Overview

Tasks in this submission (score out of 10 where the page shows one; sample names are truncated as on the page):
score | task | platform
10 | Static | -
10 | VirusSign....9d.exe | windows10-ltsc 2021-x64
10 | VirusSign....1a.exe | windows10-ltsc 2021-x64
10 | VirusSign....ee.exe | windows10-ltsc 2021-x64
- | VirusSign....d1.exe | windows10-ltsc 2021-x64
10 | VirusSign....a2.exe | windows10-ltsc 2021-x64
10 | VirusSign....4c.exe | windows10-ltsc 2021-x64
10 | VirusSign....90.exe | windows10-ltsc 2021-x64
10 | VirusSign....c7.exe | windows10-ltsc 2021-x64
- | VirusSign....36.exe | windows10-ltsc 2021-x64
8 | VirusSign....f8.exe | windows10-ltsc 2021-x64
10 | VirusSign....33.exe | windows10-ltsc 2021-x64
10 | VirusSign....f5.exe | windows10-ltsc 2021-x64
10 | VirusSign....19.exe | windows10-ltsc 2021-x64
8 | VirusSign....ab.exe | windows10-ltsc 2021-x64
10 | VirusSign....5f.exe | windows10-ltsc 2021-x64
10 | VirusSign....11.exe | windows10-ltsc 2021-x64
10 | VirusSign....5c.exe | windows10-ltsc 2021-x64
- | VirusSign....a0.exe | windows10-ltsc 2021-x64
8 | VirusSign....ae.exe | windows10-ltsc 2021-x64
10 | VirusSign....b2.exe | windows10-ltsc 2021-x64
10 | VirusSign....7d.exe | windows10-ltsc 2021-x64
10 | VirusSign....96.exe | windows10-ltsc 2021-x64
7 | VirusSign....e4.exe | windows10-ltsc 2021-x64
8 | VirusSign....3a.exe | windows10-ltsc 2021-x64
10 | VirusSign....47.exe | windows10-ltsc 2021-x64
10 | VirusSign....19.dll | windows10-ltsc 2021-x64
8 | VirusSign....50.exe | windows10-ltsc 2021-x64
10 | VirusSign....e1.exe | windows10-ltsc 2021-x64
8 | VirusSign....9b.exe | windows10-ltsc 2021-x64
10 | VirusSign....33.exe | windows10-ltsc 2021-x64
10 | VirusSign....b9.exe | windows10-ltsc 2021-x64
10 | VirusSign....08.exe | windows10-ltsc 2021-x64
Analysis (score 10)
max time kernel: 119s
max time network: 168s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250207-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 10/02/2025, 04:34
Static task: static1

Behavioral tasks
task | sample | resource
behavioral1 | VirusSign.2023.11.29/03ceea0ec59f89c49ba4357a83738d9d.exe | win10ltsc2021-20250207-en
behavioral2 | VirusSign.2023.11.29/03d13a90719878d7a335bd8c5a0e4e1a.exe | win10ltsc2021-20250207-en
behavioral3 | VirusSign.2023.11.29/03d2ad6a5f199b691d36e45d27801cee.exe | win10ltsc2021-20250207-en
behavioral4 | VirusSign.2023.11.29/03d5f6bace8c6a0a2d14ef775d3c02d1.exe | win10ltsc2021-20250128-en
behavioral5 | VirusSign.2023.11.29/03ed3d089e222fe691a1ce1ad04450a2.exe | win10ltsc2021-20250207-en
behavioral6 | VirusSign.2023.11.29/03f25db066e67c1882cf9aed07a1694c.exe | win10ltsc2021-20250207-en
behavioral7 | VirusSign.2023.11.29/03f939a6959a4bd81c622c3a2d8b8690.exe | win10ltsc2021-20250207-en
behavioral8 | VirusSign.2023.11.29/042177a10a1a4cfd26c2caef9272e0c7.exe | win10ltsc2021-20250207-en
behavioral9 | VirusSign.2023.11.29/042994e2bb89b9bc57e079d144152b36.exe | win10ltsc2021-20250207-en
behavioral10 | VirusSign.2023.11.29/0445405bb7106522c0b2157809e4d5f8.exe | win10ltsc2021-20250207-en
behavioral11 | VirusSign.2023.11.29/045d80d0973c5d854927b589b123f733.exe | win10ltsc2021-20250207-en
behavioral12 | VirusSign.2023.11.29/047c2b7237010e343732b699d4b346f5.exe | win10ltsc2021-20250207-en
behavioral13 | VirusSign.2023.11.29/047c7fed39ef255fecdd70e9a870ae19.exe | win10ltsc2021-20250207-en
behavioral14 | VirusSign.2023.11.29/0483b1eb3211b96e7272d3dea3753eab.exe | win10ltsc2021-20250207-en
behavioral15 | VirusSign.2023.11.29/0483de1a0d30f46fbff309fc8d87275f.exe | win10ltsc2021-20250207-en
behavioral16 | VirusSign.2023.11.29/0491a5abd0712b38f24778e1346c0811.exe | win10ltsc2021-20250207-en
behavioral17 | VirusSign.2023.11.29/04a2bc0c567a80f57b48e246b635045c.exe | win10ltsc2021-20250207-en
behavioral18 | VirusSign.2023.11.29/04b493b52f4b83a142a4979585575ea0.exe | win10ltsc2021-20250207-en
behavioral19 | VirusSign.2023.11.29/04c187920db980d8db16c5acb58049ae.exe | win10ltsc2021-20250207-en
behavioral20 | VirusSign.2023.11.29/04cdfdef32e604c59822bff2f7412eb2.exe | win10ltsc2021-20250207-en
behavioral21 | VirusSign.2023.11.29/04d04a21b82309118775bdaff8a4d67d.exe | win10ltsc2021-20250207-en
behavioral22 | VirusSign.2023.11.29/04d25950be48329252ec8b3d53535596.exe | win10ltsc2021-20250128-en
behavioral23 | VirusSign.2023.11.29/04f06e5d9023ab4d69946c84cdc79ee4.exe | win10ltsc2021-20250207-en
behavioral24 | VirusSign.2023.11.29/04f43cc6be15c60aeb943bbe5bd3973a.exe | win10ltsc2021-20250207-en
behavioral25 | VirusSign.2023.11.29/0517d55470df3590c88f39d41a416047.exe | win10ltsc2021-20250207-en
behavioral26 | VirusSign.2023.11.29/053bfcaa44a2c180bee9c2547b910919.dll | win10ltsc2021-20250207-en
behavioral27 | VirusSign.2023.11.29/054c96f764aef24cbdccec3be12e2350.exe | win10ltsc2021-20250128-en
behavioral28 | VirusSign.2023.11.29/0563721a9ecf7d25f720e2069e24c7e1.exe | win10ltsc2021-20250207-en
behavioral29 | VirusSign.2023.11.29/05639c84db366253210163a5c6c5f69b.exe | win10ltsc2021-20250207-en
behavioral30 | VirusSign.2023.11.29/0576f4bbcb57c686dbfc66760a969b33.exe | win10ltsc2021-20250207-en
behavioral31 | VirusSign.2023.11.29/05777e787a0105c14320a2426794b5b9.exe | win10ltsc2021-20250207-en
General (the sample behind this report, task behavioral21)
Target: VirusSign.2023.11.29/04d04a21b82309118775bdaff8a4d67d.exe
Size: 256KB
MD5: 04d04a21b82309118775bdaff8a4d67d
SHA1: 56ee2d322abec955c0ede91a374012dd4aaa1621
SHA256: e3aeff1d7965291914e70deae3c04e7d80be856e03cdae1c991ef1866d47ed38
SHA512: 31b07da34a2eb064d993e76d1ed8672499a9d9b467e84e9d69046d0f487eec85f67db3dfc8f87cf963ea8fd5635b0df1eefd408116bde3876b2f8d59f2b63834
SSDEEP: 6144:XlKKPf+9C81NByvZ6Mxv5Rar3O6B9fZSLhZmzbBy9:1+9C8HByvNv54B9f01ZmHBy9
Malware Config

Extracted
family: berbew
URLs:
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

The third URL is a printf-style template: the sample fills the %s, %i, %09u and %02d fields at run time, so the literal string never appears on the wire and a hunt for it has to match the shape of the query, not the template text.
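The following Python is an added example, not part of the sandbox report or of the malware: it converts the extracted printf-style template into an anchored regular expression (zero-padded widths become digit counts, so %09u requires exactly nine digits and %02d at least two) and runs it over constructed proxy-log lines. The log layout and the field values are assumptions; the page does not say what the fields mean, so they are captured but not interpreted.

```python
"""Turn the printf-style beacon template extracted from this Berbew sample into
an anchored regex and run it over proxy-log lines.

Added example, not part of the sandbox report.  The three URLs are the ones
the report extracted; the log lines and their column layout are constructed."""
import re

C2_URLS = (
    "http://viruslist.com/wcmd.txt",
    "http://viruslist.com/ppslog.php",
    "http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
)

# printf conversion specifier: flags, minimum width, conversion letter
_SPEC = re.compile(r"%(?P<flags>[-+ 0#]*)(?P<width>\d*)(?P<conv>[sdiu])")


def _fragment(m):
    """Regex fragment for one %-spec.  Zero-padded widths become exact or
    minimum digit counts ('%09u' -> nine digits, '%02d' -> at least two)."""
    conv, width, zero = m["conv"], m["width"], "0" in m["flags"]
    if conv == "s":
        return r"[^:]*"                     # fields in this template are ':'-separated
    if conv == "u":
        return rf"\d{{{width}}}" if zero and width else r"\d+"
    digits = rf"\d{{{width},}}" if zero and width else r"\d+"
    return r"-?" + digits                   # %d / %i may carry a sign


def printf_to_regex(template):
    """Escape the literal parts of TEMPLATE and turn each %-spec into a
    capturing group, so a match yields the beacon's fields in order."""
    parts, pos = ["^"], 0
    for m in _SPEC.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append("(" + _fragment(m) + ")")
        pos = m.end()
    parts.append(re.escape(template[pos:]) + "$")
    return re.compile("".join(parts))


BEACON_PATTERNS = [(u, printf_to_regex(u)) for u in C2_URLS]


def match_beacon(url):
    """(template, captured fields) if URL matches one of the C2 URLs, else None."""
    for template, rx in BEACON_PATTERNS:
        m = rx.match(url)
        if m:
            return template, m.groups()
    return None


def scan_proxy_log(lines):
    """[(line_no, template, fields)] for lines whose URL column matches.
    Assumed (constructed) layout: '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        cols = line.split()
        if len(cols) >= 4 and (hit := match_beacon(cols[3])):
            hits.append((n, hit[0], hit[1]))
    return hits


# Constructed sample log, not taken from the report.
SAMPLE_LOG = [
    "2025-02-10T04:35:01Z 10.0.0.15 GET http://viruslist.com/wcmd.txt 200",
    "2025-02-10T04:35:02Z 10.0.0.15 GET http://viruslist.com/piplog.php?HOST-A:2:0:XP:000012345:1:04:35:02 200",
    "2025-02-10T04:35:03Z 10.0.0.15 GET http://viruslist.com/piplog.php?nope 404",
    "2025-02-10T04:35:04Z 10.0.0.16 GET http://example.com/ 200",
]

if __name__ == "__main__":
    for n, template, fields in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {template} fields={fields}")
```

Matching the whole query shape rather than only the hostname keeps the rule specific: a request to the same host with a malformed or differently shaped query (line 3 of the sample) is not reported.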
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Values under ShellServiceObjectDelayLoad name CLSIDs that explorer.exe instantiates as in-process COM objects when the shell starts; the DLL behind the CLSID written here, {79ECA078-17FF-726B-E811-213280E5C831}, is registered under that CLSID's InProcServer32 key (see "Modifies registry class" below). The WOW6432Node paths show the sample runs as a 32-bit process on the x64 image.

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
by (34 processes): Cfmahknh.exe, Jfgnka32.exe, Cpfkna32.exe, Agcdnjcl.exe, Cbfema32.exe, Cqinng32.exe, Pihdnloc.exe, Obpkcc32.exe, Ahgamo32.exe, Qoocnpag.exe, Ghpooanf.exe, Gflcnanp.exe, Pgllad32.exe, Liabjh32.exe, Fmpjfn32.exe, Oooodcci.exe, Ejaecdnc.exe, Ngaabfio.exe, Aaofedkl.exe, Mdibplaf.exe, Cpklql32.exe, Ldfoad32.exe, Pkmhgh32.exe, Ldfhgn32.exe, Opiidhoj.exe, Abpmpkoh.exe, Oaejhh32.exe, Ohgopgfj.exe, Moajmk32.exe, 04d04a21b82309118775bdaff8a4d67d.exe, Mfhgcbfo.exe, Npqmipjq.exe, Bqkigp32.exe, Cbnknpqj.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
by (30 processes): Ogqmee32.exe, Janpnfee.exe, Fbhnec32.exe, Fjanjb32.exe, Hmcfma32.exe, Jeanfkob.exe, Calbnnkj.exe, Fclohg32.exe, Nakhaf32.exe, Omfcmm32.exe, Obnlpnbm.exe, Infhebbh.exe, Defheg32.exe, Okcogc32.exe, Afdkfh32.exe, Pghaghfn.exe, Imfmgcdn.exe, Fcddkggf.exe, Hcipcnac.exe, Knifging.exe, Bnppkj32.exe, Mlifnphl.exe, Bikeni32.exe, Bgokdomj.exe, Hnpaec32.exe, Ljijci32.exe, Fcjimnjl.exe, Hanlcjgh.exe, Nnmfdpni.exe, Oomelheh.exe

Berbew family
Downloads MZ/PE file (1 IoC)
flow | pid | Process
13 | 5932 | Process not Found
Executes dropped EXE (64 IoCs)
pid and process, in the order listed by the sandbox (the names advance alphabetically from H to O; the "Drops file" table below shows each copy creating the next):
552 Hgeihiac.exe, 2676 Hnpaec32.exe, 3600 Hjfbjdnd.exe, 3132 Ibnjkbog.exe, 1460 Iabglnco.exe, 2136 Infhebbh.exe, 2892 Iholohii.exe, 4036 Ijmhkchl.exe,
3412 Iagqgn32.exe, 2536 Ihaidhgf.exe, 2208 Idhiii32.exe, 828 Jbijgp32.exe, 4124 Jaljbmkd.exe, 4672 Jhfbog32.exe, 4048 Jjdokb32.exe, 4768 Jjgkab32.exe,
3740 Jdopjh32.exe, 4084 Jlfhke32.exe, 2008 Jacpcl32.exe, 3824 Jbbmmo32.exe, 2244 Jhoeef32.exe, 1864 Kdffjgpj.exe, 3960 Kbgfhnhi.exe, 4332 Kbjbnnfg.exe,
2084 Khfkfedn.exe, 4320 Kocphojh.exe, 3260 Klgqabib.exe, 3300 Ldbefe32.exe, 3892 Lbcedmnl.exe, 5084 Lojfin32.exe, 2732 Ldfoad32.exe, 4348 Lbhool32.exe,
3156 Lkcccn32.exe, 4544 Lamlphoo.exe, 3668 Mlbpma32.exe, 1752 Moalil32.exe, 2736 Mdnebc32.exe, 436 Maaekg32.exe, 4200 Mdpagc32.exe, 4140 Moefdljc.exe,
1516 Mepnaf32.exe, 2144 Mlifnphl.exe, 4924 Mklfjm32.exe, 4632 Mebkge32.exe, 444 Mddkbbfg.exe, 4524 Mahklf32.exe, 4576 Nakhaf32.exe, 2904 Nefdbekh.exe,
2756 Nlqloo32.exe, 2256 Nooikj32.exe, 2248 Ndlacapp.exe, 2204 Nhgmcp32.exe, 1292 Napameoi.exe, 3796 Nhjjip32.exe, 2728 Nconfh32.exe, 3836 Nfnjbdep.exe,
4868 Nfpghccm.exe, 4628 Ocdgahag.exe, 3568 Odedipge.exe, 980 Okolfj32.exe, 3860 Odgqopeb.exe, 2844 Oomelheh.exe, 1948 Omaeem32.exe, 4712 Ofijnbkb.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Nhjjip32.exe | Napameoi.exe
File created | C:\Windows\SysWOW64\Icciccmd.exe | Infqklol.exe
File opened for modification | C:\Windows\SysWOW64\Keekjc32.exe | Knkcmild.exe
File opened for modification | C:\Windows\SysWOW64\Kmbfiokn.exe | Kciaqi32.exe
File created | C:\Windows\SysWOW64\Kcafemmh.dll | Aohbbqme.exe
File opened for modification | C:\Windows\SysWOW64\Deidj32.exe | Ddhhbngi.exe
File created | C:\Windows\SysWOW64\Hdppaidl.exe | Hnehdo32.exe
File created | C:\Windows\SysWOW64\Kaebce32.dll | Hmpnqj32.exe
File created | C:\Windows\SysWOW64\Pghaghfn.exe | Ppoijn32.exe
File created | C:\Windows\SysWOW64\Oagoeala.dll | Mokdllim.exe
File created | C:\Windows\SysWOW64\Mdnebc32.exe | Moalil32.exe
File opened for modification | C:\Windows\SysWOW64\Cdlhgpag.exe | Cdjlap32.exe
File opened for modification | C:\Windows\SysWOW64\Lhjnfn32.exe | Kaqejcep.exe
File opened for modification | C:\Windows\SysWOW64\Idmhqi32.exe | Ioqohb32.exe
File opened for modification | C:\Windows\SysWOW64\Moajmk32.exe | Mihbpalh.exe
File opened for modification | C:\Windows\SysWOW64\Kjlmbnof.exe | Kbedaand.exe
File opened for modification | C:\Windows\SysWOW64\Ajggjq32.exe | Acmomgoa.exe
File opened for modification | C:\Windows\SysWOW64\Ffahnd32.exe | Emhdeoel.exe
File created | C:\Windows\SysWOW64\Qgdabflp.exe | Qdfefkll.exe
File created | C:\Windows\SysWOW64\Jgaifgon.dll | Bjhpqn32.exe
File opened for modification | C:\Windows\SysWOW64\Pihdnloc.exe | Pbokab32.exe
File created | C:\Windows\SysWOW64\Acaanp32.exe | Amdiei32.exe
File created | C:\Windows\SysWOW64\Hchbkneg.dll | Amdiei32.exe
File opened for modification | C:\Windows\SysWOW64\Bcfkiock.exe | Bllble32.exe
File created | C:\Windows\SysWOW64\Aimhmkgn.exe | Aijlgkjq.exe
File created | C:\Windows\SysWOW64\Bcaiocbn.dll | Laeoec32.exe
File created | C:\Windows\SysWOW64\Ddhbcl32.dll | Bomknp32.exe
File created | C:\Windows\SysWOW64\Eeeolh32.dll | Mhppik32.exe
File created | C:\Windows\SysWOW64\Ihheqd32.exe | Ifihdi32.exe
File created | C:\Windows\SysWOW64\Iokgno32.dll | Fmndkd32.exe
File created | C:\Windows\SysWOW64\Hmlbij32.exe | Hhojqcil.exe
File created | C:\Windows\SysWOW64\Bldgoeog.exe | Bcicjbal.exe
File created | C:\Windows\SysWOW64\Dedkogqm.exe | Dbfoclai.exe
File created | C:\Windows\SysWOW64\Nfndbnlp.dll | Kfeagefd.exe
File created | C:\Windows\SysWOW64\Hfcinq32.exe | Hnhdjn32.exe
File created | C:\Windows\SysWOW64\Icgbob32.exe | Imnjbhaa.exe
File created | C:\Windows\SysWOW64\Acbhhf32.exe | Aneppo32.exe
File created | C:\Windows\SysWOW64\Mbkmngfn.exe | Mkadam32.exe
File created | C:\Windows\SysWOW64\Ikbphn32.exe | Iplkje32.exe
File opened for modification | C:\Windows\SysWOW64\Mdpagc32.exe | Maaekg32.exe
File opened for modification | C:\Windows\SysWOW64\Fjlpbb32.exe | Fcbgfhii.exe
File created | C:\Windows\SysWOW64\Jijomapp.dll | Mejnlpai.exe
File created | C:\Windows\SysWOW64\Nfmdccgi.dll | Dlobmd32.exe
File created | C:\Windows\SysWOW64\Ogimlm32.dll | Impldi32.exe
File opened for modification | C:\Windows\SysWOW64\Flfbcndo.exe | Fgijkgeh.exe
File opened for modification | C:\Windows\SysWOW64\Bpdfpmoo.exe | Beobcdoi.exe
File opened for modification | C:\Windows\SysWOW64\Cicqja32.exe | Cnnllhpa.exe
File created | C:\Windows\SysWOW64\Bhcbdkfh.dll | Engaon32.exe
File created | C:\Windows\SysWOW64\Lbenho32.exe | Lmheph32.exe
File opened for modification | C:\Windows\SysWOW64\Mjehok32.exe | Mboqnm32.exe
File opened for modification | C:\Windows\SysWOW64\Hklpaeno.exe | Hdahek32.exe
File opened for modification | C:\Windows\SysWOW64\Lmhnea32.exe | Ldqfddml.exe
File opened for modification | C:\Windows\SysWOW64\Qednnm32.exe | Qojeabie.exe
File created | C:\Windows\SysWOW64\Ghcbohpp.exe | Gedfblql.exe
File created | C:\Windows\SysWOW64\Kgqdfi32.exe | Kiodha32.exe
File created | C:\Windows\SysWOW64\Decmjjie.exe | Dilmeida.exe
File opened for modification | C:\Windows\SysWOW64\Fhbbmc32.exe | Ejnbdp32.exe
File created | C:\Windows\SysWOW64\Klpjbg32.dll | Dqfceoje.exe
File created | C:\Windows\SysWOW64\Lmkipncc.exe | Lfaqcclf.exe
File created | C:\Windows\SysWOW64\Ohmepbki.exe | Omgabj32.exe
File created | C:\Windows\SysWOW64\Hekpnp32.dll | Enaaiifb.exe
File opened for modification | C:\Windows\SysWOW64\Mahklf32.exe | Mddkbbfg.exe
File created | C:\Windows\SysWOW64\Dekapfke.exe | Dpoiho32.exe
File opened for modification | C:\Windows\SysWOW64\Clmckmcq.exe | Bnicai32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
10292 | 10248 | WerFault.exe | 1092
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
by (64 processes): Cnpibh32.exe, Kgqdfi32.exe, Lmkipncc.exe, Lfkich32.exe, Pbahgbfc.exe, Pllieg32.exe, Knifging.exe, Jikjmbmb.exe, Cdlhgpag.exe, Cemeoh32.exe, Gomkkagl.exe, Icminm32.exe, Obqopddf.exe, Dgieajgj.exe, Idmafc32.exe, Omgjhc32.exe, Jlfhke32.exe, Ndlacapp.exe, Odedipge.exe, Lhmjlm32.exe, Oeamcmmo.exe, Aiqkmd32.exe, Hcofbifb.exe, Aohbbqme.exe, Jhoeef32.exe, Kcbded32.exe, Nfjeej32.exe, Ohkijc32.exe, Enigjh32.exe, Jhgpbf32.exe, Cmmbmiag.exe, Fjfnphpf.exe, Hkggfe32.exe, Djgbmffn.exe, Oddmoj32.exe, Pgoigcip.exe, Bnbeggmi.exe, Logbigbg.exe, Eeodqocd.exe, Eljchpnl.exe, Akgjnj32.exe, Eakdje32.exe, Dqfceoje.exe, Fakfglhm.exe, Fnnimbaj.exe, Lcnkli32.exe, Bgjjoi32.exe, Kbedaand.exe, Ffahnd32.exe, Gcimfg32.exe, Imknli32.exe, Bgokdomj.exe, Ppffec32.exe, Nipokfil.exe, Kaaaak32.exe, Cdjlap32.exe, Gfjfhbpb.exe, Hgmebnpd.exe, Cqinng32.exe, Qmckbjdl.exe, Dfcqod32.exe, Cghgpgqd.exe, Npighq32.exe, Omkmhlpf.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2484 | MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe does not appear among the files this sample drops or executes in the tables above, so this hit should be treated as background activity of the analysis image unless the process tree ties it to the sample.
Modifies registry class (64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
(the CLSID named by the ShellServiceObjectDelayLoad value above; the InProcServer32 default value is the DLL explorer.exe will load, and since it is a single value the last writer wins)

Key created by (16 processes): Cpfkna32.exe, Qhbhapha.exe, Ejnbdp32.exe, Jmqekg32.exe, Lcnkli32.exe, Mcnmhpoj.exe, Clmckmcq.exe, Bjhpqn32.exe, Calbnnkj.exe, Qdfefkll.exe, Kdjhkp32.exe, Jicdlc32.exe, Gknkkmmj.exe, Jgiiclkl.exe, Cemeoh32.exe, Lpinac32.exe

Set value (str) ThreadingModel = "Apartment" by (25 processes): Ccldebeo.exe, Nieggill.exe, Nfnjbdep.exe, Jopaejlo.exe, Hfefdpfe.exe, Ogjpld32.exe, Mihbpalh.exe, Qmkfoj32.exe, Mdkabmjf.exe, Pldcdhpi.exe, Mkgfdgpq.exe, Ohmepbki.exe, Eleimp32.exe, Npqmipjq.exe, Klnkoc32.exe, Jlponebi.exe, Lfpcngdo.exe, Moeoje32.exe, Cbnbhfde.exe, Moofmeal.exe, Haclio32.exe, Khlinedh.exe, Habeni32.exe, Dabhomea.exe, Lojfin32.exe

Set value (str), default value = DLL path (20 processes, each registering a different DLL):
Process | InProcServer32 default value
Bnicai32.exe | "C:\\Windows\\SysWow64\\Jgkbak32.dll"
Fpnkdfko.exe | "C:\\Windows\\SysWow64\\Meajdj32.dll"
Lnanadfi.exe | "C:\\Windows\\SysWow64\\Lfbqdb32.dll"
Dlkplk32.exe | "C:\\Windows\\SysWow64\\Mgfkhqoc.dll"
Llpofd32.exe | "C:\\Windows\\SysWow64\\Cogadadh.dll"
Pllieg32.exe | "C:\\Windows\\SysWow64\\Lfdnhb32.dll"
Igqbiacj.exe | "C:\\Windows\\SysWow64\\Gpaaneok.dll"
Gdkffi32.exe | "C:\\Windows\\SysWow64\\Qpdhhmkg.dll"
Imnjbhaa.exe | "C:\\Windows\\SysWow64\\Kcblbn32.dll"
Qdihfq32.exe | "C:\\Windows\\SysWow64\\Ojicgi32.dll"
Ifaepolg.exe | "C:\\Windows\\SysWow64\\Didhmpdm.dll"
Ggfobofl.exe | "C:\\Windows\\SysWow64\\Daajam32.dll"
Imfmgcdn.exe | "C:\\Windows\\SysWow64\\Jgfajp32.dll"
Eljchpnl.exe | "C:\\Windows\\SysWow64\\Nnomjn32.dll"
Mihbpalh.exe | "C:\\Windows\\SysWow64\\Mfpomglp.dll"
Cbfema32.exe | "C:\\Windows\\SysWow64\\Fdqekdcj.dll"
Fhchhm32.exe | "C:\\Windows\\SysWow64\\Eofjcclq.dll"
Ofijnbkb.exe | "C:\\Windows\\SysWow64\\Eobdnbdn.dll"
Beobcdoi.exe | "C:\\Windows\\SysWow64\\Cflpcaoh.dll"
Kdeghfhj.exe | "C:\\Windows\\SysWow64\\Bleoga32.dll"
Set
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll" Cmmgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epiaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgmebnpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2476 wrote to memory of 552 | 2476 | 04d04a21b82309118775bdaff8a4d67d.exe | 83 |
| PID 2476 wrote to memory of 552 | 2476 | 04d04a21b82309118775bdaff8a4d67d.exe | 83 |
| PID 2476 wrote to memory of 552 | 2476 | 04d04a21b82309118775bdaff8a4d67d.exe | 83 |
| PID 552 wrote to memory of 2676 | 552 | Hgeihiac.exe | 84 |
| PID 552 wrote to memory of 2676 | 552 | Hgeihiac.exe | 84 |
| PID 552 wrote to memory of 2676 | 552 | Hgeihiac.exe | 84 |
| PID 2676 wrote to memory of 3600 | 2676 | Hnpaec32.exe | 85 |
| PID 2676 wrote to memory of 3600 | 2676 | Hnpaec32.exe | 85 |
| PID 2676 wrote to memory of 3600 | 2676 | Hnpaec32.exe | 85 |
| PID 3600 wrote to memory of 3132 | 3600 | Hjfbjdnd.exe | 86 |
| PID 3600 wrote to memory of 3132 | 3600 | Hjfbjdnd.exe | 86 |
| PID 3600 wrote to memory of 3132 | 3600 | Hjfbjdnd.exe | 86 |
| PID 3132 wrote to memory of 1460 | 3132 | Ibnjkbog.exe | 87 |
| PID 3132 wrote to memory of 1460 | 3132 | Ibnjkbog.exe | 87 |
| PID 3132 wrote to memory of 1460 | 3132 | Ibnjkbog.exe | 87 |
| PID 1460 wrote to memory of 2136 | 1460 | Iabglnco.exe | 88 |
| PID 1460 wrote to memory of 2136 | 1460 | Iabglnco.exe | 88 |
| PID 1460 wrote to memory of 2136 | 1460 | Iabglnco.exe | 88 |
| PID 2136 wrote to memory of 2892 | 2136 | Infhebbh.exe | 89 |
| PID 2136 wrote to memory of 2892 | 2136 | Infhebbh.exe | 89 |
| PID 2136 wrote to memory of 2892 | 2136 | Infhebbh.exe | 89 |
| PID 2892 wrote to memory of 4036 | 2892 | Iholohii.exe | 90 |
| PID 2892 wrote to memory of 4036 | 2892 | Iholohii.exe | 90 |
| PID 2892 wrote to memory of 4036 | 2892 | Iholohii.exe | 90 |
| PID 4036 wrote to memory of 3412 | 4036 | Ijmhkchl.exe | 91 |
| PID 4036 wrote to memory of 3412 | 4036 | Ijmhkchl.exe | 91 |
| PID 4036 wrote to memory of 3412 | 4036 | Ijmhkchl.exe | 91 |
| PID 3412 wrote to memory of 2536 | 3412 | Iagqgn32.exe | 92 |
| PID 3412 wrote to memory of 2536 | 3412 | Iagqgn32.exe | 92 |
| PID 3412 wrote to memory of 2536 | 3412 | Iagqgn32.exe | 92 |
| PID 2536 wrote to memory of 2208 | 2536 | Ihaidhgf.exe | 93 |
| PID 2536 wrote to memory of 2208 | 2536 | Ihaidhgf.exe | 93 |
| PID 2536 wrote to memory of 2208 | 2536 | Ihaidhgf.exe | 93 |
| PID 2208 wrote to memory of 828 | 2208 | Idhiii32.exe | 94 |
| PID 2208 wrote to memory of 828 | 2208 | Idhiii32.exe | 94 |
| PID 2208 wrote to memory of 828 | 2208 | Idhiii32.exe | 94 |
| PID 828 wrote to memory of 4124 | 828 | Jbijgp32.exe | 95 |
| PID 828 wrote to memory of 4124 | 828 | Jbijgp32.exe | 95 |
| PID 828 wrote to memory of 4124 | 828 | Jbijgp32.exe | 95 |
| PID 4124 wrote to memory of 4672 | 4124 | Jaljbmkd.exe | 96 |
| PID 4124 wrote to memory of 4672 | 4124 | Jaljbmkd.exe | 96 |
| PID 4124 wrote to memory of 4672 | 4124 | Jaljbmkd.exe | 96 |
| PID 4672 wrote to memory of 4048 | 4672 | Jhfbog32.exe | 97 |
| PID 4672 wrote to memory of 4048 | 4672 | Jhfbog32.exe | 97 |
| PID 4672 wrote to memory of 4048 | 4672 | Jhfbog32.exe | 97 |
| PID 4048 wrote to memory of 4768 | 4048 | Jjdokb32.exe | 98 |
| PID 4048 wrote to memory of 4768 | 4048 | Jjdokb32.exe | 98 |
| PID 4048 wrote to memory of 4768 | 4048 | Jjdokb32.exe | 98 |
| PID 4768 wrote to memory of 3740 | 4768 | Jjgkab32.exe | 99 |
| PID 4768 wrote to memory of 3740 | 4768 | Jjgkab32.exe | 99 |
| PID 4768 wrote to memory of 3740 | 4768 | Jjgkab32.exe | 99 |
| PID 3740 wrote to memory of 4084 | 3740 | Jdopjh32.exe | 100 |
| PID 3740 wrote to memory of 4084 | 3740 | Jdopjh32.exe | 100 |
| PID 3740 wrote to memory of 4084 | 3740 | Jdopjh32.exe | 100 |
| PID 4084 wrote to memory of 2008 | 4084 | Jlfhke32.exe | 101 |
| PID 4084 wrote to memory of 2008 | 4084 | Jlfhke32.exe | 101 |
| PID 4084 wrote to memory of 2008 | 4084 | Jlfhke32.exe | 101 |
| PID 2008 wrote to memory of 3824 | 2008 | Jacpcl32.exe | 102 |
| PID 2008 wrote to memory of 3824 | 2008 | Jacpcl32.exe | 102 |
| PID 2008 wrote to memory of 3824 | 2008 | Jacpcl32.exe | 102 |
| PID 3824 wrote to memory of 2244 | 3824 | Jbbmmo32.exe | 103 |
| PID 3824 wrote to memory of 2244 | 3824 | Jbbmmo32.exe | 103 |
| PID 3824 wrote to memory of 2244 | 3824 | Jbbmmo32.exe | 103 |
| PID 2244 wrote to memory of 1864 | 2244 | Jhoeef32.exe | 104 |
Processes
Process tree; the list number is the nesting depth reported by the sandbox, and each entry gives the image path, the command line it was launched with, and its PID, followed by the behaviours flagged for it.

1. C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04d04a21b82309118775bdaff8a4d67d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\04d04a21b82309118775bdaff8a4d67d.exe"), PID 2476
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hgeihiac.exe (command line: C:\Windows\system32\Hgeihiac.exe), PID 552
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Hnpaec32.exe (command line: C:\Windows\system32\Hnpaec32.exe), PID 2676
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Hjfbjdnd.exe (command line: C:\Windows\system32\Hjfbjdnd.exe), PID 3600
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ibnjkbog.exe (command line: C:\Windows\system32\Ibnjkbog.exe), PID 3132
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Iabglnco.exe (command line: C:\Windows\system32\Iabglnco.exe), PID 1460
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Infhebbh.exe (command line: C:\Windows\system32\Infhebbh.exe), PID 2136
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Iholohii.exe (command line: C:\Windows\system32\Iholohii.exe), PID 2892
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ijmhkchl.exe (command line: C:\Windows\system32\Ijmhkchl.exe), PID 4036
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Iagqgn32.exe (command line: C:\Windows\system32\Iagqgn32.exe), PID 3412
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ihaidhgf.exe (command line: C:\Windows\system32\Ihaidhgf.exe), PID 2536
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Idhiii32.exe (command line: C:\Windows\system32\Idhiii32.exe), PID 2208
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Jbijgp32.exe (command line: C:\Windows\system32\Jbijgp32.exe), PID 828
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jaljbmkd.exe (command line: C:\Windows\system32\Jaljbmkd.exe), PID 4124
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jhfbog32.exe (command line: C:\Windows\system32\Jhfbog32.exe), PID 4672
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Jjdokb32.exe (command line: C:\Windows\system32\Jjdokb32.exe), PID 4048
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Jjgkab32.exe (command line: C:\Windows\system32\Jjgkab32.exe), PID 4768
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Jdopjh32.exe (command line: C:\Windows\system32\Jdopjh32.exe), PID 3740
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Jlfhke32.exe (command line: C:\Windows\system32\Jlfhke32.exe), PID 4084
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Jacpcl32.exe (command line: C:\Windows\system32\Jacpcl32.exe), PID 2008
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Jbbmmo32.exe (command line: C:\Windows\system32\Jbbmmo32.exe), PID 3824
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Jhoeef32.exe (command line: C:\Windows\system32\Jhoeef32.exe), PID 2244
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Kdffjgpj.exe (command line: C:\Windows\system32\Kdffjgpj.exe), PID 1864
    - Executes dropped EXE
24. C:\Windows\SysWOW64\Kbgfhnhi.exe (command line: C:\Windows\system32\Kbgfhnhi.exe), PID 3960
    - Executes dropped EXE
25. C:\Windows\SysWOW64\Kbjbnnfg.exe (command line: C:\Windows\system32\Kbjbnnfg.exe), PID 4332
    - Executes dropped EXE
26. C:\Windows\SysWOW64\Khfkfedn.exe (command line: C:\Windows\system32\Khfkfedn.exe), PID 2084
    - Executes dropped EXE
27. C:\Windows\SysWOW64\Kocphojh.exe (command line: C:\Windows\system32\Kocphojh.exe), PID 4320
    - Executes dropped EXE
28. C:\Windows\SysWOW64\Klgqabib.exe (command line: C:\Windows\system32\Klgqabib.exe), PID 3260
    - Executes dropped EXE
29. C:\Windows\SysWOW64\Ldbefe32.exe (command line: C:\Windows\system32\Ldbefe32.exe), PID 3300
    - Executes dropped EXE
30. C:\Windows\SysWOW64\Lbcedmnl.exe (command line: C:\Windows\system32\Lbcedmnl.exe), PID 3892
    - Executes dropped EXE
31. C:\Windows\SysWOW64\Lojfin32.exe (command line: C:\Windows\system32\Lojfin32.exe), PID 5084
    - Executes dropped EXE
    - Modifies registry class
32. C:\Windows\SysWOW64\Ldfoad32.exe (command line: C:\Windows\system32\Ldfoad32.exe), PID 2732
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
33. C:\Windows\SysWOW64\Lbhool32.exe (command line: C:\Windows\system32\Lbhool32.exe), PID 4348
    - Executes dropped EXE
34. C:\Windows\SysWOW64\Lkcccn32.exe (command line: C:\Windows\system32\Lkcccn32.exe), PID 3156
    - Executes dropped EXE
35. C:\Windows\SysWOW64\Lamlphoo.exe (command line: C:\Windows\system32\Lamlphoo.exe), PID 4544
    - Executes dropped EXE
36. C:\Windows\SysWOW64\Mlbpma32.exe (command line: C:\Windows\system32\Mlbpma32.exe), PID 3668
    - Executes dropped EXE
37. C:\Windows\SysWOW64\Moalil32.exe (command line: C:\Windows\system32\Moalil32.exe), PID 1752
    - Executes dropped EXE
    - Drops file in System32 directory
38. C:\Windows\SysWOW64\Mdnebc32.exe (command line: C:\Windows\system32\Mdnebc32.exe), PID 2736
    - Executes dropped EXE
39. C:\Windows\SysWOW64\Maaekg32.exe (command line: C:\Windows\system32\Maaekg32.exe), PID 436
    - Executes dropped EXE
    - Drops file in System32 directory
40. C:\Windows\SysWOW64\Mdpagc32.exe (command line: C:\Windows\system32\Mdpagc32.exe), PID 4200
    - Executes dropped EXE
41. C:\Windows\SysWOW64\Moefdljc.exe (command line: C:\Windows\system32\Moefdljc.exe), PID 4140
    - Executes dropped EXE
42. C:\Windows\SysWOW64\Mepnaf32.exe (command line: C:\Windows\system32\Mepnaf32.exe), PID 1516
    - Executes dropped EXE
43. C:\Windows\SysWOW64\Mlifnphl.exe (command line: C:\Windows\system32\Mlifnphl.exe), PID 2144
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
44. C:\Windows\SysWOW64\Mklfjm32.exe (command line: C:\Windows\system32\Mklfjm32.exe), PID 4924
    - Executes dropped EXE
45. C:\Windows\SysWOW64\Mebkge32.exe (command line: C:\Windows\system32\Mebkge32.exe), PID 4632
    - Executes dropped EXE
46. C:\Windows\SysWOW64\Mddkbbfg.exe (command line: C:\Windows\system32\Mddkbbfg.exe), PID 444
    - Executes dropped EXE
    - Drops file in System32 directory
47. C:\Windows\SysWOW64\Mahklf32.exe (command line: C:\Windows\system32\Mahklf32.exe), PID 4524
    - Executes dropped EXE
48. C:\Windows\SysWOW64\Nakhaf32.exe (command line: C:\Windows\system32\Nakhaf32.exe), PID 4576
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
49. C:\Windows\SysWOW64\Nefdbekh.exe (command line: C:\Windows\system32\Nefdbekh.exe), PID 2904
    - Executes dropped EXE
50. C:\Windows\SysWOW64\Nlqloo32.exe (command line: C:\Windows\system32\Nlqloo32.exe), PID 2756
    - Executes dropped EXE
51. C:\Windows\SysWOW64\Nooikj32.exe (command line: C:\Windows\system32\Nooikj32.exe), PID 2256
    - Executes dropped EXE
52. C:\Windows\SysWOW64\Ndlacapp.exe (command line: C:\Windows\system32\Ndlacapp.exe), PID 2248
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
53. C:\Windows\SysWOW64\Nhgmcp32.exe (command line: C:\Windows\system32\Nhgmcp32.exe), PID 2204
    - Executes dropped EXE
54. C:\Windows\SysWOW64\Napameoi.exe (command line: C:\Windows\system32\Napameoi.exe), PID 1292
    - Executes dropped EXE
    - Drops file in System32 directory
55. C:\Windows\SysWOW64\Nhjjip32.exe (command line: C:\Windows\system32\Nhjjip32.exe), PID 3796
    - Executes dropped EXE
56. C:\Windows\SysWOW64\Nconfh32.exe (command line: C:\Windows\system32\Nconfh32.exe), PID 2728
    - Executes dropped EXE
57. C:\Windows\SysWOW64\Nfnjbdep.exe (command line: C:\Windows\system32\Nfnjbdep.exe), PID 3836
    - Executes dropped EXE
    - Modifies registry class
58. C:\Windows\SysWOW64\Nfpghccm.exe (command line: C:\Windows\system32\Nfpghccm.exe), PID 4868
    - Executes dropped EXE
59. C:\Windows\SysWOW64\Ocdgahag.exe (command line: C:\Windows\system32\Ocdgahag.exe), PID 4628
    - Executes dropped EXE
60. C:\Windows\SysWOW64\Odedipge.exe (command line: C:\Windows\system32\Odedipge.exe), PID 3568
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
61. C:\Windows\SysWOW64\Okolfj32.exe (command line: C:\Windows\system32\Okolfj32.exe), PID 980
    - Executes dropped EXE
62. C:\Windows\SysWOW64\Odgqopeb.exe (command line: C:\Windows\system32\Odgqopeb.exe), PID 3860
    - Executes dropped EXE
63. C:\Windows\SysWOW64\Oomelheh.exe (command line: C:\Windows\system32\Oomelheh.exe), PID 2844
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
64. C:\Windows\SysWOW64\Omaeem32.exe (command line: C:\Windows\system32\Omaeem32.exe), PID 1948
    - Executes dropped EXE
65. C:\Windows\SysWOW64\Ofijnbkb.exe (command line: C:\Windows\system32\Ofijnbkb.exe), PID 4712
    - Executes dropped EXE
    - Modifies registry class
66. C:\Windows\SysWOW64\Ocmjhfjl.exe (command line: C:\Windows\system32\Ocmjhfjl.exe), PID 696
67. C:\Windows\SysWOW64\Obpkcc32.exe (command line: C:\Windows\system32\Obpkcc32.exe), PID 3664
    - Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Pmeoqlpl.exe (command line: C:\Windows\system32\Pmeoqlpl.exe), PID 3700
69. C:\Windows\SysWOW64\Pbbgicnd.exe (command line: C:\Windows\system32\Pbbgicnd.exe), PID 1140
70. C:\Windows\SysWOW64\Pdqcenmg.exe (command line: C:\Windows\system32\Pdqcenmg.exe), PID 932
71. C:\Windows\SysWOW64\Pcbdcf32.exe (command line: C:\Windows\system32\Pcbdcf32.exe), PID 3256
72. C:\Windows\SysWOW64\Pfppoa32.exe (command line: C:\Windows\system32\Pfppoa32.exe), PID 1816
73. C:\Windows\SysWOW64\Pkmhgh32.exe (command line: C:\Windows\system32\Pkmhgh32.exe), PID 2768
    - Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Pfbmdabh.exe (command line: C:\Windows\system32\Pfbmdabh.exe), PID 4724
75. C:\Windows\SysWOW64\Pbljoafi.exe (command line: C:\Windows\system32\Pbljoafi.exe), PID 1820
76. C:\Windows\SysWOW64\Qelcamcj.exe (command line: C:\Windows\system32\Qelcamcj.exe), PID 2212
77. C:\Windows\SysWOW64\Qmckbjdl.exe (command line: C:\Windows\system32\Qmckbjdl.exe), PID 3576
    - System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\Aijlgkjq.exe (command line: C:\Windows\system32\Aijlgkjq.exe), PID 4420
    - Drops file in System32 directory
79. C:\Windows\SysWOW64\Aimhmkgn.exe (command line: C:\Windows\system32\Aimhmkgn.exe), PID 1028
80. C:\Windows\SysWOW64\Alkeifga.exe (command line: C:\Windows\system32\Alkeifga.exe), PID 2444
81. C:\Windows\SysWOW64\Afqifo32.exe (command line: C:\Windows\system32\Afqifo32.exe), PID 3852
82. C:\Windows\SysWOW64\Almanf32.exe (command line: C:\Windows\system32\Almanf32.exe), PID 4456
83. C:\Windows\SysWOW64\Aiabhj32.exe (command line: C:\Windows\system32\Aiabhj32.exe), PID 4480
84. C:\Windows\SysWOW64\Ammnhilb.exe (command line: C:\Windows\system32\Ammnhilb.exe), PID 4236
85. C:\Windows\SysWOW64\Bcicjbal.exe (command line: C:\Windows\system32\Bcicjbal.exe), PID 3500
    - Drops file in System32 directory
86. C:\Windows\SysWOW64\Bldgoeog.exe (command line: C:\Windows\system32\Bldgoeog.exe), PID 3332
87. C:\Windows\SysWOW64\Bemlhj32.exe (command line: C:\Windows\system32\Bemlhj32.exe), PID 1520
88. C:\Windows\SysWOW64\Bcnleb32.exe (command line: C:\Windows\system32\Bcnleb32.exe), PID 2036
89. C:\Windows\SysWOW64\Bikeni32.exe (command line: C:\Windows\system32\Bikeni32.exe), PID 3544
    - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Bcpika32.exe (command line: C:\Windows\system32\Bcpika32.exe), PID 1868
91. C:\Windows\SysWOW64\Bfoegm32.exe (command line: C:\Windows\system32\Bfoegm32.exe), PID 4312
92. C:\Windows\SysWOW64\Beaecjab.exe (command line: C:\Windows\system32\Beaecjab.exe), PID 1872
93. C:\Windows\SysWOW64\Bmimdg32.exe (command line: C:\Windows\system32\Bmimdg32.exe), PID 2864
94. C:\Windows\SysWOW64\Bpgjpb32.exe (command line: C:\Windows\system32\Bpgjpb32.exe), PID 2172
95. C:\Windows\SysWOW64\Bfabmmhe.exe (command line: C:\Windows\system32\Bfabmmhe.exe), PID 1092
96. C:\Windows\SysWOW64\Blnjecfl.exe (command line: C:\Windows\system32\Blnjecfl.exe), PID 216
97. C:\Windows\SysWOW64\Cbhbbn32.exe (command line: C:\Windows\system32\Cbhbbn32.exe), PID 1380
98. C:\Windows\SysWOW64\Cmmgof32.exe (command line: C:\Windows\system32\Cmmgof32.exe), PID 3660
    - Modifies registry class
99. C:\Windows\SysWOW64\Cplckbmc.exe (command line: C:\Windows\system32\Cplckbmc.exe), PID 2784
100. C:\Windows\SysWOW64\Cehlcikj.exe (command line: C:\Windows\system32\Cehlcikj.exe), PID 2500
101. C:\Windows\SysWOW64\Cidgdg32.exe (command line: C:\Windows\system32\Cidgdg32.exe), PID 740
102. C:\Windows\SysWOW64\Cdjlap32.exe (command line: C:\Windows\system32\Cdjlap32.exe), PID 4748
     - Drops file in System32 directory
     - System Location Discovery: System Language Discovery
103. C:\Windows\SysWOW64\Cdlhgpag.exe (command line: C:\Windows\system32\Cdlhgpag.exe), PID 4764
     - System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Cemeoh32.exe (command line: C:\Windows\system32\Cemeoh32.exe), PID 4828
     - System Location Discovery: System Language Discovery
     - Modifies registry class
105. C:\Windows\SysWOW64\Clgmkbna.exe (command line: C:\Windows\system32\Clgmkbna.exe), PID 1188
106. C:\Windows\SysWOW64\Cdnelpod.exe (command line: C:\Windows\system32\Cdnelpod.exe), PID 2156
107. C:\Windows\SysWOW64\Cfmahknh.exe (command line: C:\Windows\system32\Cfmahknh.exe), PID 2068
     - Adds autorun key to be loaded by Explorer.exe on startup
108. C:\Windows\SysWOW64\Dbcbnlcl.exe (command line: C:\Windows\system32\Dbcbnlcl.exe), PID 328
109. C:\Windows\SysWOW64\Dmifkecb.exe (command line: C:\Windows\system32\Dmifkecb.exe), PID 2560
110. C:\Windows\SysWOW64\Dbfoclai.exe (command line: C:\Windows\system32\Dbfoclai.exe), PID 2752
     - Drops file in System32 directory
111. C:\Windows\SysWOW64\Dedkogqm.exe (command line: C:\Windows\system32\Dedkogqm.exe), PID 5092
112. C:\Windows\SysWOW64\Ddekmo32.exe (command line: C:\Windows\system32\Ddekmo32.exe), PID 3620
113. C:\Windows\SysWOW64\Defheg32.exe (command line: C:\Windows\system32\Defheg32.exe), PID 5148
     - Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Ddhhbngi.exe (command line: C:\Windows\system32\Ddhhbngi.exe), PID 5184
     - Drops file in System32 directory
115. C:\Windows\SysWOW64\Deidjf32.exe (command line: C:\Windows\system32\Deidjf32.exe), PID 5220
116. C:\Windows\SysWOW64\Dmplkd32.exe (command line: C:\Windows\system32\Dmplkd32.exe), PID 5256
117. C:\Windows\SysWOW64\Dpoiho32.exe (command line: C:\Windows\system32\Dpoiho32.exe), PID 5296
     - Drops file in System32 directory
118. C:\Windows\SysWOW64\Dekapfke.exe (command line: C:\Windows\system32\Dekapfke.exe), PID 5332
119. C:\Windows\SysWOW64\Eleimp32.exe (command line: C:\Windows\system32\Eleimp32.exe), PID 5368
     - Modifies registry class
120. C:\Windows\SysWOW64\Ecoaijio.exe (command line: C:\Windows\system32\Ecoaijio.exe), PID 5404
121. C:\Windows\SysWOW64\Edoncm32.exe (command line: C:\Windows\system32\Edoncm32.exe), PID 5440
122. C:\Windows\SysWOW64\Eilfldoi.exe (command line: C:\Windows\system32\Eilfldoi.exe), PID 5476