Overview
overview
10Static
static
10virussign....b0.exe
windows7-x64
10virussign....b0.exe
windows10-2004-x64
10virussign....60.exe
windows7-x64
7virussign....60.exe
windows10-2004-x64
7virussign....40.exe
windows7-x64
7virussign....40.exe
windows10-2004-x64
7virussign....e0.exe
windows7-x64
7virussign....e0.exe
windows10-2004-x64
7virussign....00.exe
windows7-x64
10virussign....00.exe
windows10-2004-x64
10virussign....90.exe
windows7-x64
7virussign....90.exe
windows10-2004-x64
7virussign....40.exe
windows7-x64
7virussign....40.exe
windows10-2004-x64
7virussign....10.exe
windows7-x64
5virussign....10.exe
windows10-2004-x64
5virussign....60.exe
windows7-x64
7virussign....60.exe
windows10-2004-x64
7virussign....c0.exe
windows7-x64
10virussign....c0.exe
windows10-2004-x64
10virussign....d0.exe
windows7-x64
7virussign....d0.exe
windows10-2004-x64
7virussign....b0.exe
windows7-x64
10virussign....b0.exe
windows10-2004-x64
10virussign....10.exe
windows7-x64
7virussign....10.exe
windows10-2004-x64
7virussign....e0.exe
windows7-x64
7virussign....e0.exe
windows10-2004-x64
7virussign....20.exe
windows7-x64
7virussign....20.exe
windows10-2004-x64
7virussign....c0.exe
windows7-x64
7virussign....c0.exe
windows10-2004-x64
7Analysis
-
max time kernel
145s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2024 17:08
Behavioral task
behavioral1
Sample
virussign.com_b1d2087d1d88f80870106373da2011b0.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
virussign.com_b1d2087d1d88f80870106373da2011b0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral3
Sample
virussign.com_b4a073dab1d51b27d63f81649310ab60.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral4
Sample
virussign.com_b4a073dab1d51b27d63f81649310ab60.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral5
Sample
virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral6
Sample
virussign.com_b793dc2ed636fdaee1a701e05fde1640.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral7
Sample
virussign.com_ba1f70e629bc3e70fba35036be583ce0.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral8
Sample
virussign.com_ba1f70e629bc3e70fba35036be583ce0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral9
Sample
virussign.com_bcab6f30045483fd648d1924aba88b00.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral10
Sample
virussign.com_bcab6f30045483fd648d1924aba88b00.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral11
Sample
virussign.com_bf4239be7de1ad8dddc78d1aff0d6090.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral12
Sample
virussign.com_bf4239be7de1ad8dddc78d1aff0d6090.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral13
Sample
virussign.com_c251643a9964695966b3f7a545401440.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral14
Sample
virussign.com_c251643a9964695966b3f7a545401440.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral15
Sample
virussign.com_c3fa4d199e50171575cfa553fd205a10.exe
Resource
win7-20241010-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral16
Sample
virussign.com_c3fa4d199e50171575cfa553fd205a10.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral17
Sample
virussign.com_c527d92958bc1247a6471765e5449c60.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral18
Sample
virussign.com_c527d92958bc1247a6471765e5449c60.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral19
Sample
virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral20
Sample
virussign.com_c7d033cce29ec681f70bfb5f2ec867c0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral21
Sample
virussign.com_ca6b0e41f6273b8c6a022729b7a7efd0.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral22
Sample
virussign.com_ca6b0e41f6273b8c6a022729b7a7efd0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral23
Sample
virussign.com_ccf2dfc7e36c604f207bf823231b57b0.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral24
Sample
virussign.com_ccf2dfc7e36c604f207bf823231b57b0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
Behavioral task
behavioral25
Sample
virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral26
Sample
virussign.com_cf449b9fd99f5da93cbb91c84e64e710.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral27
Sample
virussign.com_d2157a5e0405795aa865f9264e231ee0.exe
Resource
win7-20240729-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral28
Sample
virussign.com_d2157a5e0405795aa865f9264e231ee0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral29
Sample
virussign.com_d4dd384ae38fed77098536c5b075c320.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral30
Sample
virussign.com_d4dd384ae38fed77098536c5b075c320.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral31
Sample
virussign.com_d7c1eea17ae01e04b622ede80b6732c0.exe
Resource
win7-20241023-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral32
Sample
virussign.com_d7c1eea17ae01e04b622ede80b6732c0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
virussign.com_b1d2087d1d88f80870106373da2011b0.exe
-
Size
872KB
-
MD5
b1d2087d1d88f80870106373da2011b0
-
SHA1
8b6c761cd06d8e8e025ce85d48f3e9dffb9b7bba
-
SHA256
1427b7aebb298e1f9e488982e3c6d22f53e23c185c0a33bfc6478679e72fdcbc
-
SHA512
86177f6c5c14caae72c1bb999f53567d519767bae056f6610e07ff76c034dbbffe06d9fae909bdb187828d7ed7d081568afe9fe718520333e86035bbbf1954af
-
SSDEEP
24576:RHDDHFh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:NDxbazR0v
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffjcopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogfcjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfcdnjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbfpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjmpkqqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kppici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngmpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohpkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbiniff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmijllo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccahbmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpojead.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iohejo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjmdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpeafcfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhhcomg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phajna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keifdpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfchidda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjaifp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbcgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlppno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpeaoih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlpqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemefcap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnoopdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlkgmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokdnjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnafno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjoppf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeddnp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3520 Dhhnpjmh.exe 2680 Dkifae32.exe 2940 Dfpgffpm.exe 2172 Edfdej32.exe 2280 Fggfnc32.exe 3020 Gglpibgm.exe 4772 Gaadfkgc.exe 2488 Gnkaalkd.exe 4692 Ggeboaob.exe 3716 Hheoid32.exe 4588 Hoadkn32.exe 3708 Hkhdqoac.exe 3668 Hdpiid32.exe 4324 Hkjafn32.exe 1064 Hfpecg32.exe 4496 Hgabkoee.exe 2776 Ifbbig32.exe 2340 Igcoqocb.exe 1616 Inmgmijo.exe 548 Idgojc32.exe 4668 Iomcgl32.exe 4972 Ibkpcg32.exe 2412 Ighhln32.exe 2164 Ibnligoc.exe 4360 Igjeanmj.exe 1048 Indmnh32.exe 4388 Igmagnkg.exe 2728 Jngjch32.exe 760 Jilnqqbj.exe 1204 Joffnk32.exe 4876 Jfpojead.exe 4112 Jgakbm32.exe 556 Jnkcogno.exe 4444 Jiaglp32.exe 1484 Jpkphjeb.exe 452 Jehhaaci.exe 2272 Jpmlnjco.exe 1420 Jejefqaf.exe 8 Kppici32.exe 5112 Kelalp32.exe 4936 Kpbfii32.exe 4636 Klifnj32.exe 3620 Kfnkkb32.exe 4884 Khpgckkb.exe 3436 Kpgodhkd.exe 2720 Kfqgab32.exe 4068 Klmpiiai.exe 396 Kfcdfbqo.exe 4408 Lhdqnj32.exe 3744 Lnnikdnj.exe 2788 Lidmhmnp.exe 2040 Lpneegel.exe 5016 Lfhnaa32.exe 4372 Lhijijbg.exe 4424 Locbfd32.exe 3684 Lemkcnaa.exe 4596 Llgcph32.exe 2584 Lbqklb32.exe 3428 Leoghn32.exe 2256 Llipehgk.exe 5040 Lbchba32.exe 1564 Mimpolee.exe 3472 Mpghkf32.exe 368 Mfaqhp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jfpojead.exe Joffnk32.exe File created C:\Windows\SysWOW64\Hhbkinel.exe Gahcmd32.exe File opened for modification C:\Windows\SysWOW64\Cdbfab32.exe Cofnik32.exe File opened for modification C:\Windows\SysWOW64\Hjlkge32.exe Hpdfnolo.exe File created C:\Windows\SysWOW64\Higjaoci.exe Hcmbee32.exe File created C:\Windows\SysWOW64\Kbjodaqj.dll Fiaael32.exe File opened for modification C:\Windows\SysWOW64\Ahgjejhd.exe Aanbhp32.exe File created C:\Windows\SysWOW64\Bgaclkia.dll Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Lnjgfb32.exe Lcdciiec.exe File created C:\Windows\SysWOW64\Oncelonn.dll Edbiniff.exe File created C:\Windows\SysWOW64\Dqiieebk.dll Kfcdfbqo.exe File created C:\Windows\SysWOW64\Ccchof32.exe Cmipblaq.exe File created C:\Windows\SysWOW64\Lndham32.exe Lgkpdcmi.exe File created C:\Windows\SysWOW64\Oekiqccc.exe Ooqqdi32.exe File opened for modification C:\Windows\SysWOW64\Kefiopki.exe Klndfj32.exe File created C:\Windows\SysWOW64\Noppeaed.exe Nhegig32.exe File created C:\Windows\SysWOW64\Hlpihhpj.dll Hnibokbd.exe File created C:\Windows\SysWOW64\Icahfh32.dll Kqpoakco.exe File opened for modification C:\Windows\SysWOW64\Dkhnjk32.exe Dflfac32.exe File opened for modification C:\Windows\SysWOW64\Ifomll32.exe Iohejo32.exe File created C:\Windows\SysWOW64\Ojdgnn32.exe Opnbae32.exe File created C:\Windows\SysWOW64\Hmbphg32.exe Hpnoncim.exe File created C:\Windows\SysWOW64\Jcknij32.dll Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Enpfan32.exe Eqlfhjig.exe File created C:\Windows\SysWOW64\Pmkofa32.exe Pfagighf.exe File created C:\Windows\SysWOW64\Kpbgeaba.dll Mohidbkl.exe File created C:\Windows\SysWOW64\Oohgdhfn.exe Ohnohn32.exe File created C:\Windows\SysWOW64\Qlgpod32.exe Qdphngfl.exe File opened for modification C:\Windows\SysWOW64\Gnepna32.exe Gmdcfidg.exe File opened for modification C:\Windows\SysWOW64\Hlpfhe32.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Ipflihfq.exe Ingpmmgm.exe File opened for modification C:\Windows\SysWOW64\Lojmcdgl.exe Lhqefjpo.exe File created C:\Windows\SysWOW64\Bihice32.dll Omalpc32.exe File created C:\Windows\SysWOW64\Pkjpfdin.dll Idgojc32.exe File opened for modification C:\Windows\SysWOW64\Mfcmmp32.exe Molelb32.exe File created C:\Windows\SysWOW64\Ladnhcdo.dll Gnjjfegi.exe File opened for modification C:\Windows\SysWOW64\Ooejohhq.exe Olgncmim.exe File created C:\Windows\SysWOW64\Diffglam.exe Dcjnoece.exe File created C:\Windows\SysWOW64\Jbaojpgb.exe Jjjghcfp.exe File created C:\Windows\SysWOW64\Phajna32.exe Pagbaglh.exe File opened for modification C:\Windows\SysWOW64\Fgcjfbed.exe Fajbjh32.exe File created C:\Windows\SysWOW64\Mioaanec.dll Aaoaic32.exe File opened for modification C:\Windows\SysWOW64\Hhaggp32.exe Hnibokbd.exe File created C:\Windows\SysWOW64\Imqpnq32.dll Mbibfm32.exe File created C:\Windows\SysWOW64\Kpgodhkd.exe Khpgckkb.exe File opened for modification C:\Windows\SysWOW64\Ghhhcomg.exe Gpaqbbld.exe File created C:\Windows\SysWOW64\Kmfhkf32.exe Kgipcogp.exe File opened for modification C:\Windows\SysWOW64\Pnfiplog.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Cnfaohbj.exe Cleegp32.exe File created C:\Windows\SysWOW64\Oocddono.exe Ohjlgefb.exe File created C:\Windows\SysWOW64\Lqndhcdc.exe Ljclki32.exe File opened for modification C:\Windows\SysWOW64\Ahgcjddh.exe Aehgnied.exe File opened for modification C:\Windows\SysWOW64\Camddhoi.exe Ckclhn32.exe File opened for modification C:\Windows\SysWOW64\Mcgiefen.exe Mnjqmpgg.exe File created C:\Windows\SysWOW64\Cnggkf32.dll Ekonpckp.exe File opened for modification C:\Windows\SysWOW64\Dafppp32.exe Cgqlcg32.exe File created C:\Windows\SysWOW64\Kgipcogp.exe Kqphfe32.exe File created C:\Windows\SysWOW64\Bndfbikc.dll Blielbfi.exe File opened for modification C:\Windows\SysWOW64\Gfodeohd.exe Gpelhd32.exe File opened for modification C:\Windows\SysWOW64\Impliekg.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Cdecgbfa.exe Cnkkjh32.exe File created C:\Windows\SysWOW64\Jefjbddd.dll Jcoaglhk.exe File opened for modification C:\Windows\SysWOW64\Bphgeo32.exe Bpfkpp32.exe File created C:\Windows\SysWOW64\Pnpkdp32.dll Oabhfg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8040 3296 WerFault.exe 879 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diffglam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehcfaboo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iddljmpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhimica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badanigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnoncim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kedlip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipflihfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkahilkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fganqbgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmhdmea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjehmfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llnnmhfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Molelb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckppl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejflhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnkkbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepjhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaebef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgeqmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbobf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djklmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndljll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggbcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaqhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlglfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjgoaoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojjcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnlom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbebbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omalpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjoppf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdaepai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bifmqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkqkhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdgnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocgbend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmlnjco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfqgab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhfkopc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klifnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhakoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhfkopc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgigo32.dll" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcdlpbd.dll" Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lflpengd.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" Qhjmdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifbbig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiejmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlambk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leopnglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpncq32.dll" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbohpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhhnpjmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hheoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oheihn32.dll" Ehfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klndfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllmfjk.dll" Ocmconhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeddnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll" Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll" Jikoopij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngomin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqffjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logooemi.dll" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhain32.dll" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimpolee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijfnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll" Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmphaaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahobhgo.dll" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjaaljm.dll" Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmejc32.dll" Damfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgfkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhkjegqi.dll" Polppg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odmbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefklj32.dll" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahnhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bakgoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nciopppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll" Njgqhicg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2424 wrote to memory of 3520 2424 virussign.com_b1d2087d1d88f80870106373da2011b0.exe 84 PID 2424 wrote to memory of 3520 2424 virussign.com_b1d2087d1d88f80870106373da2011b0.exe 84 PID 2424 wrote to memory of 3520 2424 virussign.com_b1d2087d1d88f80870106373da2011b0.exe 84 PID 3520 wrote to memory of 2680 3520 Dhhnpjmh.exe 85 PID 3520 wrote to memory of 2680 3520 Dhhnpjmh.exe 85 PID 3520 wrote to memory of 2680 3520 Dhhnpjmh.exe 85 PID 2680 wrote to memory of 2940 2680 Dkifae32.exe 87 PID 2680 wrote to memory of 2940 2680 Dkifae32.exe 87 PID 2680 wrote to memory of 2940 2680 Dkifae32.exe 87 PID 2940 wrote to memory of 2172 2940 Dfpgffpm.exe 88 PID 2940 wrote to memory of 2172 2940 Dfpgffpm.exe 88 PID 2940 wrote to memory of 2172 2940 Dfpgffpm.exe 88 PID 2172 wrote to memory of 2280 2172 Edfdej32.exe 89 PID 2172 wrote to memory of 2280 2172 Edfdej32.exe 89 PID 2172 wrote to memory of 2280 2172 Edfdej32.exe 89 PID 2280 wrote to memory of 3020 2280 Fggfnc32.exe 90 PID 2280 wrote to memory of 3020 2280 Fggfnc32.exe 90 PID 2280 wrote to memory of 3020 2280 Fggfnc32.exe 90 PID 3020 wrote to memory of 4772 3020 Gglpibgm.exe 91 PID 3020 wrote to memory of 4772 3020 Gglpibgm.exe 91 PID 3020 wrote to memory of 4772 3020 Gglpibgm.exe 91 PID 4772 wrote to memory of 2488 4772 Gaadfkgc.exe 92 PID 4772 wrote to memory of 2488 4772 Gaadfkgc.exe 92 PID 4772 wrote to memory of 2488 4772 Gaadfkgc.exe 92 PID 2488 wrote to memory of 4692 2488 Gnkaalkd.exe 93 PID 2488 wrote to memory of 4692 2488 Gnkaalkd.exe 93 PID 2488 wrote to memory of 4692 2488 Gnkaalkd.exe 93 PID 4692 wrote to memory of 3716 4692 Ggeboaob.exe 94 PID 4692 wrote to memory of 3716 4692 Ggeboaob.exe 94 PID 4692 wrote to memory of 3716 4692 Ggeboaob.exe 94 PID 3716 wrote to memory of 4588 3716 Hheoid32.exe 95 PID 3716 wrote to memory of 4588 3716 Hheoid32.exe 95 PID 3716 wrote to memory of 4588 3716 Hheoid32.exe 95 PID 4588 wrote to memory of 3708 4588 Hoadkn32.exe 96 PID 4588 wrote to memory of 3708 4588 Hoadkn32.exe 96 PID 4588 wrote to memory of 3708 4588 Hoadkn32.exe 96 PID 3708 wrote to memory of 3668 3708 Hkhdqoac.exe 97 PID 3708 wrote to memory of 3668 3708 Hkhdqoac.exe 97 PID 3708 wrote to memory of 3668 3708 Hkhdqoac.exe 97 PID 3668 wrote to memory of 4324 3668 Hdpiid32.exe 98 PID 3668 wrote to memory of 4324 3668 Hdpiid32.exe 98 PID 3668 wrote to memory of 4324 3668 Hdpiid32.exe 98 PID 4324 wrote to memory of 1064 4324 Hkjafn32.exe 99 PID 4324 wrote to memory of 1064 4324 Hkjafn32.exe 99 PID 4324 wrote to memory of 1064 4324 Hkjafn32.exe 99 PID 1064 wrote to memory of 4496 1064 Hfpecg32.exe 100 PID 1064 wrote to memory of 4496 1064 Hfpecg32.exe 100 PID 1064 wrote to memory of 4496 1064 Hfpecg32.exe 100 PID 4496 wrote to memory of 2776 4496 Hgabkoee.exe 101 PID 4496 wrote to memory of 2776 4496 Hgabkoee.exe 101 PID 4496 wrote to memory of 2776 4496 Hgabkoee.exe 101 PID 2776 wrote to memory of 2340 2776 Ifbbig32.exe 102 PID 2776 wrote to memory of 2340 2776 Ifbbig32.exe 102 PID 2776 wrote to memory of 2340 2776 Ifbbig32.exe 102 PID 2340 wrote to memory of 1616 2340 Igcoqocb.exe 103 PID 2340 wrote to memory of 1616 2340 Igcoqocb.exe 103 PID 2340 wrote to memory of 1616 2340 Igcoqocb.exe 103 PID 1616 wrote to memory of 548 1616 Inmgmijo.exe 104 PID 1616 wrote to memory of 548 1616 Inmgmijo.exe 104 PID 1616 wrote to memory of 548 1616 Inmgmijo.exe 104 PID 548 wrote to memory of 4668 548 Idgojc32.exe 105 PID 548 wrote to memory of 4668 548 Idgojc32.exe 105 PID 548 wrote to memory of 4668 548 Idgojc32.exe 105 PID 4668 wrote to memory of 4972 4668 Iomcgl32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\virussign.com_b1d2087d1d88f80870106373da2011b0.exe"C:\Users\Admin\AppData\Local\Temp\virussign.com_b1d2087d1d88f80870106373da2011b0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe23⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe24⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe25⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe26⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe27⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe28⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe29⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe30⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe33⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe34⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe35⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe36⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe37⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe39⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe41⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe42⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe44⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4884 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe46⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe48⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe50⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe51⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe52⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe53⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe54⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe55⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe56⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe57⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe58⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe59⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe60⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe61⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe62⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe64⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe66⤵PID:2416
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe68⤵PID:5156
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe69⤵PID:5196
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe72⤵
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe73⤵PID:5356
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe74⤵PID:5396
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe75⤵PID:5436
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe76⤵PID:5476
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe77⤵PID:5516
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe78⤵PID:5556
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe79⤵
- System Location Discovery: System Language Discovery
PID:5596 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe80⤵PID:5636
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5680 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe82⤵PID:5720
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe83⤵
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe84⤵
- Modifies registry class
PID:5804 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe85⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe86⤵PID:5888
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe87⤵PID:5932
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe88⤵PID:5972
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe89⤵PID:6024
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe90⤵PID:6064
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6108 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe92⤵PID:740
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe93⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe94⤵
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe95⤵PID:2136
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe96⤵PID:768
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe97⤵PID:5140
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5204 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe99⤵PID:5284
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe100⤵PID:5364
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe101⤵
- System Location Discovery: System Language Discovery
PID:5428 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe102⤵PID:5508
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe103⤵PID:3732
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5628 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe105⤵
- System Location Discovery: System Language Discovery
PID:5688 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe106⤵PID:5748
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe107⤵PID:5800
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe108⤵
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe109⤵PID:5964
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe110⤵PID:2748
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe111⤵PID:6092
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe112⤵
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe113⤵PID:2368
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe114⤵
- System Location Discovery: System Language Discovery
PID:4632 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe115⤵
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe116⤵PID:4584
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe117⤵PID:3512
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe118⤵PID:2392
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe119⤵PID:5188
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe120⤵PID:5692
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe121⤵PID:5308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-