Analysis
-
max time kernel
93s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 10:37
Static task
static1
Behavioral task
behavioral1
Sample
Trojan.Win32.Cerber.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Trojan.Win32.Cerber.exe
Resource
win10v2004-20240802-en
General
-
Target
Trojan.Win32.Cerber.exe
-
Size
94KB
-
MD5
5c5968fcb825c27fb62451ccebfce790
-
SHA1
2213182d12f4690679a9fe2af3650b693170e88b
-
SHA256
dafc51abf246d2680da1671a06d3050b82e8dacfde94eed12064e0d0039ae90f
-
SHA512
4df659db8b28fa73a36423c5c370756d8e3b1a281e8543c8c9ea6db550c323e39a1ded76f7b082309eebea77409d97653dc6c201ac8302474cf4a6752467a29f
-
SSDEEP
1536:c6veUM5cDQI1x/qeoH14Cqpy2LZS5DUHRbPa9b6i+sImo71+jqx:c69LP+4Np/ZS5DSCopsIm81+jqx
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kjhloj32.exeMmkkmc32.exeBakgoh32.exeEokqkh32.exeGpfjma32.exeIgedlh32.exeMlpokp32.exePapfgbmg.exeOadfkdgd.exeJjpode32.exeBhkfkmmg.exeEdeeci32.exePkhjph32.exePahilmoc.exeLjeafb32.exeGbeejp32.exeBogkmgba.exeMmmqhl32.exeNbnpcj32.exeNemmoe32.exeGfheof32.exeHgfapd32.exeOeehkn32.exePmblagmf.exeOigllh32.exeCnhgjaml.exeLmdnbn32.exeNfohgqlg.exeKgopidgf.exeLjkifn32.exeKjmfjj32.exeGldglf32.exeAamknj32.exeDigehphc.exeOpcqnb32.exePoodpmca.exePhjenbhp.exeFmqgpgoc.exeEjlbhh32.exeAoioli32.exeChnlgjlb.exeNklbmllg.exePlejdkmm.exeHkfglb32.exeGehbjm32.exeMlklkgei.exePpopjp32.exeQhakoa32.exeCidjbmcp.exeKlhnfo32.exeJlobkg32.exeLekmnajj.exeBbnkonbd.exeMkhapk32.exeHdehni32.exeOeheqm32.exeEoideh32.exeEgcaod32.exeAlkijdci.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eokqkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpfjma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igedlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpokp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkfkmmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmmqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nemmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfheof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmblagmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfohgqlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgopidgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmfjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opcqnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poodpmca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejlbhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gehbjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlklkgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppopjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhakoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidjbmcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhnfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekmnajj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbnkonbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhapk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeheqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcaod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe -
Executes dropped EXE 64 IoCs
Processes:
Keonap32.exeKlifnj32.exeKbbokdlk.exeKfnkkb32.exeKeakgpko.exeKpgodhkd.exeKfqgab32.exeKhbdikip.exeKpiljh32.exeKfcdfbqo.exeKiaqcnpb.exeLpkiph32.exeLbjelc32.exeLehaho32.exeLidmhmnp.exeLnqeqd32.exeLejnmncd.exeLldfjh32.exeLbnngbbn.exeLihfcm32.exeLlgcph32.exeLpbopfag.exeLflgmqhd.exeLpekef32.exeLfodbqfa.exeMlklkgei.exeMedqcmki.exeMpieqeko.exeMefmimif.exeMoobbb32.exeMhgfkg32.exeMblkhq32.exeMifcejnj.exeMockmala.exeNiipjj32.exeNpchgdcd.exeNeppokal.exeNbcqiope.exeNpgabc32.exeNipekiep.exeNomncpcg.exeNgdfdmdi.exeNheble32.exeNookip32.exeOeicejia.exeOlckbd32.exeOghppm32.exeOigllh32.exeOpadhb32.exeOocddono.exeOcopdn32.exeOlgemcli.exeOpcqnb32.exeOileggkb.exeOpemca32.exeOgpepl32.exeOhqbhdpj.exeOcffempp.exePjpobg32.exePcicklnn.exePjbkgfej.exePoodpmca.exePckppl32.exePhhhhc32.exepid process 840 Keonap32.exe 4764 Klifnj32.exe 1428 Kbbokdlk.exe 4348 Kfnkkb32.exe 2484 Keakgpko.exe 676 Kpgodhkd.exe 872 Kfqgab32.exe 2116 Khbdikip.exe 4688 Kpiljh32.exe 3104 Kfcdfbqo.exe 2816 Kiaqcnpb.exe 1248 Lpkiph32.exe 3608 Lbjelc32.exe 3920 Lehaho32.exe 220 Lidmhmnp.exe 3112 Lnqeqd32.exe 2624 Lejnmncd.exe 2656 Lldfjh32.exe 5056 Lbnngbbn.exe 3940 Lihfcm32.exe 2392 Llgcph32.exe 1844 Lpbopfag.exe 1120 Lflgmqhd.exe 4776 Lpekef32.exe 4012 Lfodbqfa.exe 3848 Mlklkgei.exe 1240 Medqcmki.exe 2724 Mpieqeko.exe 3796 Mefmimif.exe 3032 Moobbb32.exe 3916 Mhgfkg32.exe 3604 Mblkhq32.exe 2024 Mifcejnj.exe 912 Mockmala.exe 2180 Niipjj32.exe 4792 Npchgdcd.exe 1852 Neppokal.exe 4436 Nbcqiope.exe 2132 Npgabc32.exe 2684 Nipekiep.exe 2220 Nomncpcg.exe 3108 Ngdfdmdi.exe 1404 Nheble32.exe 2120 Nookip32.exe 1804 Oeicejia.exe 3356 Olckbd32.exe 1988 Oghppm32.exe 2204 Oigllh32.exe 2348 Opadhb32.exe 2044 Oocddono.exe 4248 Ocopdn32.exe 2780 Olgemcli.exe 1472 Opcqnb32.exe 2708 Oileggkb.exe 3120 Opemca32.exe 896 Ogpepl32.exe 1344 Ohqbhdpj.exe 2732 Ocffempp.exe 4708 Pjpobg32.exe 5040 Pcicklnn.exe 5052 Pjbkgfej.exe 3048 Poodpmca.exe 1036 Pckppl32.exe 1968 Phhhhc32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Idghpmnp.exeMbbagk32.exeManmoq32.exeKjhloj32.exeMcbpjg32.exeEalkjh32.exeAhfdjanb.exePhodcg32.exeHfcnpn32.exeBpkdjofm.exeDiffglam.exeChkobkod.exeQcclld32.exeKnfeeimj.exeKfnfjehl.exeAmcehdod.exeIdfaefkd.exeJnlkedai.exeBogkmgba.exeBoldhf32.exeDpckjfgg.exeFmlneg32.exeNhpbfpka.exePemomqcn.exeBfbaonae.exeBkobmnka.exeGinnfgop.exeJgeghp32.exePmnbfhal.exeKcpahpmd.exeNdflak32.exeFmkqpkla.exeCjhfpa32.exeOmgmeigd.exeEnkmfolf.exeLldfjh32.exeMockmala.exePhjenbhp.exeAgdhbi32.exeAihaoqlp.exeGehbjm32.exeNajceeoo.exeEmdajb32.exeDqnjgl32.exeBcinna32.exeCbfgkffn.exeKfpcoefj.exeAamknj32.exeHpmpnp32.exePojcjh32.exeGlcaambb.exeGdcliikj.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ihbdplfi.exe Idghpmnp.exe File created C:\Windows\SysWOW64\Jiooia32.dll Mbbagk32.exe File created C:\Windows\SysWOW64\Feenjgfq.exe File created C:\Windows\SysWOW64\Iacngdgj.exe File created C:\Windows\SysWOW64\Kjeqge32.dll Manmoq32.exe File created C:\Windows\SysWOW64\Iahgad32.exe File created C:\Windows\SysWOW64\Cnokmj32.dll File created C:\Windows\SysWOW64\Nfcconde.dll Kjhloj32.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mcbpjg32.exe File created C:\Windows\SysWOW64\Edjgfcec.exe Ealkjh32.exe File opened for modification C:\Windows\SysWOW64\Ackigjmh.exe Ahfdjanb.exe File created C:\Windows\SysWOW64\Oklfllgp.dll Phodcg32.exe File opened for modification C:\Windows\SysWOW64\Hmmfmhll.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Dkbnla32.dll Bpkdjofm.exe File created C:\Windows\SysWOW64\Dikhjofo.dll Diffglam.exe File opened for modification C:\Windows\SysWOW64\Ckjknfnh.exe Chkobkod.exe File created C:\Windows\SysWOW64\Fjebhadm.dll Qcclld32.exe File created C:\Windows\SysWOW64\Aljejh32.dll Knfeeimj.exe File created C:\Windows\SysWOW64\Jbhfhgch.dll Kfnfjehl.exe File opened for modification C:\Windows\SysWOW64\Qaflgago.exe Qcclld32.exe File created C:\Windows\SysWOW64\Apaadpng.exe Amcehdod.exe File created C:\Windows\SysWOW64\Igdnabjh.exe Idfaefkd.exe File opened for modification C:\Windows\SysWOW64\Jlolpq32.exe Jnlkedai.exe File created C:\Windows\SysWOW64\Bhpofl32.exe Bogkmgba.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Boldhf32.exe File created C:\Windows\SysWOW64\Nqcejcha.exe File created C:\Windows\SysWOW64\Nagfjh32.dll Dpckjfgg.exe File opened for modification C:\Windows\SysWOW64\Fagjfflb.exe Fmlneg32.exe File created C:\Windows\SysWOW64\Nknobkje.exe Nhpbfpka.exe File opened for modification C:\Windows\SysWOW64\Qkjgegae.exe Pemomqcn.exe File created C:\Windows\SysWOW64\Epmfkk32.dll Bfbaonae.exe File created C:\Windows\SysWOW64\Bnmoijje.exe Bkobmnka.exe File created C:\Windows\SysWOW64\Jldbpl32.exe File opened for modification C:\Windows\SysWOW64\Oikjkc32.exe File created C:\Windows\SysWOW64\Migidc32.dll Ginnfgop.exe File created C:\Windows\SysWOW64\Eonklp32.dll Jgeghp32.exe File created C:\Windows\SysWOW64\Phcgcqab.exe Pmnbfhal.exe File created C:\Windows\SysWOW64\Hemqgjog.dll Kcpahpmd.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll Ndflak32.exe File opened for modification C:\Windows\SysWOW64\Fnlmhc32.exe Fmkqpkla.exe File opened for modification C:\Windows\SysWOW64\Mlljnf32.exe File created C:\Windows\SysWOW64\Cikglnkj.exe Cjhfpa32.exe File created C:\Windows\SysWOW64\Hkfoel32.dll Omgmeigd.exe File created C:\Windows\SysWOW64\Lbfecjhc.dll File created C:\Windows\SysWOW64\Bcoaln32.dll Enkmfolf.exe File created C:\Windows\SysWOW64\Lbnngbbn.exe Lldfjh32.exe File created C:\Windows\SysWOW64\Niipjj32.exe Mockmala.exe File opened for modification C:\Windows\SysWOW64\Niipjj32.exe Mockmala.exe File created C:\Windows\SysWOW64\Ppamophb.exe Phjenbhp.exe File created C:\Windows\SysWOW64\Afghneoo.exe Agdhbi32.exe File created C:\Windows\SysWOW64\Lbcnlf32.dll Aihaoqlp.exe File opened for modification C:\Windows\SysWOW64\Gmojkj32.exe Gehbjm32.exe File created C:\Windows\SysWOW64\Niakfbpa.exe Najceeoo.exe File opened for modification C:\Windows\SysWOW64\Fpbmfn32.exe Emdajb32.exe File created C:\Windows\SysWOW64\Dhdbhifj.exe Dqnjgl32.exe File created C:\Windows\SysWOW64\Aqdjon32.dll Bcinna32.exe File created C:\Windows\SysWOW64\Chqogq32.exe Cbfgkffn.exe File created C:\Windows\SysWOW64\Hemikcpm.dll Kfpcoefj.exe File opened for modification C:\Windows\SysWOW64\Mmkdcm32.exe Mcbpjg32.exe File created C:\Windows\SysWOW64\Adkgje32.exe Aamknj32.exe File opened for modification C:\Windows\SysWOW64\Hgghjjid.exe Hpmpnp32.exe File created C:\Windows\SysWOW64\Pcepkfld.exe Pojcjh32.exe File created C:\Windows\SysWOW64\Dcdcmh32.dll Glcaambb.exe File created C:\Windows\SysWOW64\Ggahedjn.exe Gdcliikj.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 8208 9372 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ahofoogd.exeDoccpcja.exeMblkhq32.exeNgdfdmdi.exeDpckjfgg.exeEoideh32.exeAmjillkj.exeOmbcji32.exePcpikkge.exeGbofcghl.exeKqphfe32.exeOmegjomb.exeAflaie32.exeDglkoeio.exeFkihnmhj.exeMcbpjg32.exeOnapdl32.exeCdimqm32.exePhfjcf32.exeJgmjmjnb.exeEbifmm32.exeCikglnkj.exeHnhghcki.exeJhijqj32.exeKggcnoic.exeGddbcp32.exeLcjcnoej.exeFiaael32.exeJpenfp32.exeDodjjimm.exeIdieem32.exeLeopnglc.exeCjgpfk32.exeOogpjbbb.exeKbpkkn32.exeBmabggdm.exeHildmn32.exeFqeioiam.exeNclikl32.exeNlfnaicd.exeDqbcbkab.exeKqbdldnq.exeCfcqpa32.exeDiicml32.exeDpphjp32.exeAmnlme32.exeIphioh32.exePajeam32.exeFpmggb32.exeIdghpmnp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doccpcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblkhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdfdmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpckjfgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoideh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjillkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqphfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflaie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglkoeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkihnmhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdimqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebifmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikglnkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhijqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idieem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leopnglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmabggdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqeioiam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqbcbkab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbdldnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcqpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diicml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnlme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghpmnp.exe -
Modifies registry class 64 IoCs
Processes:
Fmkqpkla.exeHfcnpn32.exeCiafbg32.exeNclikl32.exePdenmbkk.exeJddnfd32.exeGpbpbecj.exeHgfapd32.exeHnfjbdmk.exeDoccpcja.exeIkkpgafg.exePdjgha32.exeDmennnni.exeBobabg32.exeHpmpnp32.exeLcjcnoej.exeIhbdplfi.exeGgahedjn.exeKqdaadln.exeLobjni32.exeMcbpjg32.exeLfodbqfa.exeInjcmc32.exeNknobkje.exeOmbcji32.exePlhnda32.exeNjiegl32.exeKqnbkl32.exeGlengm32.exeJnhpoamf.exeImiehfao.exeFqgedh32.exeDdgplado.exeKngkqbgl.exeAhqddk32.exeCoiaiakf.exeNfjola32.exeOgpepl32.exeOifeab32.exeIliinc32.exeDgeenfog.exeHgelek32.exeBlielbfi.exeNahgoe32.exeHienlpel.exeHfhgkmpj.exeChiblk32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjhee32.dll" Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anaemfem.dll" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqfid32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnfjbdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmhbpmi.dll" Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" Bobabg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll" Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihbdplfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmnhl32.dll" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benibond.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfodbqfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injcmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqomopfd.dll" Nknobkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebqacjl.dll" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmlag32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhielqhi.dll" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejomj32.dll" Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeacidl.dll" Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahqddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coiaiakf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpepl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgfga32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfkblnn.dll" Hgelek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Blielbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfdngj32.dll" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hfhgkmpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chiblk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Trojan.Win32.Cerber.exeKeonap32.exeKlifnj32.exeKbbokdlk.exeKfnkkb32.exeKeakgpko.exeKpgodhkd.exeKfqgab32.exeKhbdikip.exeKpiljh32.exeKfcdfbqo.exeKiaqcnpb.exeLpkiph32.exeLbjelc32.exeLehaho32.exeLidmhmnp.exeLnqeqd32.exeLejnmncd.exeLldfjh32.exeLbnngbbn.exeLihfcm32.exeLlgcph32.exedescription pid process target process PID 3256 wrote to memory of 840 3256 Trojan.Win32.Cerber.exe Keonap32.exe PID 3256 wrote to memory of 840 3256 Trojan.Win32.Cerber.exe Keonap32.exe PID 3256 wrote to memory of 840 3256 Trojan.Win32.Cerber.exe Keonap32.exe PID 840 wrote to memory of 4764 840 Keonap32.exe Klifnj32.exe PID 840 wrote to memory of 4764 840 Keonap32.exe Klifnj32.exe PID 840 wrote to memory of 4764 840 Keonap32.exe Klifnj32.exe PID 4764 wrote to memory of 1428 4764 Klifnj32.exe Kbbokdlk.exe PID 4764 wrote to memory of 1428 4764 Klifnj32.exe Kbbokdlk.exe PID 4764 wrote to memory of 1428 4764 Klifnj32.exe Kbbokdlk.exe PID 1428 wrote to memory of 4348 1428 Kbbokdlk.exe Kfnkkb32.exe PID 1428 wrote to memory of 4348 1428 Kbbokdlk.exe Kfnkkb32.exe PID 1428 wrote to memory of 4348 1428 Kbbokdlk.exe Kfnkkb32.exe PID 4348 wrote to memory of 2484 4348 Kfnkkb32.exe Keakgpko.exe PID 4348 wrote to memory of 2484 4348 Kfnkkb32.exe Keakgpko.exe PID 4348 wrote to memory of 2484 4348 Kfnkkb32.exe Keakgpko.exe PID 2484 wrote to memory of 676 2484 Keakgpko.exe Kpgodhkd.exe PID 2484 wrote to memory of 676 2484 Keakgpko.exe Kpgodhkd.exe PID 2484 wrote to memory of 676 2484 Keakgpko.exe Kpgodhkd.exe PID 676 wrote to memory of 872 676 Kpgodhkd.exe Kfqgab32.exe PID 676 wrote to memory of 872 676 Kpgodhkd.exe Kfqgab32.exe PID 676 wrote to memory of 872 676 Kpgodhkd.exe Kfqgab32.exe PID 872 wrote to memory of 2116 872 Kfqgab32.exe Khbdikip.exe PID 872 wrote to memory of 2116 872 Kfqgab32.exe Khbdikip.exe PID 872 wrote to memory of 2116 872 Kfqgab32.exe Khbdikip.exe PID 2116 wrote to memory of 4688 2116 Khbdikip.exe Kpiljh32.exe PID 2116 wrote to memory of 4688 2116 Khbdikip.exe Kpiljh32.exe PID 2116 wrote to memory of 4688 2116 Khbdikip.exe Kpiljh32.exe PID 4688 wrote to memory of 3104 4688 Kpiljh32.exe Kfcdfbqo.exe PID 4688 wrote to memory of 3104 4688 Kpiljh32.exe Kfcdfbqo.exe PID 4688 wrote to memory of 3104 4688 Kpiljh32.exe Kfcdfbqo.exe PID 3104 wrote to memory of 2816 3104 Kfcdfbqo.exe Kiaqcnpb.exe PID 3104 wrote to memory of 2816 3104 Kfcdfbqo.exe Kiaqcnpb.exe PID 3104 wrote to memory of 2816 3104 Kfcdfbqo.exe Kiaqcnpb.exe PID 2816 wrote to memory of 1248 2816 Kiaqcnpb.exe Lpkiph32.exe PID 2816 wrote to memory of 1248 2816 Kiaqcnpb.exe Lpkiph32.exe PID 2816 wrote to memory of 1248 2816 Kiaqcnpb.exe Lpkiph32.exe PID 1248 wrote to memory of 3608 1248 Lpkiph32.exe Lbjelc32.exe PID 1248 wrote to memory of 3608 1248 Lpkiph32.exe Lbjelc32.exe PID 1248 wrote to memory of 3608 1248 Lpkiph32.exe Lbjelc32.exe PID 3608 wrote to memory of 3920 3608 Lbjelc32.exe Lehaho32.exe PID 3608 wrote to memory of 3920 3608 Lbjelc32.exe Lehaho32.exe PID 3608 wrote to memory of 3920 3608 Lbjelc32.exe Lehaho32.exe PID 3920 wrote to memory of 220 3920 Lehaho32.exe Lidmhmnp.exe PID 3920 wrote to memory of 220 3920 Lehaho32.exe Lidmhmnp.exe PID 3920 wrote to memory of 220 3920 Lehaho32.exe Lidmhmnp.exe PID 220 wrote to memory of 3112 220 Lidmhmnp.exe Lnqeqd32.exe PID 220 wrote to memory of 3112 220 Lidmhmnp.exe Lnqeqd32.exe PID 220 wrote to memory of 3112 220 Lidmhmnp.exe Lnqeqd32.exe PID 3112 wrote to memory of 2624 3112 Lnqeqd32.exe Lejnmncd.exe PID 3112 wrote to memory of 2624 3112 Lnqeqd32.exe Lejnmncd.exe PID 3112 wrote to memory of 2624 3112 Lnqeqd32.exe Lejnmncd.exe PID 2624 wrote to memory of 2656 2624 Lejnmncd.exe Lldfjh32.exe PID 2624 wrote to memory of 2656 2624 Lejnmncd.exe Lldfjh32.exe PID 2624 wrote to memory of 2656 2624 Lejnmncd.exe Lldfjh32.exe PID 2656 wrote to memory of 5056 2656 Lldfjh32.exe Lbnngbbn.exe PID 2656 wrote to memory of 5056 2656 Lldfjh32.exe Lbnngbbn.exe PID 2656 wrote to memory of 5056 2656 Lldfjh32.exe Lbnngbbn.exe PID 5056 wrote to memory of 3940 5056 Lbnngbbn.exe Lihfcm32.exe PID 5056 wrote to memory of 3940 5056 Lbnngbbn.exe Lihfcm32.exe PID 5056 wrote to memory of 3940 5056 Lbnngbbn.exe Lihfcm32.exe PID 3940 wrote to memory of 2392 3940 Lihfcm32.exe Llgcph32.exe PID 3940 wrote to memory of 2392 3940 Lihfcm32.exe Llgcph32.exe PID 3940 wrote to memory of 2392 3940 Lihfcm32.exe Llgcph32.exe PID 2392 wrote to memory of 1844 2392 Llgcph32.exe Lpbopfag.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe23⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe24⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe25⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe28⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe29⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe30⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe31⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe32⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe34⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe36⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe37⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe38⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe39⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe40⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe41⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe42⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe44⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe45⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe46⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe47⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe48⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe50⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe51⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe52⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe53⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe55⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe56⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe58⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe59⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe60⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe61⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe62⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe64⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe65⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe67⤵PID:1048
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe69⤵PID:2956
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe70⤵
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe71⤵PID:3328
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe72⤵
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe73⤵PID:1112
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe74⤵PID:3444
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe75⤵PID:2096
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe76⤵PID:116
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe78⤵PID:3360
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe79⤵PID:4880
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe80⤵PID:2176
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe81⤵PID:1296
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe82⤵PID:3036
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe83⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe84⤵PID:4972
-
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe85⤵
- Drops file in System32 directory
PID:736 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe86⤵PID:3044
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe87⤵
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe88⤵PID:1100
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe89⤵PID:2164
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe90⤵
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe91⤵PID:652
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe92⤵PID:1516
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe93⤵PID:4340
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe94⤵PID:2352
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe95⤵PID:3908
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe96⤵PID:4716
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe97⤵PID:224
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe98⤵PID:3408
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe99⤵PID:3600
-
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe100⤵PID:64
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe101⤵PID:4524
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe102⤵PID:2952
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe103⤵PID:3652
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe104⤵PID:4636
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe105⤵PID:2908
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe106⤵PID:4488
-
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe107⤵PID:2776
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe108⤵
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe109⤵
- System Location Discovery: System Language Discovery
PID:5144 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe110⤵PID:5188
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe111⤵PID:5232
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe112⤵PID:5276
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe113⤵PID:5320
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe114⤵PID:5356
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe115⤵PID:5408
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe116⤵PID:5452
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe117⤵PID:5496
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe118⤵PID:5540
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5584 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe120⤵PID:5628
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe121⤵PID:5672
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe122⤵PID:5716
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5760 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe124⤵PID:5804
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe125⤵PID:5848
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe126⤵PID:5892
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe127⤵
- Drops file in System32 directory
PID:5936 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe128⤵PID:5980
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe129⤵PID:6028
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe130⤵PID:6068
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe131⤵
- System Location Discovery: System Language Discovery
PID:6116 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe132⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe133⤵PID:5200
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe134⤵PID:5260
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe135⤵PID:5340
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe136⤵PID:5416
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe137⤵PID:5480
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe138⤵PID:5548
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe139⤵PID:5620
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe140⤵PID:5684
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe141⤵PID:5756
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe142⤵PID:5792
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe143⤵PID:5884
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe144⤵PID:5956
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe145⤵PID:6060
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe146⤵PID:6108
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe147⤵PID:5156
-
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe148⤵PID:5256
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe149⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe150⤵PID:5492
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe151⤵PID:5528
-
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe152⤵PID:5700
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe153⤵PID:5816
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe154⤵PID:5860
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe155⤵PID:6036
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe156⤵PID:6136
-
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe157⤵PID:5244
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe158⤵PID:5448
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe159⤵
- System Location Discovery: System Language Discovery
PID:5712 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe160⤵PID:5880
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe161⤵PID:6092
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe162⤵PID:5296
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe163⤵PID:5668
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe164⤵PID:5840
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe165⤵PID:5140
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe166⤵PID:5664
-
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe167⤵
- Drops file in System32 directory
PID:6140 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe168⤵PID:6020
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe169⤵PID:6048
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe170⤵PID:6000
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe171⤵
- System Location Discovery: System Language Discovery
PID:6172 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe172⤵PID:6216
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe173⤵PID:6252
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6304 -
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe175⤵PID:6348
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe176⤵PID:6392
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe177⤵PID:6436
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe178⤵PID:6480
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe179⤵PID:6524
-
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe180⤵PID:6568
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe181⤵PID:6608
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe182⤵PID:6656
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe183⤵PID:6700
-
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe184⤵PID:6744
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6788 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe186⤵PID:6832
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe187⤵
- Drops file in System32 directory
PID:6876 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe188⤵PID:6920
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe189⤵
- System Location Discovery: System Language Discovery
PID:6964 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe190⤵PID:7008
-
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe191⤵PID:7052
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe192⤵PID:7084
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe193⤵PID:7128
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe194⤵
- Modifies registry class
PID:6160 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe195⤵PID:6228
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe196⤵
- Drops file in System32 directory
- Modifies registry class
PID:6296 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe197⤵PID:6360
-
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe198⤵PID:6444
-
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe199⤵PID:6516
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe200⤵PID:6580
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe201⤵PID:6652
-
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe202⤵PID:6724
-
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe203⤵PID:6772
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe204⤵PID:6848
-
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe205⤵PID:6912
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe206⤵
- Modifies registry class
PID:7000 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe207⤵PID:7068
-
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe208⤵PID:7124
-
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe209⤵PID:6188
-
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe210⤵
- System Location Discovery: System Language Discovery
PID:6312 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe211⤵PID:6408
-
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe212⤵PID:6500
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe213⤵
- Modifies registry class
PID:6624 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe214⤵PID:6728
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe215⤵PID:6840
-
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe216⤵PID:6956
-
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe217⤵PID:6976
-
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe218⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6164 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe219⤵
- Modifies registry class
PID:6380 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6512 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe221⤵PID:6676
-
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe222⤵
- System Location Discovery: System Language Discovery
PID:6872 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe223⤵PID:7060
-
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe224⤵PID:6224
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe225⤵PID:6456
-
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe226⤵PID:6712
-
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe227⤵PID:7016
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe228⤵PID:6324
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe229⤵
- System Location Discovery: System Language Discovery
PID:6780 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe230⤵PID:7144
-
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe231⤵PID:6556
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe232⤵PID:6356
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe233⤵PID:6428
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe234⤵PID:7044
-
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe235⤵
- Modifies registry class
PID:7204 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe236⤵PID:7248
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe237⤵PID:7296
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe238⤵PID:7340
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe239⤵PID:7384
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe240⤵PID:7428
-
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe241⤵PID:7472
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe242⤵PID:7516