Analysis
max time kernel: 50s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-09-2024 12:33
Behavioral task behavioral1
Sample: Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe
Resource: win10v2004-20240802-en
General
Target: Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe
Size: 337KB
MD5: e7535a5bf45492fceb86529a7fc9262d
SHA1: 3794cd79ac81a757a3a5472425d636d09542bf82
SHA256: f786169ec6bf76ccf3ae7e231f5721926d668e8162a3772adb4d60edf27ed4e7
SHA512: d19ccb540b28a04bc15b69686a14603c2cabeb5308012e7af42ad05c264584849e10d030604306dfaff553ca292345e873b9a1cf9a1221c9024761c0cc4692ab
SSDEEP: 3072:3Sst4XV4aNygYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:3r4XVJy1+fIyG5jZkCwi8r
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, so the value "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738} written here is the persistence hook; the CLSID itself is registered under "Modifies registry class" below, where its InProcServer32 default value names the dropped DLL that Explorer will load. Every generation of the dropped chain rewrites the same value with the same CLSID.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jokccnci.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deegjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmgoqg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pofqhdnd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afgoem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miekhd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kncmknkg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqiohh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gceghn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkkcmqcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pboihm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opgjfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pplcabif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jflfbdqe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loicnemp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hidledja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ieepad32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Donlcdgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkqlodpk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Megmpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjcgdojn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjdqbbkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mipjbokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhhdiknb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kncmknkg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljogknmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnodob32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfnomgqe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efdohq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glmckikf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enmplm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcajpjoi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipkkhckl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epamlegl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onacgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Megkgpaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epmdljal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anmcdjmn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddgcdjip.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epamlegl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbllfmfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Doibhekc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qnkgnj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjdqbbkp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijeinphf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmmpfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neojknfh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foencfda.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llagegfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlddbgai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hleegpgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdkkkqlk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqeqhlii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akahokho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeecibci.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koaohila.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bndfclia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkhmkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klinmg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpliac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjkpjkni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhbbkahk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njeikpij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bciohe32.exe
Executes dropped EXE (64 IoCs)
pid | process
2356 | Cpadpg32.exe
2248 | Cjiiim32.exe
2732 | Ccamabgg.exe
2264 | Dpenkgfq.exe
2612 | Djnbdlla.exe
2588 | Dokjlcjh.exe
952 | Ddgcdjip.exe
2420 | Dnpgmp32.exe
1236 | Dndahokk.exe
2560 | Ekiaac32.exe
2872 | Ecdffe32.exe
1744 | Emlkoknp.exe
2128 | Efdohq32.exe
2392 | Epmcqf32.exe
1632 | Eiehilaa.exe
108 | Efihcpqk.exe
696 | Epamlegl.exe
1052 | Fijadk32.exe
2348 | Fbbfmqdm.exe
832 | Flkjffkm.exe
1800 | Fcfojhhh.exe
2504 | Fdhlphff.exe
1388 | Fpoleilj.exe
628 | Fjdqbbkp.exe
1496 | Gpaikiig.exe
2160 | Gjgmhaim.exe
1604 | Gdobqgpn.exe
2608 | Gmhfjm32.exe
2648 | Gbdobc32.exe
2244 | Glmckikf.exe
1324 | Gajlcp32.exe
2864 | Gonlld32.exe
612 | Hopibdfd.exe
2168 | Hejaon32.exe
1664 | Hmefcp32.exe
776 | Hhkjpi32.exe
1528 | Hpfoekhm.exe
1260 | Hkkcbdhc.exe
2084 | Hphljkfk.exe
2372 | Ilolol32.exe
2936 | Ijcmipjh.exe
1940 | Iopeagip.exe
2756 | Ijeinphf.exe
1740 | Iobbfggm.exe
1908 | Ihjfolmn.exe
2476 | Iodolf32.exe
1160 | Ifngiqlg.exe
2640 | Ikkoagjo.exe
1540 | Ibehna32.exe
2968 | Jgbpfhpc.exe
2404 | Jnlhbb32.exe
2296 | Jciaki32.exe
1304 | Jjcigcmd.exe
1716 | Jdhmel32.exe
1856 | Jnqanbcj.exe
2280 | Jobnej32.exe
1640 | Jflfbdqe.exe
1780 | Jqakompl.exe
2860 | Jkklpk32.exe
2600 | Mlfgkleh.exe
2432 | Mojmbg32.exe
2452 | Miekhd32.exe
2568 | Ncnoaj32.exe
2520 | Nmccnc32.exe
Loads dropped DLL (64 IoCs)
Each PID below appears twice in the report (two DLL load events per process); listed once here.
pid | process
904 | Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe
2356 | Cpadpg32.exe
2248 | Cjiiim32.exe
2732 | Ccamabgg.exe
2264 | Dpenkgfq.exe
2612 | Djnbdlla.exe
2588 | Dokjlcjh.exe
952 | Ddgcdjip.exe
2420 | Dnpgmp32.exe
1236 | Dndahokk.exe
2560 | Ekiaac32.exe
2872 | Ecdffe32.exe
1744 | Emlkoknp.exe
2128 | Efdohq32.exe
2392 | Epmcqf32.exe
1632 | Eiehilaa.exe
108 | Efihcpqk.exe
696 | Epamlegl.exe
1052 | Fijadk32.exe
2348 | Fbbfmqdm.exe
832 | Flkjffkm.exe
1800 | Fcfojhhh.exe
2504 | Fdhlphff.exe
1388 | Fpoleilj.exe
628 | Fjdqbbkp.exe
1496 | Gpaikiig.exe
2160 | Gjgmhaim.exe
1604 | Gdobqgpn.exe
2608 | Gmhfjm32.exe
2648 | Gbdobc32.exe
2244 | Glmckikf.exe
1324 | Gajlcp32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Lhdfec32.exe | Lgcjmkcd.exe
File created | C:\Windows\SysWOW64\Kjeemh32.dll | Meonlkcm.exe
File opened for modification | C:\Windows\SysWOW64\Ipcjlaqd.exe | Iiiapg32.exe
File created | C:\Windows\SysWOW64\Nieffgok.exe | Npmana32.exe
File created | C:\Windows\SysWOW64\Hnanceem.exe | Hggegknp.exe
File created | C:\Windows\SysWOW64\Kgoief32.exe | Jqeqhlii.exe
File created | C:\Windows\SysWOW64\Ehbdif32.exe | Enmplm32.exe
File opened for modification | C:\Windows\SysWOW64\Idlgohcl.exe | Iegjnkod.exe
File created | C:\Windows\SysWOW64\Iidajaiq.exe | Hgnkgjgh.exe
File created | C:\Windows\SysWOW64\Dmllanbg.dll | Naeigf32.exe
File created | C:\Windows\SysWOW64\Anigaeoh.exe | Acdcdm32.exe
File created | C:\Windows\SysWOW64\Igdnbm32.dll | Bkdclgpl.exe
File opened for modification | C:\Windows\SysWOW64\Godjaj32.exe | Ghkbepop.exe
File created | C:\Windows\SysWOW64\Dcbgef32.dll | Lgcjmkcd.exe
File opened for modification | C:\Windows\SysWOW64\Docjpa32.exe | Dclikp32.exe
File opened for modification | C:\Windows\SysWOW64\Qokjcc32.exe | Qhabfibb.exe
File opened for modification | C:\Windows\SysWOW64\Nmdhpd32.exe | Nfjpcjhe.exe
File opened for modification | C:\Windows\SysWOW64\Miekhd32.exe | Mojmbg32.exe
File created | C:\Windows\SysWOW64\Qqfnpq32.dll | Llkijb32.exe
File opened for modification | C:\Windows\SysWOW64\Pibkdhbi.exe | Pbhcgn32.exe
File created | C:\Windows\SysWOW64\Dpnioi32.dll | Ijcmipjh.exe
File created | C:\Windows\SysWOW64\Plnhbk32.exe | Oecpeqdo.exe
File opened for modification | C:\Windows\SysWOW64\Gepjgaid.exe | Gnfajgbg.exe
File created | C:\Windows\SysWOW64\Hpfndjil.dll | Dhimaill.exe
File opened for modification | C:\Windows\SysWOW64\Baoahf32.exe | Boadlk32.exe
File created | C:\Windows\SysWOW64\Gnahoh32.exe | Gmqlgppo.exe
File opened for modification | C:\Windows\SysWOW64\Ohjhlqbc.exe | Omddohbm.exe
File opened for modification | C:\Windows\SysWOW64\Pekhohfk.exe | Ppnpfagc.exe
File opened for modification | C:\Windows\SysWOW64\Anigaeoh.exe | Acdcdm32.exe
File created | C:\Windows\SysWOW64\Obnbajho.dll | Odiagj32.exe
File created | C:\Windows\SysWOW64\Jmepmj32.dll | Memagk32.exe
File opened for modification | C:\Windows\SysWOW64\Kgienc32.exe | Kbllfmfc.exe
File created | C:\Windows\SysWOW64\Anciif32.dll | Mafoal32.exe
File created | C:\Windows\SysWOW64\Qpcgkfno.dll | Kdkkkqlk.exe
File opened for modification | C:\Windows\SysWOW64\Ilianckh.exe | Ieoiai32.exe
File created | C:\Windows\SysWOW64\Pmbaklha.dll | Cjpgnbol.exe
File opened for modification | C:\Windows\SysWOW64\Jpboan32.exe | Jihgdd32.exe
File opened for modification | C:\Windows\SysWOW64\Kfiajj32.exe | Kpliac32.exe
File created | C:\Windows\SysWOW64\Jbpcgo32.exe | Jhgonj32.exe
File created | C:\Windows\SysWOW64\Jfoeqmfg.exe | Jlfahgpf.exe
File created | C:\Windows\SysWOW64\Nmglpjak.exe | Nhjcgccc.exe
File opened for modification | C:\Windows\SysWOW64\Bijakkmc.exe | Bbpioa32.exe
File created | C:\Windows\SysWOW64\Jaohhcjh.dll | Bkocgape.exe
File opened for modification | C:\Windows\SysWOW64\Cfimnmoa.exe | Cnaempnp.exe
File opened for modification | C:\Windows\SysWOW64\Amalcd32.exe | Qcigjolm.exe
File created | C:\Windows\SysWOW64\Daocjoig.dll | Kigkmmql.exe
File created | C:\Windows\SysWOW64\Jokbkn32.dll | Emlkoknp.exe
File created | C:\Windows\SysWOW64\Boqjdl32.dll | Mbdepe32.exe
File opened for modification | C:\Windows\SysWOW64\Ipkkhckl.exe | Iiablido.exe
File created | C:\Windows\SysWOW64\Jdklcebk.exe | Jlddbgai.exe
File created | C:\Windows\SysWOW64\Omdbfo32.exe | Ogjjie32.exe
File created | C:\Windows\SysWOW64\Kckbchmg.dll | Naqkki32.exe
File created | C:\Windows\SysWOW64\Afebpmal.exe | Qokjcc32.exe
File created | C:\Windows\SysWOW64\Bijakkmc.exe | Bbpioa32.exe
File opened for modification | C:\Windows\SysWOW64\Ghndjd32.exe | Ejcaanfg.exe
File created | C:\Windows\SysWOW64\Fmakdkle.dll | Pekhohfk.exe
File created | C:\Windows\SysWOW64\Acoegp32.exe | Alemjfpc.exe
File opened for modification | C:\Windows\SysWOW64\Bkocgape.exe | Bfbknkbn.exe
File created | C:\Windows\SysWOW64\Dolondiq.exe | Deckeo32.exe
File created | C:\Windows\SysWOW64\Nmgbmq32.dll | Cpadpg32.exe
File created | C:\Windows\SysWOW64\Iklchphj.dll | Fdhlphff.exe
File created | C:\Windows\SysWOW64\Ehlolh32.dll | Jnlhbb32.exe
File created | C:\Windows\SysWOW64\Bfjhippb.exe | Bkdclgpl.exe
File created | C:\Windows\SysWOW64\Cjiiim32.exe | Cpadpg32.exe
Program crash (1 IoC)
pid | pid_target | process | procid_target
8988 | 2032 | WerFault.exe | 868
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes:
Jobnej32.exe
Nmccnc32.exe
Ognakk32.exe
Jlfahgpf.exe
Nfoinj32.exe
Oamcjgmi.exe
Hpfoekhm.exe
Jhebij32.exe
Inkgdjqn.exe
Kedaddif.exe
Iobbfggm.exe
Kfflal32.exe
Oijbkpqm.exe
Megmpi32.exe
Foencfda.exe
Jkpkepnn.exe
Jebojh32.exe
Nfhcmkkg.exe
Bkheal32.exe
Kpoegc32.exe
Qnkgnj32.exe
Knmjmodm.exe
Pneiaidn.exe
Khonbhch.exe
Ggofcmih.exe
Npmana32.exe
Feofpqkn.exe
Lgqmhk32.exe
Bfbknkbn.exe
Jnlhbb32.exe
Bnfbilgo.exe
Bpdnjb32.exe
Amjkgbhe.exe
Gqgjlb32.exe
Akbkhd32.exe
Fgbpmh32.exe
Pbjpmmij.exe
Onacgf32.exe
Koifob32.exe
Gajlcp32.exe
Ohdkop32.exe
Jcjffc32.exe
Ldpdfp32.exe
Cpadpg32.exe
Bdnnpf32.exe
Bfojhngl.exe
Acdcdm32.exe
Mdjnge32.exe
Jmoijc32.exe
Aahdmanl.exe
Noepfkgh.exe
Konpjafp.exe
Hbomdjoo.exe
Cnifia32.exe
Aohbaq32.exe
Gdobqgpn.exe
Gqbaqccn.exe
Kfgedkko.exe
Nmlekj32.exe
Ddgcdjip.exe
Jhjldiln.exe
Nanlla32.exe
Mncijanc.exe
Mbabpodi.exe
Modifies registry class (64 IoCs)
These rows register the COM server behind the ShellServiceObjectDelayLoad entry above: the InProcServer32 default value of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is repointed by each generation at the DLL it just dropped into SysWow64 (compare Jmepmj32.dll written by Memagk32.exe and Qqfnpq32.dll written by Llkijb32.exe under "Drops file in System32 directory"), with ThreadingModel = "Apartment". The CLSID and the value name stay fixed while the DLL name changes, so they are the stable indicators to hunt on.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmloeec.dll" | Fffckf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addgcj32.dll" | Iikneggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neghha32.dll" | Ielllj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idjlbqmb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjdqbbkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpgfhg32.dll" | Onacgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbqfb32.dll" | Enmplm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfobndnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opgjfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnaempnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmhfjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qjofljho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhgonj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgfbfkh.dll" | Bbpioa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafmnjko.dll" | Cbhhbojn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikochhm.dll" | Hopibdfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ainllp32.dll" | Ddgljced.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeglfneh.dll" | Pcajpjoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmepmj32.dll" | Memagk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Negffbdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anppiikk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijeinphf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmijmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkgnai32.dll" | Ofbgbaio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iiiapg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhonnbag.dll" | Nieffgok.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lgcjmkcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epmcqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdhmel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjjblih.dll" | Ccmdbg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kedaddif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofbnd32.dll" | Lqiohh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obhdpaqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgobdm32.dll" | Omfadgqj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hopibdfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfhghgie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mipjbokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfoeqmfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjgmhaim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enjcfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajladp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Acoegp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnaaj32.dll" | Inmdjjok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhhkkbe.dll" | Eeecibci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adjhfcbh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khlkba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dolondiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djjeji32.dll" | Ieoiai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pekolc32.dll" | Injnfl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkkkgkla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfnpq32.dll" | Llkijb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafhafjm.dll" | Lbffga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqakem32.dll" | Mlogojjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ggfgoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmnkn32.dll" | Mjkpjkni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeffak32.dll" | Ecggmfde.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpdnjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cocnanmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnpjadd.dll" | Cnaempnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljljenoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahnhhpq.dll" | Nbqnobge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkbna32.dll" | Bcfbbe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Piipibff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pikmob32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe"C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_e7535a5bf45492fceb86529a7fc9262d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Dpenkgfq.exeC:\Windows\system32\Dpenkgfq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Djnbdlla.exeC:\Windows\system32\Djnbdlla.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Dokjlcjh.exeC:\Windows\system32\Dokjlcjh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ddgcdjip.exeC:\Windows\system32\Ddgcdjip.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Dnpgmp32.exeC:\Windows\system32\Dnpgmp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Dndahokk.exeC:\Windows\system32\Dndahokk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Ekiaac32.exeC:\Windows\system32\Ekiaac32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Ecdffe32.exeC:\Windows\system32\Ecdffe32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Emlkoknp.exeC:\Windows\system32\Emlkoknp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Eiehilaa.exeC:\Windows\system32\Eiehilaa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Efihcpqk.exeC:\Windows\system32\Efihcpqk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Epamlegl.exeC:\Windows\system32\Epamlegl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Flkjffkm.exeC:\Windows\system32\Flkjffkm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Fcfojhhh.exeC:\Windows\system32\Fcfojhhh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Fpoleilj.exeC:\Windows\system32\Fpoleilj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Fjdqbbkp.exeC:\Windows\system32\Fjdqbbkp.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Gpaikiig.exeC:\Windows\system32\Gpaikiig.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Gjgmhaim.exeC:\Windows\system32\Gjgmhaim.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Gdobqgpn.exeC:\Windows\system32\Gdobqgpn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Gmhfjm32.exeC:\Windows\system32\Gmhfjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Gbdobc32.exeC:\Windows\system32\Gbdobc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Gajlcp32.exeC:\Windows\system32\Gajlcp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\Gonlld32.exeC:\Windows\system32\Gonlld32.exe33⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Hejaon32.exeC:\Windows\system32\Hejaon32.exe35⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hmefcp32.exeC:\Windows\system32\Hmefcp32.exe36⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Hhkjpi32.exeC:\Windows\system32\Hhkjpi32.exe37⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Hkkcbdhc.exeC:\Windows\system32\Hkkcbdhc.exe39⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe40⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Ilolol32.exeC:\Windows\system32\Ilolol32.exe41⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Iopeagip.exeC:\Windows\system32\Iopeagip.exe43⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ijeinphf.exeC:\Windows\system32\Ijeinphf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Ihjfolmn.exeC:\Windows\system32\Ihjfolmn.exe46⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Iodolf32.exeC:\Windows\system32\Iodolf32.exe47⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe48⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Ikkoagjo.exeC:\Windows\system32\Ikkoagjo.exe49⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ibehna32.exeC:\Windows\system32\Ibehna32.exe50⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Jgbpfhpc.exeC:\Windows\system32\Jgbpfhpc.exe51⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Jnlhbb32.exeC:\Windows\system32\Jnlhbb32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe53⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe54⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Jnqanbcj.exeC:\Windows\system32\Jnqanbcj.exe56⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Jobnej32.exeC:\Windows\system32\Jobnej32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Jflfbdqe.exeC:\Windows\system32\Jflfbdqe.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Jqakompl.exeC:\Windows\system32\Jqakompl.exe59⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe60⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe61⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Miekhd32.exeC:\Windows\system32\Miekhd32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Ncnoaj32.exeC:\Windows\system32\Ncnoaj32.exe64⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe66⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe67⤵PID:2904
-
C:\Windows\SysWOW64\Naeigf32.exeC:\Windows\system32\Naeigf32.exe68⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe69⤵PID:2812
-
C:\Windows\SysWOW64\Nahemf32.exeC:\Windows\system32\Nahemf32.exe70⤵PID:772
-
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe71⤵PID:1500
-
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Ogigpllh.exeC:\Windows\system32\Ogigpllh.exe74⤵PID:3172
-
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe75⤵PID:3232
-
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe76⤵PID:3300
-
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe77⤵PID:3356
-
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe78⤵
- System Location Discovery: System Language Discovery
PID:3420 -
C:\Windows\SysWOW64\Oceaql32.exeC:\Windows\system32\Oceaql32.exe79⤵PID:3484
-
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe80⤵PID:3548
-
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe81⤵PID:3608
-
C:\Windows\SysWOW64\Pmpcoabe.exeC:\Windows\system32\Pmpcoabe.exe82⤵PID:3672
-
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe83⤵PID:3732
-
C:\Windows\SysWOW64\Pfhghgie.exeC:\Windows\system32\Pfhghgie.exe84⤵
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\Pmbpda32.exeC:\Windows\system32\Pmbpda32.exe85⤵PID:3848
-
C:\Windows\SysWOW64\Pncllifp.exeC:\Windows\system32\Pncllifp.exe86⤵PID:3912
-
C:\Windows\SysWOW64\Piipibff.exeC:\Windows\system32\Piipibff.exe87⤵
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Pneiaidn.exeC:\Windows\system32\Pneiaidn.exe88⤵
- System Location Discovery: System Language Discovery
PID:4028 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe89⤵
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Pgpjpnhk.exeC:\Windows\system32\Pgpjpnhk.exe90⤵PID:3100
-
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe91⤵
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe92⤵PID:3244
-
C:\Windows\SysWOW64\Qnlobhne.exeC:\Windows\system32\Qnlobhne.exe93⤵PID:3316
-
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe94⤵
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe95⤵PID:3452
-
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe96⤵PID:3532
-
C:\Windows\SysWOW64\Algida32.exeC:\Windows\system32\Algida32.exe97⤵PID:3592
-
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe98⤵PID:3664
-
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe99⤵PID:3772
-
C:\Windows\SysWOW64\Apgnpo32.exeC:\Windows\system32\Apgnpo32.exe100⤵PID:3804
-
C:\Windows\SysWOW64\Aahkhgag.exeC:\Windows\system32\Aahkhgag.exe101⤵PID:3892
-
C:\Windows\SysWOW64\Alnoepam.exeC:\Windows\system32\Alnoepam.exe102⤵PID:3948
-
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe103⤵PID:4040
-
C:\Windows\SysWOW64\Bmahbhei.exeC:\Windows\system32\Bmahbhei.exe104⤵PID:3076
-
C:\Windows\SysWOW64\Bdkpob32.exeC:\Windows\system32\Bdkpob32.exe105⤵PID:3184
-
C:\Windows\SysWOW64\Boadlk32.exeC:\Windows\system32\Boadlk32.exe106⤵
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Baoahf32.exeC:\Windows\system32\Baoahf32.exe107⤵PID:3368
-
C:\Windows\SysWOW64\Bkheal32.exeC:\Windows\system32\Bkheal32.exe108⤵
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\SysWOW64\Bpdnjb32.exeC:\Windows\system32\Bpdnjb32.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Bfoffmhd.exeC:\Windows\system32\Bfoffmhd.exe110⤵PID:3644
-
C:\Windows\SysWOW64\Bmhncg32.exeC:\Windows\system32\Bmhncg32.exe111⤵PID:2928
-
C:\Windows\SysWOW64\Bdbfpafn.exeC:\Windows\system32\Bdbfpafn.exe112⤵PID:3824
-
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe113⤵PID:3932
-
C:\Windows\SysWOW64\Cpigeblb.exeC:\Windows\system32\Cpigeblb.exe114⤵PID:4044
-
C:\Windows\SysWOW64\Cgcoal32.exeC:\Windows\system32\Cgcoal32.exe115⤵PID:3120
-
C:\Windows\SysWOW64\Chdlidjm.exeC:\Windows\system32\Chdlidjm.exe116⤵PID:3212
-
C:\Windows\SysWOW64\Ccjpfmic.exeC:\Windows\system32\Ccjpfmic.exe117⤵PID:3328
-
C:\Windows\SysWOW64\Ckeekp32.exeC:\Windows\system32\Ckeekp32.exe118⤵PID:3428
-
C:\Windows\SysWOW64\Caomgjnk.exeC:\Windows\system32\Caomgjnk.exe119⤵PID:3604
-
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe120⤵
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Chkbjc32.exeC:\Windows\system32\Chkbjc32.exe121⤵PID:3820
-
C:\Windows\SysWOW64\Cnhjbjam.exeC:\Windows\system32\Cnhjbjam.exe122⤵PID:3908