Analysis
max time kernel: 78s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 11:10
Static task: static1
Behavioral task: behavioral1
  Sample: Trojan.Win32.Cerber.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Trojan.Win32.Cerber.exe
  Resource: win10v2004-20240802-en
General
Target: Trojan.Win32.Cerber.exe
Size: 94KB
MD5: 3a036aa5a1984776d235df96bacac0c0
SHA1: 37a783eb934cd0948111d16bc7254319e94905c2
SHA256: 5bd3bb964de7ec8a29fba88ceb7750af54e8e2a5b5ec8fdf199ddafb79231343
SHA512: ed443ec293eb9f2453e9615aa4ceebc159bf7e3617560693cde3492aaf6ba14dce9aeb7d46e5dae7d16dee5488df36cc8f23aba20615eada22af921af5eb7b7a
SSDEEP: 1536:IZbavAMXeO4K5G7oKEOLgqCNjbpHxIUt5jWwV62LhaIZTJ+7LhkiB0MPiKeEAgv:G24hiG8QANjbpHN7awZhaMU7uihJ5v
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
process: WerFault.exe (pid 2652); target process: Ikjlij32.exe (pid 3532)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
"C:\\Windows\\SysWow64\\Acpcii32.dll" Bmohgoao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Minpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aadbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjodqan.dll" Diifph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeddapc.dll" Qmfiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpdenh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Trojan.Win32.Cerber.exe, Lnpejklj.exe, Mmebkg32.exe, Mocogc32.exe, Mfngdmgb.exe, Mqckaf32.exe, Minpeh32.exe, Meeqkijg.exe, Mbiadm32.exe, Mgfjld32.exe, Nieffgok.exe, Nnboonmb.exe, Nndkdn32.exe, Nnghjm32.exe, Nfbmnpfh.exe, Nbincq32.exe
description  pid  process  target process  (the report lists each of the 16 parent/child pairs below four times, which is how it reaches 64 IoCs; each pair is shown once here)
PID 2168 wrote to memory of 2620  2168  Trojan.Win32.Cerber.exe  Lnpejklj.exe
PID 2620 wrote to memory of 2680  2620  Lnpejklj.exe  Mmebkg32.exe
PID 2680 wrote to memory of 2696  2680  Mmebkg32.exe  Mocogc32.exe
PID 2696 wrote to memory of 2740  2696  Mocogc32.exe  Mfngdmgb.exe
PID 2740 wrote to memory of 2808  2740  Mfngdmgb.exe  Mqckaf32.exe
PID 2808 wrote to memory of 2588  2808  Mqckaf32.exe  Minpeh32.exe
PID 2588 wrote to memory of 2520  2588  Minpeh32.exe  Meeqkijg.exe
PID 2520 wrote to memory of 2628  2520  Meeqkijg.exe  Mbiadm32.exe
PID 2628 wrote to memory of 620  2628  Mbiadm32.exe  Mgfjld32.exe
PID 620 wrote to memory of 1688  620  Mgfjld32.exe  Nieffgok.exe
PID 1688 wrote to memory of 2524  1688  Nieffgok.exe  Nnboonmb.exe
PID 2524 wrote to memory of 1232  2524  Nnboonmb.exe  Nndkdn32.exe
PID 1232 wrote to memory of 2220  1232  Nndkdn32.exe  Nnghjm32.exe
PID 2220 wrote to memory of 3028  2220  Nnghjm32.exe  Nfbmnpfh.exe
PID 3028 wrote to memory of 1864  3028  Nfbmnpfh.exe  Nbincq32.exe
PID 1864 wrote to memory of 560  1864  Nbincq32.exe  Ojpedn32.exe
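Two of this report's IoC blocks carry the structure worth extracting: the "Modifies registry class" entries (every dropped process re-creates the same CLSID's InProcServer32 key, sets ThreadingModel to Apartment and points the key's default value at a freshly dropped DLL under SysWow64, the COM server that the "Adds autorun key to be loaded by Explorer.exe on startup" entries then get Explorer to load), and the "wrote to memory of" entries above, which describe one lineage in which each dropped executable writes into the child it launches. The script below is an added example and is not code from the sandbox or from the sample; it takes a few IoC lines copied from this page as constructed input (the WriteProcessMemory lines run together the way the report prints them, with the four-fold repetition shortened to two), parses both blocks, maps the Wow6432Node path back to the path the 32-bit writer actually opened, rebuilds the parent-to-child chain, and scores it with a simple heuristic. The function names, the 8-character name pattern and the run-length threshold are my assumptions, not anything the report defines.

```python
"""Parse the 'Modifies registry class' and 'wrote to memory of' IoC lists of a
Triage-style report, summarise the InProcServer32 hijack, rebuild the process
chain and score it. Added example; not the sandbox's or the sample's own code."""
import re
from collections import Counter, defaultdict

# Constructed input: IoC lines copied from this report (registry lines one per
# line; WriteProcessMemory lines run together, repetition shortened to two).
REGISTRY_IOCS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdlncn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Albijp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khmdjjfc.dll" Dknejb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjbcd32.dll" Pjhcphkf.exe
'''
WPM_IOCS = ("PID 2168 wrote to memory of 2620 2168 Trojan.Win32.Cerber.exe Lnpejklj.exe "
            "PID 2168 wrote to memory of 2620 2168 Trojan.Win32.Cerber.exe Lnpejklj.exe "
            "PID 2620 wrote to memory of 2680 2620 Lnpejklj.exe Mmebkg32.exe "
            "PID 2680 wrote to memory of 2696 2680 Mmebkg32.exe Mocogc32.exe "
            "PID 2696 wrote to memory of 2740 2696 Mocogc32.exe Mfngdmgb.exe "
            "PID 2740 wrote to memory of 2808 2740 Mfngdmgb.exe Mqckaf32.exe")

REG_LINE = re.compile(r'^(?P<desc>Key created|Set value \(str\))\s+'
                      r'(?P<path>\\REGISTRY\\[^\s=]+)'   # key, plus value name for Set value
                      r'(?:\s*=\s*"(?P<data>[^"]*)")?'   # optional = "data"
                      r'\s+(?P<proc>\S+\.exe)\s*$')
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
WPM_ENTRY = re.compile(r'PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)')
# Assumed shape of the dropped names seen here: Lnpejklj.exe, Mmebkg32.exe
GENERATED_NAME = re.compile(r'^[A-Za-z]{6}(?:[A-Za-z]{2}|32)\.exe$')


def parse_registry(text):
    """One dict per IoC line: action, key, value name, decoded data, writing process."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = REG_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed IoC line: {line!r}")
        if m['desc'] == 'Key created':
            key, name = m['path'], None
        else:
            key, _, name = m['path'].rpartition('\\')
            name = name or '(default)'   # trailing backslash means the key's unnamed value
        data = None if m['data'] is None else m['data'].replace('\\\\', '\\')
        out.append({'action': m['desc'], 'key': key, 'name': name, 'data': data, 'writer': m['proc']})
    return out


def native_view(key):
    r"""Path the 32-bit writer actually opened: WoW64 redirects HKLM\SOFTWARE\Classes\CLSID
    for 32-bit code into ...\Classes\Wow6432Node\CLSID, which is what the sandbox recorded."""
    return key.replace('\\REGISTRY\\MACHINE\\', 'HKLM\\').replace('\\Wow6432Node\\', '\\')


def hijacked_servers(entries):
    """{clsid: {dll path: {writers}}} for every InProcServer32 default value that was set."""
    servers = defaultdict(lambda: defaultdict(set))
    for e in entries:
        m = CLSID.search(e['key'])
        if m and e['name'] == '(default)' and e['key'].endswith('\\InProcServer32'):
            servers[m.group(0).upper()][e['data']].add(e['writer'])
    return {c: dict(d) for c, d in servers.items()}


def parse_writes(text):
    """(src_pid, dst_pid, src_image, dst_image) per distinct pair, plus repeat counts."""
    counts = Counter(WPM_ENTRY.findall(text))
    return [(int(s), int(d), si, di) for s, d, si, di in counts], counts


def build_chain(edges):
    """Order the writes into one lineage; refuse anything that is not a single path."""
    child, parent, image = {}, {}, {}
    for s, d, si, di in edges:
        if child.get(s, d) != d or parent.get(d, s) != s:
            raise ValueError(f"{s}->{d} is not part of a simple chain")
        child[s], parent[d], image[s], image[d] = d, s, si, di
    roots = [p for p in child if p not in parent]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, image[pid]))
        pid = child.get(pid)
    return chain


def score_chain(chain, min_run=4):
    """(alert, longest run) where a run is consecutive chain members with generated-looking
    names. The name shape alone is weak (explorer.exe has it too); the run length carries
    the signal, which is why this is applied to a write-into-child chain, not single events."""
    best = run = 0
    for _, img in chain:
        run = run + 1 if GENERATED_NAME.match(img) else 0
        best = max(best, run)
    return best >= min_run, best


if __name__ == '__main__':
    regs = parse_registry(REGISTRY_IOCS)
    for clsid, dlls in hijacked_servers(regs).items():
        print(clsid, '->', sorted(dlls))
    print(sorted({native_view(e['key']) for e in regs}))
    chain = build_chain(parse_writes(WPM_IOCS)[0])
    print(' -> '.join(f"{img}({pid})" for pid, img in chain), score_chain(chain))
```

When hunting on a host, check both registry views: a 64-bit tool reads the Wow6432Node path the sandbox shows, while a 32-bit tool (or a 32-bit regedit) sees the same data under the un-redirected HKLM\SOFTWARE\Classes\CLSID path that `native_view` returns. The DLL list from `hijacked_servers` is the file-side artefact to collect; every entry on this page lands in C:\Windows\SysWow64 with the same 8-character naming as the executables.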
Processes
-
level  PID  image  signatures  (each process is the child of the one above it; from level 2 on the image is C:\Windows\SysWOW64\<image> and the command line is C:\Windows\system32\<image>, which file-system redirection resolves to the SysWOW64 copy for these 32-bit processes)
1  2168  C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe (command line "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe")  Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2  2620  Lnpejklj.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3  2680  Mmebkg32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4  2696  Mocogc32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5  2740  Mfngdmgb.exe  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
6  2808  Mqckaf32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7  2588  Minpeh32.exe  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
8  2520  Meeqkijg.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9  2628  Mbiadm32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10  620  Mgfjld32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11  1688  Nieffgok.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12  2524  Nnboonmb.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13  1232  Nndkdn32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14  2220  Nnghjm32.exe  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
15  3028  Nfbmnpfh.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16  1864  Nbincq32.exe  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17  560  Ojpedn32.exe  Executes dropped EXE; Loads dropped DLL
18  2376  Obkjhpjj.exe  Executes dropped EXE; Loads dropped DLL
19  1856  Olcoaf32.exe  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20  1124  Ohjofgfo.exe  Executes dropped EXE; Loads dropped DLL
21  3024  Oabdol32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
22  2424  Okkhhb32.exe  Executes dropped EXE; Loads dropped DLL
23  288  Oeqmek32.exe  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
24  880  Okmena32.exe  Executes dropped EXE; Loads dropped DLL
25  2288  Pecikj32.exe  Executes dropped EXE; Loads dropped DLL
26  1572  Pokndp32.exe  Executes dropped EXE; Loads dropped DLL
27  2792  Pkboiamh.exe  Executes dropped EXE; Loads dropped DLL
28  2700  Pdjcaf32.exe  Executes dropped EXE; Loads dropped DLL
29  1752  Pigkjmap.exe  Executes dropped EXE; Loads dropped DLL
30  2744  Pdmpgfae.exe  Executes dropped EXE; Loads dropped DLL
31  2584  Pijhompm.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
32  2828  Plhdkhoq.exe  Executes dropped EXE; Loads dropped DLL
33  2660  Pgnhiaof.exe  Executes dropped EXE
34  1696  Qlmnfh32.exe  Executes dropped EXE
35  2468  Qaifoo32.exe  Executes dropped EXE
36  1624  Alojlgii.exe  Executes dropped EXE
37  2012  Ahfkah32.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
38  2904  Anbcio32.exe  Executes dropped EXE
39  928  Ahhhgh32.exe  Executes dropped EXE
40  1204  Ajidnp32.exe  Executes dropped EXE
41  932  Agmehd32.exe  Executes dropped EXE
42  628  Angmdoho.exe  Executes dropped EXE
43  1660  Acdemegf.exe  Executes dropped EXE
44  1552  Afbbiafj.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
45  2960  Bokfaflj.exe  Executes dropped EXE; Modifies registry class
46  2312  Bqjcli32.exe  Executes dropped EXE
47  1668  Bjcgdojn.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
48  1776  Boppmf32.exe  Executes dropped EXE; Drops file in System32 directory
49  1596  Belhem32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50  2908  Bkfqbgni.exe  Executes dropped EXE
51  2544  Bbpioa32.exe  Executes dropped EXE
52  2276  Bgmagh32.exe  Executes dropped EXE; Drops file in System32 directory
53  2752  Bbbedqcc.exe  Executes dropped EXE
54  2612  Cgpnlgak.exe  Executes dropped EXE
55  2712  Cbebjpaa.exe  Executes dropped EXE
56  2840  Cgbjbgph.exe  Executes dropped EXE
57  2672  Cmocjn32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
58  2436  Cefkkk32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
59  1676  Cfggccdp.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
60  2876  Cmappn32.exe  Executes dropped EXE; Drops file in System32 directory
61  2088  Cgfdmf32.exe  Executes dropped EXE
62  1812  Cihqdoaa.exe  Executes dropped EXE
63  1628  Cpbiaiin.exe  Executes dropped EXE
64  2780  Cijmjn32.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
65  2096  Emeejpjc.exe  Executes dropped EXE; Drops file in System32 directory
66  1460  Eilfoapg.exe  Drops file in System32 directory
67  1716  Edbjljpm.exe
68  1528  Eiocdand.exe
69  2172  Eddgaj32.exe
70  2872  Eiapjq32.exe
71  1008  Epkhfkco.exe
72  2756  Egepce32.exe
73  2944  Elahkl32.exe  Modifies registry class
74  2984  Eclqhfpp.exe  Modifies registry class
75  2248  Fieiephm.exe  System Location Discovery: System Language Discovery
76  2892  Fkgemh32.exe  Drops file in System32 directory
77  2644  Faanibeh.exe  Drops file in System32 directory
78  1904  Fhkffl32.exe
79  1680  Fkibbh32.exe
80  2384  Facjobce.exe
81  2072  Fdafkm32.exe
82  2144  Fogkhf32.exe
83  300  Fphgpnhm.exe
84  916  Fgbpmh32.exe
85  1984  Fjqlid32.exe
86  1096  Fdfpfm32.exe
87  1964  Fgelbhmg.exe
88  1724  Gqmqkn32.exe  Modifies registry class
89  2932  Gckmgi32.exe
90  1176  Gjeedcjh.exe
91  2728  Gobnljhp.exe  System Location Discovery: System Language Discovery
92  1040  Gflfidpl.exe
93  2388  Ghkbepop.exe
94  2552  Gfobndnj.exe  Modifies registry class
95  108  Gkkkgkla.exe
96  2592  Gbecce32.exe
97  2896  Gmkgqncd.exe
98  1380  Gfclic32.exe
99  872  Hiahfo32.exe
100  2212  Holqbipe.exe
101  684  Hbjmodph.exe
102  2596  Hidekn32.exe
103  2020  Hnanceem.exe
104  2768  Hcnfllcd.exe  Drops file in System32 directory
105  2224  Hncjiecj.exe
106  2964  Haafepbn.exe
107  2236  Hglobj32.exe
108  2560  Hadckp32.exe
109  2852  Hiohob32.exe
110  2368  Ibglhhdf.exe  System Location Discovery: System Language Discovery; Modifies registry class
111  3012  Ipkmal32.exe
112  1504  Ifeenfjm.exe
113  2500  Ipnigl32.exe  Drops file in System32 directory; Modifies registry class
114  2420  Iekbob32.exe  Drops file in System32 directory
115  868  Ippflkok.exe  Drops file in System32 directory
116  3016  Iemoebmb.exe
117  2784  Ibaonfll.exe
118  1708  Iikgkq32.exe  Drops file in System32 directory
119  2760  Johpcgap.exe
120  2060  Jeahpa32.exe  Modifies registry class
121  2360  Jojmigpn.exe
122  2576  Jedeea32.exe
123  2980  Jmoijc32.exe  Adds autorun key to be loaded by Explorer.exe on startup
124  2900  Jhengldk.exe
125  792  Jmafocbb.exe  Drops file in System32 directory
126  2232  Jlgcqp32.exe  Adds autorun key to be loaded by Explorer.exe on startup
127  1740  Keohie32.exe  Drops file in System32 directory
128  2484  Kpdlfn32.exe
129  2692  Klkmkoce.exe  Adds autorun key to be loaded by Explorer.exe on startup
130  2344  Kceehijb.exe
131  2140  Khbmqpii.exe  Adds autorun key to be loaded by Explorer.exe on startup
132  1860  Kkqjmlhm.exe
133  1884  Khdjfpfg.exe  Adds autorun key to be loaded by Explorer.exe on startup
134  2196  Kamooe32.exe
135  3004  Khgglp32.exe
136  2648  Koaohila.exe  Adds autorun key to be loaded by Explorer.exe on startup
137  2972  Lpbkpa32.exe  Drops file in System32 directory
138  2976  Lkgpmj32.exe
139  1260  Ldpdfp32.exe  System Location Discovery: System Language Discovery
140  1080  Lnhioeof.exe
141  752  Ldbalp32.exe
142  2068  Lfcmchla.exe
143  2836  Lcgnmlkk.exe
144  2952  Lhdfec32.exe
145  968  Lcjkbl32.exe
146  1020  Mlbokapi.exe
147  2244  Mdmdpd32.exe
148  940  Mnfhhicd.exe  Drops file in System32 directory; System Location Discovery: System Language Discovery
149  2988  Mgcflnfp.exe
150  3052  Mqkked32.exe
151  2000  Nggpgn32.exe  Modifies registry class
152  964  Ncnplogn.exe  Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
153  2280  Nmgeedno.exe
154  608  Ncqmbn32.exe  Drops file in System32 directory
155  1464  Nimeje32.exe
156  2272  Nllafq32.exe
157  2856  Nfafci32.exe
158  644  Nhbbkahk.exe  System Location Discovery: System Language Discovery
159  1928  Oheoaa32.exe
160  1068  Odlpfblm.exe
161  2164  Onadck32.exe  Drops file in System32 directory; System Location Discovery: System Language Discovery
162  1868  Ohjhlqbc.exe  Adds autorun key to be loaded by Explorer.exe on startup
163  2404  Ohleappp.exe
164  2508  Opgjfb32.exe  System Location Discovery: System Language Discovery
165  2128  Pmkjog32.exe  Drops file in System32 directory
166  2788  Pbhcgn32.exe  Adds autorun key to be loaded by Explorer.exe on startup
167  2304  Plpgqc32.exe
168  2112  Pbjpmmij.exe  Adds autorun key to be loaded by Explorer.exe on startup
169  2264  Ppnpfagc.exe
170  3048  Papmnj32.exe
171  1548  Pocmhnlk.exe  System Location Discovery: System Language Discovery
172  1076  Pemedh32.exe
173  1492  Qepbjh32.exe
174  2204  Qohfcmhf.exe
175  1720  Akoghnnj.exe
176  1804  Anppiikk.exe  Drops file in System32 directory
177  3056  Aghdboal.exe  Drops file in System32 directory
178  2364  Acoegp32.exe
179  804  Ahlnpg32.exe
180  920  Aadbhl32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
181  1448  Accobock.exe
182  2440  Bhpgkfab.exe
183  1604  Bfdhdj32.exe
184  3096  Bnplhm32.exe  Modifies registry class
185  3136  Bkcmba32.exe  Drops file in System32 directory
186  3176  Bdlakf32.exe  Modifies registry class
187  3216  Bmgfoi32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
188  3256  Bfojhngl.exe  Modifies registry class
189  3296  Cqeoegfb.exe
190  3336  Cjmcnmmc.exe
191  3376  Ccehgb32.exe
192  3416  Cjppclkp.exe  Drops file in System32 directory
193  3464  Colhlcig.exe
194  3504  Cffqhmqd.exe
195  3544  Cnaempnp.exe  Drops file in System32 directory
196  3584  Cfimnmoa.exe
197  3624  Cpabgb32.exe  Drops file in System32 directory; System Location Discovery: System Language Discovery
198  3664  Diifph32.exe  Modifies registry class
199  3704  Dadkdj32.exe  Modifies registry class
200  3744  Dljoac32.exe
201  3784  Debcjiod.exe
202  3824  Dfdpbaeb.exe  Drops file in System32 directory
203  3864  Dchqkedl.exe  Drops file in System32 directory
204  3904  Dmpedk32.exe
205  3944  Djdenoif.exe  Modifies registry class
206  3984  Edljfd32.exe  Drops file in System32 directory
207  4028  Emeoojfg.exe
208  4068  Efmchp32.exe
209  3092  Ebddmq32.exe
210  3124  Einljkji.exe
211  3168  Eokdbahp.exe
212  3236  Ehcikg32.exe
213  3280  Fkdbmblb.exe
214  3328  Fphqehda.exe  Adds autorun key to be loaded by Explorer.exe on startup
215  3384  Fhcejjal.exe  Modifies registry class
216  3440  Fchigcab.exe
217  3488  Goojldgf.exe  Drops file in System32 directory
218  3532  Ghhoej32.exe
219  3592  Gndgmq32.exe
220  3636  Ggmlffbo.exe
221  3692  Ggohlf32.exe
222  3732  Gqgmdkgm.exe  System Location Discovery: System Language Discovery
223  3792  Gjpama32.exe  Modifies registry class
224  3844  Hqjijk32.exe
225  3900  Hmqjoljn.exe
226  (no PID on page; the report is cut off here)  Hckblf32.exe  System Location Discovery: System Language Discovery; Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Higkdm32.exeC:\Windows\system32\Higkdm32.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3996 -
C:\Windows\SysWOW64\Hcmoafph.exeC:\Windows\system32\Hcmoafph.exe228⤵PID:4048
-
C:\Windows\SysWOW64\Hkhdfhmc.exeC:\Windows\system32\Hkhdfhmc.exe229⤵PID:4084
-
C:\Windows\SysWOW64\Hbdihbbn.exeC:\Windows\system32\Hbdihbbn.exe230⤵PID:3108
-
C:\Windows\SysWOW64\Ieeajmpo.exeC:\Windows\system32\Ieeajmpo.exe231⤵
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Innfbb32.exeC:\Windows\system32\Innfbb32.exe232⤵PID:3252
-
C:\Windows\SysWOW64\Ikaglgei.exeC:\Windows\system32\Ikaglgei.exe233⤵PID:3324
-
C:\Windows\SysWOW64\Ianodncp.exeC:\Windows\system32\Ianodncp.exe234⤵PID:3368
-
C:\Windows\SysWOW64\Imepio32.exeC:\Windows\system32\Imepio32.exe235⤵
- System Location Discovery: System Language Discovery
PID:3448 -
C:\Windows\SysWOW64\Icohfi32.exeC:\Windows\system32\Icohfi32.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3496 -
C:\Windows\SysWOW64\Jbdegeei.exeC:\Windows\system32\Jbdegeei.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3552 -
C:\Windows\SysWOW64\Jmjidneo.exeC:\Windows\system32\Jmjidneo.exe238⤵PID:3648
-
C:\Windows\SysWOW64\Jbfalecf.exeC:\Windows\system32\Jbfalecf.exe239⤵PID:3688
-
C:\Windows\SysWOW64\Jiqjiojc.exeC:\Windows\system32\Jiqjiojc.exe240⤵PID:3720
-
C:\Windows\SysWOW64\Jpmoki32.exeC:\Windows\system32\Jpmoki32.exe241⤵
- Drops file in System32 directory
PID:3840 -
C:\Windows\SysWOW64\Jejgcp32.exeC:\Windows\system32\Jejgcp32.exe242⤵PID:3880