nbkkpnbd.exeC:\Windows\system32\Nbkkpnbd.exe99⤵
- Modifies registry class
PID:5204 -
C:\Windows\SysWOW64\Neigljah.exeC:\Windows\system32\Neigljah.exe100⤵PID:5272
-
C:\Windows\SysWOW64\Nlcohd32.exeC:\Windows\system32\Nlcohd32.exe101⤵PID:5372
-
C:\Windows\SysWOW64\Noakdo32.exeC:\Windows\system32\Noakdo32.exe102⤵PID:5440
-
C:\Windows\SysWOW64\Nelcaioe.exeC:\Windows\system32\Nelcaioe.exe103⤵PID:5520
-
C:\Windows\SysWOW64\Nlelnc32.exeC:\Windows\system32\Nlelnc32.exe104⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Nbpdkn32.exeC:\Windows\system32\Nbpdkn32.exe105⤵PID:5692
-
C:\Windows\SysWOW64\Niilghel.exeC:\Windows\system32\Niilghel.exe106⤵PID:5736
-
C:\Windows\SysWOW64\Nkkiop32.exeC:\Windows\system32\Nkkiop32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5796 -
C:\Windows\SysWOW64\Naealjbg.exeC:\Windows\system32\Naealjbg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5860 -
C:\Windows\SysWOW64\Nilimgci.exeC:\Windows\system32\Nilimgci.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5916 -
C:\Windows\SysWOW64\Nljeicbm.exeC:\Windows\system32\Nljeicbm.exe110⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Nbdmfmjj.exeC:\Windows\system32\Nbdmfmjj.exe111⤵
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Windows\SysWOW64\Oinfbg32.exeC:\Windows\system32\Oinfbg32.exe112⤵PID:6108
-
C:\Windows\SysWOW64\Olmbob32.exeC:\Windows\system32\Olmbob32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Obfjkmhg.exeC:\Windows\system32\Obfjkmhg.exe114⤵PID:5312
-
C:\Windows\SysWOW64\Oiqbhg32.exeC:\Windows\system32\Oiqbhg32.exe115⤵PID:5424
-
C:\Windows\SysWOW64\Oloodb32.exeC:\Windows\system32\Oloodb32.exe116⤵PID:5576
-
C:\Windows\SysWOW64\Obigalfd.exeC:\Windows\system32\Obigalfd.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Oegcmh32.exeC:\Windows\system32\Oegcmh32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780 -
C:\Windows\SysWOW64\Olakjble.exeC:\Windows\system32\Olakjble.exe119⤵PID:5896
-
C:\Windows\SysWOW64\Oopgfmki.exeC:\Windows\system32\Oopgfmki.exe120⤵
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\Oandbijl.exeC:\Windows\system32\Oandbijl.exe121⤵
- Drops file in System32 directory
PID:6072 -
C:\Windows\SysWOW64\Ohhloc32.exeC:\Windows\system32\Ohhloc32.exe122⤵
- System Location Discovery: System Language Discovery
PID:5172