Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 03:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe
-
Size
72KB
-
MD5
6e8ea982cdf1381ae7a56d11cede7262
-
SHA1
cdc0a38ca75de531ed82ca0588481582da106fa6
-
SHA256
c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330
-
SHA512
53177132a8645c69ab425db81241fe6a643d70ae5c4f59588c821d74d08ebd0194c7d9268fda4cdde9e174615432db6b3773431e8f2f0aad851691e5e0db1f16
-
SSDEEP
1536:46+69QiBZOaQ/aRPfMcp+nXe4DpPI5rGzrfAnNW:4R69Eel415kYEN
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mdlfngcc.exeApclnj32.exeImhqbkbm.exeKamlhl32.exeMaanab32.exeNcipjieo.exeBhdjno32.exeGoocenaa.exeQcmkhi32.exeCgdciiod.exeNfdfmfle.exePilbocej.exeGecklbih.exePlpqim32.exeEifobe32.exePfkimhhi.exeEhkcpc32.exeAnecfgdc.exeBoeoek32.exeCcgnelll.exeCiglaa32.exeQmenhe32.exePmkdhq32.exeLmbabj32.exeKckjmpko.exeGeqlnjcf.exePidaba32.exeLofkoamf.exeNkfkidmk.exeLljipmdl.exeClciod32.exeGpoibp32.exeHpnlndkp.exeKiemmh32.exeAedlhg32.exeGgklka32.exeNqpmimbe.exeIcgdcm32.exeJlnmel32.exePadjmfdg.exeKfacdqhf.exeFfiepg32.exeLlpoohik.exeKenjgi32.exeBoobki32.exeEmdhhdqb.exeHkjnenbp.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdlfngcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apclnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imhqbkbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kamlhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maanab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncipjieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdjno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goocenaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgdciiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdfmfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pilbocej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gecklbih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eifobe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkimhhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehkcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boeoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccgnelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciglaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmenhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmkdhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmbabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckjmpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pidaba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lofkoamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkfkidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljipmdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clciod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpoibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnlndkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiemmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aedlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggklka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icgdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlnmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfacdqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffiepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpoohik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenjgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boobki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdhhdqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjnenbp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Jabponba.exeJbclgf32.exeJfohgepi.exeJpgmpk32.exeJedehaea.exeJlnmel32.exeJbhebfck.exeJibnop32.exeJlqjkk32.exeJnofgg32.exeKidjdpie.exeKlcgpkhh.exeKapohbfp.exeKhjgel32.exeKjhcag32.exeKhldkllj.exeKoflgf32.exeKpgionie.exeKipmhc32.exeKdeaelok.exeKbhbai32.exeLmmfnb32.exeLplbjm32.exeLidgcclp.exeLmpcca32.exeLpnopm32.exeLekghdad.exeLhiddoph.exeLcohahpn.exeLemdncoa.exeLkjmfjmi.exeLdbaopdj.exeLljipmdl.exeMebnic32.exeMgcjpkak.exeMploiq32.exeMhcfjnhm.exeMkacfiga.exeMnpobefe.exeMnblhddb.exeMpphdpcf.exeMgjpaj32.exeMjilmejf.exeMqbejp32.exeMcaafk32.exeMgmmfjip.exeMfpmbf32.exeMjkibehc.exeNqeapo32.exeNbfnggeo.exeNhpfdaml.exeNllbdp32.exeNojnql32.exeNbhkmg32.exeNfdfmfle.exeNhbciaki.exeNomkfk32.exeNnokahip.exeNdicnb32.exeNhepoaif.exeNkclkl32.exeNoohlkpc.exeNbmdhfog.exeNigldq32.exepid Process 2376 Jabponba.exe 2776 Jbclgf32.exe 2724 Jfohgepi.exe 2720 Jpgmpk32.exe 2624 Jedehaea.exe 2348 Jlnmel32.exe 2512 Jbhebfck.exe 2208 Jibnop32.exe 2460 Jlqjkk32.exe 2832 Jnofgg32.exe 1916 Kidjdpie.exe 2932 Klcgpkhh.exe 484 Kapohbfp.exe 1648 Khjgel32.exe 884 Kjhcag32.exe 2144 Khldkllj.exe 2092 Koflgf32.exe 1424 Kpgionie.exe 1684 Kipmhc32.exe 2524 Kdeaelok.exe 1924 Kbhbai32.exe 988 Lmmfnb32.exe 1220 Lplbjm32.exe 2404 Lidgcclp.exe 2176 Lmpcca32.exe 2408 Lpnopm32.exe 2744 Lekghdad.exe 2796 Lhiddoph.exe 2988 Lcohahpn.exe 2584 Lemdncoa.exe 2260 Lkjmfjmi.exe 2440 Ldbaopdj.exe 2116 Lljipmdl.exe 1588 Mebnic32.exe 568 Mgcjpkak.exe 1800 Mploiq32.exe 2124 Mhcfjnhm.exe 1548 Mkacfiga.exe 628 Mnpobefe.exe 2328 Mnblhddb.exe 344 Mpphdpcf.exe 2076 Mgjpaj32.exe 2468 Mjilmejf.exe 2548 Mqbejp32.exe 1204 Mcaafk32.exe 3052 Mgmmfjip.exe 2196 Mfpmbf32.exe 1216 Mjkibehc.exe 2108 Nqeapo32.exe 1364 Nbfnggeo.exe 2716 Nhpfdaml.exe 2604 Nllbdp32.exe 2784 Nojnql32.exe 2644 Nbhkmg32.exe 3064 Nfdfmfle.exe 1868 Nhbciaki.exe 1296 Nomkfk32.exe 2168 Nnokahip.exe 576 Ndicnb32.exe 2200 Nhepoaif.exe 1544 Nkclkl32.exe 1164 Noohlkpc.exe 1244 Nbmdhfog.exe 2244 Nigldq32.exe -
Loads dropped DLL 64 IoCs
Processes:
c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exeJabponba.exeJbclgf32.exeJfohgepi.exeJpgmpk32.exeJedehaea.exeJlnmel32.exeJbhebfck.exeJibnop32.exeJlqjkk32.exeJnofgg32.exeKidjdpie.exeKlcgpkhh.exeKapohbfp.exeKhjgel32.exeKjhcag32.exeKhldkllj.exeKoflgf32.exeKpgionie.exeKipmhc32.exeKdeaelok.exeKbhbai32.exeLmmfnb32.exeLplbjm32.exeLidgcclp.exeLmpcca32.exeLpnopm32.exeLekghdad.exeLhiddoph.exeLcohahpn.exeLemdncoa.exeLkjmfjmi.exepid Process 2188 c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe 2188 c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe 2376 Jabponba.exe 2376 Jabponba.exe 2776 Jbclgf32.exe 2776 Jbclgf32.exe 2724 Jfohgepi.exe 2724 Jfohgepi.exe 2720 Jpgmpk32.exe 2720 Jpgmpk32.exe 2624 Jedehaea.exe 2624 Jedehaea.exe 2348 Jlnmel32.exe 2348 Jlnmel32.exe 2512 Jbhebfck.exe 2512 Jbhebfck.exe 2208 Jibnop32.exe 2208 Jibnop32.exe 2460 Jlqjkk32.exe 2460 Jlqjkk32.exe 2832 Jnofgg32.exe 2832 Jnofgg32.exe 1916 Kidjdpie.exe 1916 Kidjdpie.exe 2932 Klcgpkhh.exe 2932 Klcgpkhh.exe 484 Kapohbfp.exe 484 Kapohbfp.exe 1648 Khjgel32.exe 1648 Khjgel32.exe 884 Kjhcag32.exe 884 Kjhcag32.exe 2144 Khldkllj.exe 2144 Khldkllj.exe 2092 Koflgf32.exe 2092 Koflgf32.exe 1424 Kpgionie.exe 1424 Kpgionie.exe 1684 Kipmhc32.exe 1684 Kipmhc32.exe 2524 Kdeaelok.exe 2524 Kdeaelok.exe 1924 Kbhbai32.exe 1924 Kbhbai32.exe 988 Lmmfnb32.exe 988 Lmmfnb32.exe 1220 Lplbjm32.exe 1220 Lplbjm32.exe 2404 Lidgcclp.exe 2404 Lidgcclp.exe 2176 Lmpcca32.exe 2176 Lmpcca32.exe 2408 Lpnopm32.exe 2408 Lpnopm32.exe 2744 Lekghdad.exe 2744 Lekghdad.exe 2796 Lhiddoph.exe 2796 Lhiddoph.exe 2988 Lcohahpn.exe 2988 Lcohahpn.exe 2584 Lemdncoa.exe 2584 Lemdncoa.exe 2260 Lkjmfjmi.exe 2260 Lkjmfjmi.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ephdjeol.exeGpgjnbnl.exeJnlepioj.exeCkmpkpbl.exePpdfimji.exeJlnmel32.exeNohaklfk.exeFejfmk32.exePhobjp32.exeIfpelq32.exeOfobgc32.exeOmhkcnfg.exeHmqieh32.exeIjopjhfh.exeLdhgnk32.exeAdgein32.exeKhjgel32.exeLhimji32.exeFnmjpk32.exeGoocenaa.exeAdmgglep.exeGlijnmdj.exeIcplje32.exeCncolfcl.exeHoipnl32.exeAahimb32.exeBlqmid32.exeEmeobj32.exeKjhfjpdd.exeMhcicf32.exeLamjph32.exeDkjhjm32.exeFhbbcail.exeFjckelfm.exeFdnlcakk.exeHganjo32.exeHlpchfdi.exeCodeih32.exePnnmeh32.exeJbhebfck.exeOmiand32.exeFldabn32.exeJqfhqe32.exedescription ioc Process File created C:\Windows\SysWOW64\Bijlibjp.dll Ephdjeol.exe File opened for modification C:\Windows\SysWOW64\Gfabkl32.exe Gpgjnbnl.exe File opened for modification C:\Windows\SysWOW64\Kqkalenn.exe Jnlepioj.exe File created C:\Windows\SysWOW64\Qnpeijla.exe File opened for modification C:\Windows\SysWOW64\Cbghhj32.exe Ckmpkpbl.exe File created C:\Windows\SysWOW64\Pglojj32.exe Ppdfimji.exe File created C:\Windows\SysWOW64\Jbhebfck.exe Jlnmel32.exe File opened for modification C:\Windows\SysWOW64\Nbfnggeo.exe Nohaklfk.exe File opened for modification C:\Windows\SysWOW64\Dlpdfjjp.exe File created C:\Windows\SysWOW64\Flnjii32.dll File created C:\Windows\SysWOW64\Fhhbif32.exe Fejfmk32.exe File opened for modification C:\Windows\SysWOW64\Pnhjgj32.exe Phobjp32.exe File created C:\Windows\SysWOW64\Jfhbig32.dll Ifpelq32.exe File opened for modification C:\Windows\SysWOW64\Ohmoco32.exe Ofobgc32.exe File opened for modification C:\Windows\SysWOW64\Ooggpiek.exe Omhkcnfg.exe File created C:\Windows\SysWOW64\Hehafe32.exe Hmqieh32.exe File created C:\Windows\SysWOW64\Qmcelb32.dll Ijopjhfh.exe File created C:\Windows\SysWOW64\Hncklnkp.dll File created C:\Windows\SysWOW64\Klalgq32.dll Ldhgnk32.exe File created C:\Windows\SysWOW64\Eenfifcn.dll Adgein32.exe File opened for modification C:\Windows\SysWOW64\Bmdefk32.exe File created C:\Windows\SysWOW64\Foefccmp.dll File created C:\Windows\SysWOW64\Pjppmlhm.exe File created C:\Windows\SysWOW64\Kjhcag32.exe Khjgel32.exe File opened for modification C:\Windows\SysWOW64\Lkgifd32.exe Lhimji32.exe File created C:\Windows\SysWOW64\Dhfljfho.dll Fnmjpk32.exe File created C:\Windows\SysWOW64\Gampaipe.exe Goocenaa.exe File created C:\Windows\SysWOW64\Ahhchk32.exe Admgglep.exe File created C:\Windows\SysWOW64\Gngfjicn.exe Glijnmdj.exe File created C:\Windows\SysWOW64\Nihodebm.dll File created C:\Windows\SysWOW64\Afbpnlcd.exe File opened for modification C:\Windows\SysWOW64\Igkhjdde.exe Icplje32.exe File created C:\Windows\SysWOW64\Fagimi32.dll Glijnmdj.exe File created C:\Windows\SysWOW64\Caokmd32.exe Cncolfcl.exe File created C:\Windows\SysWOW64\Hahljg32.exe Hoipnl32.exe File created C:\Windows\SysWOW64\Aiflpm32.exe File opened for modification C:\Windows\SysWOW64\Bbimbpld.exe File created C:\Windows\SysWOW64\Adgein32.exe Aahimb32.exe File opened for modification C:\Windows\SysWOW64\Gpeoakhc.exe File created C:\Windows\SysWOW64\Fgjdgifj.dll Blqmid32.exe File created C:\Windows\SysWOW64\Dlijld32.dll Emeobj32.exe File opened for modification C:\Windows\SysWOW64\Kbpnkm32.exe Kjhfjpdd.exe File created C:\Windows\SysWOW64\Enjqlaec.dll Mhcicf32.exe File opened for modification C:\Windows\SysWOW64\Lckflc32.exe Lamjph32.exe File created C:\Windows\SysWOW64\Dnhefh32.exe Dkjhjm32.exe File created C:\Windows\SysWOW64\Djpjjl32.dll Fhbbcail.exe File opened for modification C:\Windows\SysWOW64\Fmbgageq.exe Fjckelfm.exe File created C:\Windows\SysWOW64\Ffmipmjn.exe Fdnlcakk.exe File created C:\Windows\SysWOW64\Pfgqnf32.dll Hganjo32.exe File opened for modification C:\Windows\SysWOW64\Hdgkicek.exe Hlpchfdi.exe File opened for modification C:\Windows\SysWOW64\Cabaec32.exe Codeih32.exe File created C:\Windows\SysWOW64\Iaehne32.dll Hmqieh32.exe File created C:\Windows\SysWOW64\Kcipdg32.dll File created C:\Windows\SysWOW64\Qcpnob32.dll File created C:\Windows\SysWOW64\Kokahpfn.dll Pnnmeh32.exe File opened for modification C:\Windows\SysWOW64\Ilmlfcel.exe Ijopjhfh.exe File created C:\Windows\SysWOW64\Polobd32.exe File created C:\Windows\SysWOW64\Oqagbp32.dll File created C:\Windows\SysWOW64\Meeopdhb.exe File opened for modification C:\Windows\SysWOW64\Baecehhh.exe File opened for modification C:\Windows\SysWOW64\Jibnop32.exe Jbhebfck.exe File created C:\Windows\SysWOW64\Pppgjnfc.dll Omiand32.exe File opened for modification C:\Windows\SysWOW64\Fppmcmah.exe Fldabn32.exe File created C:\Windows\SysWOW64\Jhmpbc32.exe Jqfhqe32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 5404 5480 1513 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hpnlndkp.exeJjfmem32.exeQaqlbmbn.exeNbpqmfmd.exeEejjnhgc.exeBahelebm.exeGbmlkl32.exeJghqia32.exeHgfooe32.exeQlggjlep.exeBkkioeig.exeMioeeifi.exeCdqkifmb.exeLlpoohik.exeIhpgce32.exeAicfgn32.exeJcfoihhp.exeQnqjkh32.exeKenjgi32.exeKikokf32.exeKpgdnp32.exePmfjmake.exeOjndpqpq.exeDpcnbn32.exeFmlecinf.exeCaokmd32.exeOjpaeq32.exeQmcclolh.exeAlaccj32.exeQigebglj.exeCamnge32.exeCapdpcge.exeNpkdnnfk.exeAdgein32.exeEcnpdnho.exeCnlnpd32.exeDjeljd32.exeJlqjkk32.exeBlniinac.exeCggcofkf.exeCniajdkg.exeElmkmo32.exeIokhcodo.exeEelgcg32.exeOhengmcf.exeJhhfgcgj.exeKjcedj32.exeOqjibkek.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnlndkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfmem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqlbmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpqmfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejjnhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahelebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmlkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghqia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkioeig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mioeeifi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdqkifmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpoohik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpgce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfoihhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnqjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenjgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kikokf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgdnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfjmake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojndpqpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcnbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlecinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alaccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qigebglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camnge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkdnnfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgein32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpdnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlnpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqjkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blniinac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggcofkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cniajdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohengmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhfgcgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcedj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqjibkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Chggdoee.exeDjeljd32.exeIlmlfcel.exeChocodch.exeKihpmnbb.exeHkejnl32.exeMioeeifi.exeKoflgf32.exeAphehidc.exeCabaec32.exeJcckibfg.exeKenjgi32.exeOqjibkek.exeAhcjmkbo.exeOmhkcnfg.exeQpniokan.exeJqnhmgmk.exeDonojm32.exeNlldmimi.exeEhmpeb32.exeMdojnm32.exeOjeakfnd.exeQlggjlep.exeBobleeef.exeKhagijcd.exeLmbabj32.exeLlhocfnb.exeMhalngad.exeCniajdkg.exeFhkagonc.exeChbihc32.exeFmbgageq.exeGekhgh32.exeJbakpi32.exeMlpngd32.exeGipngg32.exeIgkjcm32.exeIkicikap.exeNipefmkb.exeFldabn32.exeLkifkdjm.exeNnlhab32.exeNqpmimbe.exeKpbhjh32.exeKimjhnnl.exeAdgein32.exeEgebjmdn.exeNnokahip.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madfkk32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgjeonp.dll" Djeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilmlfcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limiaafb.dll" Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhlopf.dll" Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkpnjeha.dll" Hkejnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mioeeifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegphc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll" Cabaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcckibfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejkoijd.dll" Kenjgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqjibkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmknff32.dll" Ahcjmkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdqcfdkh.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkekbn32.dll" Omhkcnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqnhmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbppmob.dll" Donojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhnmei32.dll" Nlldmimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkagib32.dll" Ojeakfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll" Bobleeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdegnfli.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghomh32.dll" Khagijcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcejbh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chobpcbd.dll" Lmbabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llhocfnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhalngad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll" Cniajdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhkagonc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmbgageq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gekhgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbakpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naflocji.dll" Mlpngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chobmj32.dll" Gipngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agiidifg.dll" Igkjcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikicikap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nipefmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fldabn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgmmkof.dll" Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfqnhjl.dll" Nqpmimbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpbhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenfifcn.dll" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjbgbg.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehddcn32.dll" Nnokahip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chocodch.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exeJabponba.exeJbclgf32.exeJfohgepi.exeJpgmpk32.exeJedehaea.exeJlnmel32.exeJbhebfck.exeJibnop32.exeJlqjkk32.exeJnofgg32.exeKidjdpie.exeKlcgpkhh.exeKapohbfp.exeKhjgel32.exeKjhcag32.exedescription pid Process procid_target PID 2188 wrote to memory of 2376 2188 c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe 30 PID 2188 wrote to memory of 2376 2188 c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe 30 PID 2188 wrote to memory of 2376 2188 c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe 30 PID 2188 wrote to memory of 2376 2188 c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe 30 PID 2376 wrote to memory of 2776 2376 Jabponba.exe 31 PID 2376 wrote to memory of 2776 2376 Jabponba.exe 31 PID 2376 wrote to memory of 2776 2376 Jabponba.exe 31 PID 2376 wrote to memory of 2776 2376 Jabponba.exe 31 PID 2776 wrote to memory of 2724 2776 Jbclgf32.exe 32 PID 2776 wrote to memory of 2724 2776 Jbclgf32.exe 32 PID 2776 wrote to memory of 2724 2776 Jbclgf32.exe 32 PID 2776 wrote to memory of 2724 2776 Jbclgf32.exe 32 PID 2724 wrote to memory of 2720 2724 Jfohgepi.exe 33 PID 2724 wrote to memory of 2720 2724 Jfohgepi.exe 33 PID 2724 wrote to memory of 2720 2724 Jfohgepi.exe 33 PID 2724 wrote to memory of 2720 2724 Jfohgepi.exe 33 PID 2720 wrote to memory of 2624 2720 Jpgmpk32.exe 34 PID 2720 wrote to memory of 2624 2720 Jpgmpk32.exe 34 PID 2720 wrote to memory of 2624 2720 Jpgmpk32.exe 34 PID 2720 wrote to memory of 2624 2720 Jpgmpk32.exe 34 PID 2624 wrote to memory of 2348 2624 Jedehaea.exe 35 PID 2624 wrote to memory of 2348 2624 Jedehaea.exe 35 PID 2624 wrote to memory of 2348 2624 Jedehaea.exe 35 PID 2624 wrote to memory of 2348 2624 Jedehaea.exe 35 PID 2348 wrote to memory of 2512 2348 Jlnmel32.exe 36 PID 2348 wrote to memory of 2512 2348 Jlnmel32.exe 36 PID 2348 wrote to memory of 2512 2348 Jlnmel32.exe 36 PID 2348 wrote to memory of 2512 2348 Jlnmel32.exe 36 PID 2512 wrote to memory of 2208 2512 Jbhebfck.exe 37 PID 2512 wrote to memory of 2208 2512 Jbhebfck.exe 37 PID 2512 wrote to memory of 2208 2512 Jbhebfck.exe 37 PID 2512 wrote to memory of 2208 2512 Jbhebfck.exe 37 PID 2208 wrote to memory of 2460 2208 Jibnop32.exe 38 PID 2208 wrote to memory of 2460 2208 Jibnop32.exe 38 PID 2208 wrote to memory of 2460 2208 Jibnop32.exe 38 PID 2208 wrote to memory of 2460 2208 Jibnop32.exe 38 PID 2460 wrote to memory of 2832 2460 Jlqjkk32.exe 39 PID 2460 wrote to memory of 2832 2460 Jlqjkk32.exe 39 PID 2460 wrote to memory of 2832 2460 Jlqjkk32.exe 39 PID 2460 wrote to memory of 2832 2460 Jlqjkk32.exe 39 PID 2832 wrote to memory of 1916 2832 Jnofgg32.exe 40 PID 2832 wrote to memory of 1916 2832 Jnofgg32.exe 40 PID 2832 wrote to memory of 1916 2832 Jnofgg32.exe 40 PID 2832 wrote to memory of 1916 2832 Jnofgg32.exe 40 PID 1916 wrote to memory of 2932 1916 Kidjdpie.exe 41 PID 1916 wrote to memory of 2932 1916 Kidjdpie.exe 41 PID 1916 wrote to memory of 2932 1916 Kidjdpie.exe 41 PID 1916 wrote to memory of 2932 1916 Kidjdpie.exe 41 PID 2932 wrote to memory of 484 2932 Klcgpkhh.exe 42 PID 2932 wrote to memory of 484 2932 Klcgpkhh.exe 42 PID 2932 wrote to memory of 484 2932 Klcgpkhh.exe 42 PID 2932 wrote to memory of 484 2932 Klcgpkhh.exe 42 PID 484 wrote to memory of 1648 484 Kapohbfp.exe 43 PID 484 wrote to memory of 1648 484 Kapohbfp.exe 43 PID 484 wrote to memory of 1648 484 Kapohbfp.exe 43 PID 484 wrote to memory of 1648 484 Kapohbfp.exe 43 PID 1648 wrote to memory of 884 1648 Khjgel32.exe 44 PID 1648 wrote to memory of 884 1648 Khjgel32.exe 44 PID 1648 wrote to memory of 884 1648 Khjgel32.exe 44 PID 1648 wrote to memory of 884 1648 Khjgel32.exe 44 PID 884 wrote to memory of 2144 884 Kjhcag32.exe 45 PID 884 wrote to memory of 2144 884 Kjhcag32.exe 45 PID 884 wrote to memory of 2144 884 Kjhcag32.exe 45 PID 884 wrote to memory of 2144 884 Kjhcag32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe"C:\Users\Admin\AppData\Local\Temp\c01c6056bbed98e749c6e50a2a84aea4847a9f39341f7a8261f20b120582e330.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Jfohgepi.exeC:\Windows\system32\Jfohgepi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jedehaea.exeC:\Windows\system32\Jedehaea.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Kidjdpie.exeC:\Windows\system32\Kidjdpie.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Khjgel32.exeC:\Windows\system32\Khjgel32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Kjhcag32.exeC:\Windows\system32\Kjhcag32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Koflgf32.exeC:\Windows\system32\Koflgf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Kdeaelok.exeC:\Windows\system32\Kdeaelok.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Lmpcca32.exeC:\Windows\system32\Lmpcca32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Lhiddoph.exeC:\Windows\system32\Lhiddoph.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Lkjmfjmi.exeC:\Windows\system32\Lkjmfjmi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe33⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Mebnic32.exeC:\Windows\system32\Mebnic32.exe35⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe36⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe37⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe38⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe39⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe40⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe41⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe42⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe43⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe44⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe45⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe46⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe47⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe48⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mjkibehc.exeC:\Windows\system32\Mjkibehc.exe49⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe50⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe51⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe52⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Nhpfdaml.exeC:\Windows\system32\Nhpfdaml.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe54⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Nojnql32.exeC:\Windows\system32\Nojnql32.exe55⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe56⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Nfdfmfle.exeC:\Windows\system32\Nfdfmfle.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe58⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe59⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe61⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe62⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe63⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe64⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe65⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe66⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe67⤵PID:380
-
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe68⤵PID:1628
-
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe69⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe70⤵PID:1492
-
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe71⤵PID:1540
-
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe72⤵PID:2868
-
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe73⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe74⤵PID:1572
-
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe75⤵PID:1564
-
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe76⤵PID:1728
-
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe77⤵PID:2836
-
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe78⤵PID:2848
-
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe79⤵PID:2940
-
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe80⤵PID:2152
-
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe81⤵PID:1192
-
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe82⤵PID:1144
-
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe83⤵PID:1436
-
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe84⤵PID:2660
-
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe85⤵PID:2212
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe86⤵PID:664
-
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe87⤵PID:2160
-
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe88⤵PID:2780
-
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe89⤵PID:2712
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe90⤵PID:2268
-
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1356 -
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe92⤵PID:1032
-
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe93⤵PID:804
-
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe94⤵PID:572
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe97⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe98⤵PID:264
-
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe99⤵PID:2400
-
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe100⤵PID:2732
-
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe101⤵PID:2608
-
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe102⤵PID:2696
-
C:\Windows\SysWOW64\Pmnghfhi.exeC:\Windows\system32\Pmnghfhi.exe103⤵PID:2648
-
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe104⤵PID:2064
-
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe105⤵PID:2812
-
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe106⤵PID:2096
-
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe107⤵PID:332
-
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe108⤵PID:2372
-
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe109⤵PID:1168
-
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe110⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe111⤵PID:2300
-
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe112⤵PID:2688
-
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe113⤵PID:2120
-
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe115⤵PID:2752
-
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe116⤵PID:1680
-
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe117⤵PID:2816
-
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe118⤵PID:2344
-
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe119⤵PID:2420
-
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe120⤵PID:2552
-
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe121⤵PID:2104
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-