Analysis
-
max time kernel
51s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 10:41
Static task
static1
Behavioral task
behavioral1
Sample
Trojan.Win32.Cerber.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Trojan.Win32.Cerber.exe
Resource
win10v2004-20240802-en
General
-
Target
Trojan.Win32.Cerber.exe
-
Size
80KB
-
MD5
a11bb022ddb64e9da4eab46d1bc8bbb0
-
SHA1
ef25871a960c821368aebb055860aedc7608c9e8
-
SHA256
34169804746468defdd252fbd0e1595ef78ae86f09419260f03663c348044798
-
SHA512
bf2578a4bf49c3eee156e8362804c8102b0c652a79648869c3f8f992cce51aae542b52d85a1965a08562b8056f971cee4ac7fb26bcb5e2eeb4b894980ce7f3e6
-
SSDEEP
1536:V6NS34TAIo2MsaikHya/eztdB8i2LmKaIZTJ+7LhkiB0:IAoAA7aiiya2ztdqZaMU7ui
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Eldiehbk.exeEemnnn32.exeGpidki32.exeIebldo32.exeBddbjhlp.exeJimdcqom.exeCgaaah32.exeNpbklabl.exeNbpghl32.exeBgdkkc32.exeCkjamgmk.exeEibgpnjk.exeIamfdo32.exeAkcomepg.exeCocphf32.exeIlcalnii.exeKpdcfoph.exeBqolji32.exeFamaimfe.exeHcepqh32.exeBmnnkl32.exeFahhnn32.exeKlcgpkhh.exeDifqji32.exeDcllbhdn.exeFdkmeiei.exeKablnadm.exeLdpbpgoh.exeKbmfgk32.exeMloiec32.exeNmabjfek.exeEbnabb32.exeObokcqhk.exeKfibhjlj.exeLgpdglhn.exeBaefnmml.exeJfgebjnm.exeHgflflqg.exeLhhkapeh.exeCjjnhnbl.exeDeakjjbk.exeBjmeiq32.exeOippjl32.exeBogjaamh.exeEeagimdf.exeMfmndn32.exeEhlmljkm.exeLdjbkb32.exeAphjjf32.exeGekfnoog.exeIocgfhhc.exeEeldkonl.exeImodkadq.exeOiafee32.exeFlnlkgjq.exeKadica32.exeNabopjmj.exeMflgih32.exePacajg32.exeAdfbpega.exeDbabho32.exeFdgdji32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldiehbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpidki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbklabl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdkkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibgpnjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpdcfoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqolji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmnnkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcgpkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcllbhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldpbpgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmabjfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnabb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfibhjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpdglhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgebjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgflflqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjnhnbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deakjjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgflflqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeagimdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlmljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocgfhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeldkonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flnlkgjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadica32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pacajg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfbpega.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbabho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgdji32.exe -
Executes dropped EXE 64 IoCs
Processes:
Jlphbbbg.exeJbjpom32.exeKoaqcn32.exeKkgahoel.exeKaajei32.exeKjmnjkjd.exeKgqocoin.exeKpicle32.exeKlpdaf32.exeLfhhjklc.exeLboiol32.exeLldmleam.exeLdpbpgoh.exeLoefnpnn.exeLohccp32.exeLhpglecl.exeMbhlek32.exeMcjhmcok.exeMqnifg32.exeMfjann32.exeMqpflg32.exeMfmndn32.exeMpebmc32.exeMimgeigj.exeMmicfh32.exeMpgobc32.exeNmkplgnq.exeNfdddm32.exeNbjeinje.exeNhgnaehm.exeNbmaon32.exeNhjjgd32.exeNabopjmj.exeNfoghakb.exeOdchbe32.exeOippjl32.exeOjomdoof.exeOlpilg32.exeOdgamdef.exeOffmipej.exeOeindm32.exeOmpefj32.exeOoabmbbe.exeOiffkkbk.exeOhiffh32.exeOococb32.exeObokcqhk.exeOemgplgo.exePlgolf32.exePkjphcff.exePbagipfi.exePepcelel.exePhnpagdp.exePohhna32.exePafdjmkq.exePhqmgg32.exePkoicb32.exePaiaplin.exePplaki32.exePgfjhcge.exePmpbdm32.exePdjjag32.exePkcbnanl.exePleofj32.exepid process 2136 Jlphbbbg.exe 1884 Jbjpom32.exe 2728 Koaqcn32.exe 2900 Kkgahoel.exe 2904 Kaajei32.exe 1900 Kjmnjkjd.exe 2660 Kgqocoin.exe 1912 Kpicle32.exe 780 Klpdaf32.exe 2872 Lfhhjklc.exe 1948 Lboiol32.exe 316 Lldmleam.exe 2252 Ldpbpgoh.exe 2376 Loefnpnn.exe 448 Lohccp32.exe 2072 Lhpglecl.exe 1304 Mbhlek32.exe 1980 Mcjhmcok.exe 692 Mqnifg32.exe 964 Mfjann32.exe 2248 Mqpflg32.exe 2188 Mfmndn32.exe 2444 Mpebmc32.exe 1972 Mimgeigj.exe 808 Mmicfh32.exe 2780 Mpgobc32.exe 2748 Nmkplgnq.exe 2784 Nfdddm32.exe 2760 Nbjeinje.exe 2692 Nhgnaehm.exe 1380 Nbmaon32.exe 2828 Nhjjgd32.exe 2864 Nabopjmj.exe 2944 Nfoghakb.exe 1444 Odchbe32.exe 584 Oippjl32.exe 1640 Ojomdoof.exe 2656 Olpilg32.exe 1500 Odgamdef.exe 1076 Offmipej.exe 988 Oeindm32.exe 1612 Ompefj32.exe 2156 Ooabmbbe.exe 2232 Oiffkkbk.exe 904 Ohiffh32.exe 2428 Oococb32.exe 2084 Obokcqhk.exe 2020 Oemgplgo.exe 2764 Plgolf32.exe 2816 Pkjphcff.exe 2288 Pbagipfi.exe 2736 Pepcelel.exe 2628 Phnpagdp.exe 2548 Pohhna32.exe 3000 Pafdjmkq.exe 2880 Phqmgg32.exe 2968 Pkoicb32.exe 1844 Paiaplin.exe 2324 Pplaki32.exe 2352 Pgfjhcge.exe 1588 Pmpbdm32.exe 672 Pdjjag32.exe 1496 Pkcbnanl.exe 1620 Pleofj32.exe -
Loads dropped DLL 64 IoCs
Processes:
Trojan.Win32.Cerber.exeJlphbbbg.exeJbjpom32.exeKoaqcn32.exeKkgahoel.exeKaajei32.exeKjmnjkjd.exeKgqocoin.exeKpicle32.exeKlpdaf32.exeLfhhjklc.exeLboiol32.exeLldmleam.exeLdpbpgoh.exeLoefnpnn.exeLohccp32.exeLhpglecl.exeMbhlek32.exeMcjhmcok.exeMqnifg32.exeMfjann32.exeMqpflg32.exeMfmndn32.exeMpebmc32.exeMimgeigj.exeMmicfh32.exeMpgobc32.exeNmkplgnq.exeNfdddm32.exeNbjeinje.exeNhgnaehm.exeNbmaon32.exepid process 1648 Trojan.Win32.Cerber.exe 1648 Trojan.Win32.Cerber.exe 2136 Jlphbbbg.exe 2136 Jlphbbbg.exe 1884 Jbjpom32.exe 1884 Jbjpom32.exe 2728 Koaqcn32.exe 2728 Koaqcn32.exe 2900 Kkgahoel.exe 2900 Kkgahoel.exe 2904 Kaajei32.exe 2904 Kaajei32.exe 1900 Kjmnjkjd.exe 1900 Kjmnjkjd.exe 2660 Kgqocoin.exe 2660 Kgqocoin.exe 1912 Kpicle32.exe 1912 Kpicle32.exe 780 Klpdaf32.exe 780 Klpdaf32.exe 2872 Lfhhjklc.exe 2872 Lfhhjklc.exe 1948 Lboiol32.exe 1948 Lboiol32.exe 316 Lldmleam.exe 316 Lldmleam.exe 2252 Ldpbpgoh.exe 2252 Ldpbpgoh.exe 2376 Loefnpnn.exe 2376 Loefnpnn.exe 448 Lohccp32.exe 448 Lohccp32.exe 2072 Lhpglecl.exe 2072 Lhpglecl.exe 1304 Mbhlek32.exe 1304 Mbhlek32.exe 1980 Mcjhmcok.exe 1980 Mcjhmcok.exe 692 Mqnifg32.exe 692 Mqnifg32.exe 964 Mfjann32.exe 964 Mfjann32.exe 2248 Mqpflg32.exe 2248 Mqpflg32.exe 2188 Mfmndn32.exe 2188 Mfmndn32.exe 2444 Mpebmc32.exe 2444 Mpebmc32.exe 1972 Mimgeigj.exe 1972 Mimgeigj.exe 808 Mmicfh32.exe 808 Mmicfh32.exe 2780 Mpgobc32.exe 2780 Mpgobc32.exe 2748 Nmkplgnq.exe 2748 Nmkplgnq.exe 2784 Nfdddm32.exe 2784 Nfdddm32.exe 2760 Nbjeinje.exe 2760 Nbjeinje.exe 2692 Nhgnaehm.exe 2692 Nhgnaehm.exe 1380 Nbmaon32.exe 1380 Nbmaon32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Npbklabl.exeLplbjm32.exeEkhmcelc.exeKmqmod32.exeBhonjg32.exeDifqji32.exeDcghkf32.exeKdeaelok.exeMimgeigj.exeApedah32.exeBqlfaj32.exeJdhifooi.exeNmabjfek.exeBddbjhlp.exeOmpefj32.exeGfkmie32.exeHegpjaac.exeIfbphh32.exeMokilo32.exeOflpgnld.exeKipmhc32.exeMfmndn32.exeDbiocd32.exeQoeamo32.exeMkipao32.exeDnqlmq32.exeDeondj32.exeFmfocnjg.exeQcogbdkg.exeElcpbigl.exeDaaenlng.exeEfljhq32.exeOhiffh32.exeGaihob32.exeApkgpf32.exeDkdmfe32.exeFggmldfp.exeNhjjgd32.exeIphgln32.exeHgciff32.exeJfjolf32.exeIjphofem.exeLnqjnhge.exeFadndbci.exePaaddgkj.exeEifmimch.exeHifbdnbi.exeCbppnbhm.exeGjifodii.exePbagipfi.exePpinkcnp.exeOippjl32.exeOlpilg32.exeFmlbjq32.exeKdbepm32.exeKindeddf.exeJggoqimd.exeImgnjb32.exeIeofkp32.exeKidjdpie.exeQejpoi32.exeCkeqga32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Nbpghl32.exe Npbklabl.exe File created C:\Windows\SysWOW64\Ipafocdg.dll Lplbjm32.exe File created C:\Windows\SysWOW64\Dffocgmn.dll Ekhmcelc.exe File opened for modification C:\Windows\SysWOW64\Kalipcmb.exe Kmqmod32.exe File created C:\Windows\SysWOW64\Nlqmdnof.dll Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Dkdmfe32.exe Difqji32.exe File created C:\Windows\SysWOW64\Ejaphpnp.exe Dcghkf32.exe File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe Kdeaelok.exe File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe Mimgeigj.exe File created C:\Windows\SysWOW64\Accqnc32.exe Apedah32.exe File created C:\Windows\SysWOW64\Hiablm32.dll Bqlfaj32.exe File created C:\Windows\SysWOW64\Ahknna32.dll Jdhifooi.exe File created C:\Windows\SysWOW64\Iinkmi32.dll Nmabjfek.exe File opened for modification C:\Windows\SysWOW64\Bhonjg32.exe Bddbjhlp.exe File created C:\Windows\SysWOW64\Mmicfh32.exe Mimgeigj.exe File created C:\Windows\SysWOW64\Jmgghnmp.dll Ompefj32.exe File opened for modification C:\Windows\SysWOW64\Gmeeepjp.exe Gfkmie32.exe File created C:\Windows\SysWOW64\Chpenm32.dll Hegpjaac.exe File created C:\Windows\SysWOW64\Odecai32.dll Ifbphh32.exe File created C:\Windows\SysWOW64\Ghanagbo.dll Mokilo32.exe File created C:\Windows\SysWOW64\Pnchhllf.exe Oflpgnld.exe File opened for modification C:\Windows\SysWOW64\Kpieengb.exe Kipmhc32.exe File opened for modification C:\Windows\SysWOW64\Mpebmc32.exe Mfmndn32.exe File opened for modification C:\Windows\SysWOW64\Eibgpnjk.exe Dbiocd32.exe File opened for modification C:\Windows\SysWOW64\Aeoijidl.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Fjhqaemi.dll Mkipao32.exe File created C:\Windows\SysWOW64\Nbpghl32.exe Npbklabl.exe File opened for modification C:\Windows\SysWOW64\Dblhmoio.exe Dnqlmq32.exe File created C:\Windows\SysWOW64\Iqdekgib.dll Deondj32.exe File created C:\Windows\SysWOW64\Fpdkpiik.exe Fmfocnjg.exe File opened for modification C:\Windows\SysWOW64\Qkfocaki.exe Qcogbdkg.exe File opened for modification C:\Windows\SysWOW64\Eeldkonl.exe Elcpbigl.exe File opened for modification C:\Windows\SysWOW64\Dgknkf32.exe Daaenlng.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Efljhq32.exe File created C:\Windows\SysWOW64\Oococb32.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Heolqjho.dll Gaihob32.exe File created C:\Windows\SysWOW64\Adfbpega.exe Apkgpf32.exe File created C:\Windows\SysWOW64\Dncibp32.exe Dkdmfe32.exe File created C:\Windows\SysWOW64\Mpbclcja.dll Fggmldfp.exe File created C:\Windows\SysWOW64\Naejdn32.dll Nhjjgd32.exe File created C:\Windows\SysWOW64\Ddjmnoki.dll Iphgln32.exe File created C:\Windows\SysWOW64\Hjaeba32.exe Hgciff32.exe File created C:\Windows\SysWOW64\Lgjdnbkd.dll Jfjolf32.exe File created C:\Windows\SysWOW64\Iblkei32.dll Ijphofem.exe File opened for modification C:\Windows\SysWOW64\Ldjbkb32.exe Lnqjnhge.exe File created C:\Windows\SysWOW64\Kndccd32.dll Fadndbci.exe File opened for modification C:\Windows\SysWOW64\Pdppqbkn.exe Paaddgkj.exe File created C:\Windows\SysWOW64\Licpomcb.dll Eifmimch.exe File created C:\Windows\SysWOW64\Hqnjek32.exe Hifbdnbi.exe File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe Cbppnbhm.exe File opened for modification C:\Windows\SysWOW64\Gqcnln32.exe Gjifodii.exe File created C:\Windows\SysWOW64\Pepcelel.exe Pbagipfi.exe File created C:\Windows\SysWOW64\Kejjjbbm.dll Ppinkcnp.exe File opened for modification C:\Windows\SysWOW64\Ojomdoof.exe Oippjl32.exe File opened for modification C:\Windows\SysWOW64\Odgamdef.exe Olpilg32.exe File created C:\Windows\SysWOW64\Lmnnpb32.dll Fmlbjq32.exe File created C:\Windows\SysWOW64\Kfaalh32.exe Kdbepm32.exe File opened for modification C:\Windows\SysWOW64\Kkpqlm32.exe Kindeddf.exe File opened for modification C:\Windows\SysWOW64\Jfjolf32.exe Jggoqimd.exe File created C:\Windows\SysWOW64\Gjljfn32.dll Imgnjb32.exe File created C:\Windows\SysWOW64\Ekcqmj32.dll Ieofkp32.exe File created C:\Windows\SysWOW64\Mmofpf32.dll Kidjdpie.exe File created C:\Windows\SysWOW64\Mahildbb.dll Qejpoi32.exe File created C:\Windows\SysWOW64\Jefndikl.dll Ckeqga32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6276 6248 WerFault.exe Lbjofi32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Flclam32.exeHgflflqg.exeAgglbp32.exeAnadojlo.exeBoifga32.exeDifqji32.exeHfhfhbce.exeOjomdoof.exeJplfkjbd.exeIgceej32.exeJgjkfi32.exeKbmome32.exeCocphf32.exeCiihklpj.exeGgdcbi32.exePopgboae.exeOdgamdef.exeGhdiokbq.exePfbfhm32.exeEdidqf32.exeLbjofi32.exeKfibhjlj.exeCbdiia32.exeDbfbnddq.exeLjnqdhga.exePmmneg32.exeAdaiee32.exeMpgobc32.exeFhjmfnok.exeNgdjaofc.exePbigmn32.exeAchjibcl.exePjihmmbk.exeMmccqbpm.exeDbabho32.exeIfbphh32.exePioeoi32.exeBogjaamh.exeHohkmj32.exeCaifjn32.exeCnkjnb32.exeEdlhqlfi.exeQhilkege.exeBcpimq32.exeDnqlmq32.exeMimgeigj.exeIieepbje.exeDnjoco32.exeJabponba.exeKpicle32.exeCfmhdpnc.exeEkmfne32.exeNpdhaq32.exeOnqkclni.exeApmcefmf.exePbagipfi.exeImgnjb32.exeMkdffoij.exeQhkipdeb.exeEicpcm32.exeEojlbb32.exeDcllbhdn.exeLboiol32.exePafdjmkq.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgflflqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhfhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplfkjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmome32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdcbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbfbnddq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnqdhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjmfnok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmccqbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pioeoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caifjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlhqlfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpimq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimgeigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iieepbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabponba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpicle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmfne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdffoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkipdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcllbhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe -
Modifies registry class 64 IoCs
Processes:
Jfohgepi.exeEkhmcelc.exeFhjmfnok.exeHcajhi32.exeMfgnnhkc.exeIoeclg32.exeJabponba.exeHbidne32.exeKbmfgk32.exeKeeeje32.exeOfqmcj32.exeEjaphpnp.exeGgfpgi32.exeOmckoi32.exeBaefnmml.exeOeindm32.exeBmnnkl32.exeDinneo32.exePaiaplin.exeOdkgec32.exeCoicfd32.exeKalipcmb.exeNabopjmj.exeFapeic32.exeKmqmod32.exeCceogcfj.exeEoebgcol.exeJibnop32.exePbagipfi.exeFlapkmlj.exeLjnqdhga.exeApedah32.exeIfgicg32.exeHaqnea32.exeBoifga32.exeIgceej32.exeNmabjfek.exeOhfcfb32.exeBkbdabog.exeFggmldfp.exeIakino32.exePkcbnanl.exeEhlmljkm.exeLpflkb32.exeDokfme32.exeJmdgipkk.exeObjjnkie.exeCileqlmg.exeJajmjcoe.exeOmpefj32.exeObokcqhk.exeDgnjqe32.exeJpbcek32.exeBjmeiq32.exeFofbhgde.exeDblhmoio.exeHqiqjlga.exeHmpaom32.exeKfibhjlj.exeLopfhk32.exeNjgpij32.exeFkhibino.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dffocgmn.dll" Ekhmcelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhjmfnok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcajhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkijcgjo.dll" Mfgnnhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmhh32.dll" Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjkcehe.dll" Ofqmcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejaphpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbccnjjb.dll" Ggfpgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqhpm32.dll" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dinneo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odkgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coicfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kalipcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplagm32.dll" Fapeic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnllhjif.dll" Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceogcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flapkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" Apedah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmiff32.dll" Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkbdabog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggmldfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehlmljkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpflkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll" Jmdgipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faphfl32.dll" Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll" Bmnnkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obobnb32.dll" Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" Ompefj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" Dgnjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" Bjmeiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dblhmoio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlojnpb.dll" Kfibhjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdlojdbk.dll" Lopfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njgpij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkhibino.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Trojan.Win32.Cerber.exeJlphbbbg.exeJbjpom32.exeKoaqcn32.exeKkgahoel.exeKaajei32.exeKjmnjkjd.exeKgqocoin.exeKpicle32.exeKlpdaf32.exeLfhhjklc.exeLboiol32.exeLldmleam.exeLdpbpgoh.exeLoefnpnn.exeLohccp32.exedescription pid process target process PID 1648 wrote to memory of 2136 1648 Trojan.Win32.Cerber.exe Jlphbbbg.exe PID 1648 wrote to memory of 2136 1648 Trojan.Win32.Cerber.exe Jlphbbbg.exe PID 1648 wrote to memory of 2136 1648 Trojan.Win32.Cerber.exe Jlphbbbg.exe PID 1648 wrote to memory of 2136 1648 Trojan.Win32.Cerber.exe Jlphbbbg.exe PID 2136 wrote to memory of 1884 2136 Jlphbbbg.exe Jbjpom32.exe PID 2136 wrote to memory of 1884 2136 Jlphbbbg.exe Jbjpom32.exe PID 2136 wrote to memory of 1884 2136 Jlphbbbg.exe Jbjpom32.exe PID 2136 wrote to memory of 1884 2136 Jlphbbbg.exe Jbjpom32.exe PID 1884 wrote to memory of 2728 1884 Jbjpom32.exe Koaqcn32.exe PID 1884 wrote to memory of 2728 1884 Jbjpom32.exe Koaqcn32.exe PID 1884 wrote to memory of 2728 1884 Jbjpom32.exe Koaqcn32.exe PID 1884 wrote to memory of 2728 1884 Jbjpom32.exe Koaqcn32.exe PID 2728 wrote to memory of 2900 2728 Koaqcn32.exe Kkgahoel.exe PID 2728 wrote to memory of 2900 2728 Koaqcn32.exe Kkgahoel.exe PID 2728 wrote to memory of 2900 2728 Koaqcn32.exe Kkgahoel.exe PID 2728 wrote to memory of 2900 2728 Koaqcn32.exe Kkgahoel.exe PID 2900 wrote to memory of 2904 2900 Kkgahoel.exe Kaajei32.exe PID 2900 wrote to memory of 2904 2900 Kkgahoel.exe Kaajei32.exe PID 2900 wrote to memory of 2904 2900 Kkgahoel.exe Kaajei32.exe PID 2900 wrote to memory of 2904 2900 Kkgahoel.exe Kaajei32.exe PID 2904 wrote to memory of 1900 2904 Kaajei32.exe Kjmnjkjd.exe PID 2904 wrote to memory of 1900 2904 Kaajei32.exe Kjmnjkjd.exe PID 2904 wrote to memory of 1900 2904 Kaajei32.exe Kjmnjkjd.exe PID 2904 wrote to memory of 1900 2904 Kaajei32.exe Kjmnjkjd.exe PID 1900 wrote to memory of 2660 1900 Kjmnjkjd.exe Kgqocoin.exe PID 1900 wrote to memory of 2660 1900 Kjmnjkjd.exe Kgqocoin.exe PID 1900 wrote to memory of 2660 1900 Kjmnjkjd.exe Kgqocoin.exe PID 1900 wrote to memory of 2660 1900 Kjmnjkjd.exe Kgqocoin.exe PID 2660 wrote to memory of 1912 2660 Kgqocoin.exe Kpicle32.exe PID 2660 wrote to memory of 1912 2660 Kgqocoin.exe Kpicle32.exe PID 2660 wrote to memory of 1912 2660 Kgqocoin.exe Kpicle32.exe PID 2660 wrote to memory of 1912 2660 Kgqocoin.exe Kpicle32.exe PID 1912 wrote to memory of 780 1912 Kpicle32.exe Klpdaf32.exe PID 1912 wrote to memory of 780 1912 Kpicle32.exe Klpdaf32.exe PID 1912 wrote to memory of 780 1912 Kpicle32.exe Klpdaf32.exe PID 1912 wrote to memory of 780 1912 Kpicle32.exe Klpdaf32.exe PID 780 wrote to memory of 2872 780 Klpdaf32.exe Lfhhjklc.exe PID 780 wrote to memory of 2872 780 Klpdaf32.exe Lfhhjklc.exe PID 780 wrote to memory of 2872 780 Klpdaf32.exe Lfhhjklc.exe PID 780 wrote to memory of 2872 780 Klpdaf32.exe Lfhhjklc.exe PID 2872 wrote to memory of 1948 2872 Lfhhjklc.exe Lboiol32.exe PID 2872 wrote to memory of 1948 2872 Lfhhjklc.exe Lboiol32.exe PID 2872 wrote to memory of 1948 2872 Lfhhjklc.exe Lboiol32.exe PID 2872 wrote to memory of 1948 2872 Lfhhjklc.exe Lboiol32.exe PID 1948 wrote to memory of 316 1948 Lboiol32.exe Lldmleam.exe PID 1948 wrote to memory of 316 1948 Lboiol32.exe Lldmleam.exe PID 1948 wrote to memory of 316 1948 Lboiol32.exe Lldmleam.exe PID 1948 wrote to memory of 316 1948 Lboiol32.exe Lldmleam.exe PID 316 wrote to memory of 2252 316 Lldmleam.exe Ldpbpgoh.exe PID 316 wrote to memory of 2252 316 Lldmleam.exe Ldpbpgoh.exe PID 316 wrote to memory of 2252 316 Lldmleam.exe Ldpbpgoh.exe PID 316 wrote to memory of 2252 316 Lldmleam.exe Ldpbpgoh.exe PID 2252 wrote to memory of 2376 2252 Ldpbpgoh.exe Loefnpnn.exe PID 2252 wrote to memory of 2376 2252 Ldpbpgoh.exe Loefnpnn.exe PID 2252 wrote to memory of 2376 2252 Ldpbpgoh.exe Loefnpnn.exe PID 2252 wrote to memory of 2376 2252 Ldpbpgoh.exe Loefnpnn.exe PID 2376 wrote to memory of 448 2376 Loefnpnn.exe Lohccp32.exe PID 2376 wrote to memory of 448 2376 Loefnpnn.exe Lohccp32.exe PID 2376 wrote to memory of 448 2376 Loefnpnn.exe Lohccp32.exe PID 2376 wrote to memory of 448 2376 Loefnpnn.exe Lohccp32.exe PID 448 wrote to memory of 2072 448 Lohccp32.exe Lhpglecl.exe PID 448 wrote to memory of 2072 448 Lohccp32.exe Lhpglecl.exe PID 448 wrote to memory of 2072 448 Lohccp32.exe Lhpglecl.exe PID 448 wrote to memory of 2072 448 Lohccp32.exe Lhpglecl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe35⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe36⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe41⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe44⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe45⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe47⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe49⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe50⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe51⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe53⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe55⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe57⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe58⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe60⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe61⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe62⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe63⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe65⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe66⤵PID:2236
-
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe67⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe68⤵PID:2512
-
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe69⤵PID:2100
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe70⤵PID:2528
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe71⤵PID:2808
-
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe72⤵PID:2644
-
C:\Windows\SysWOW64\Apedah32.exeC:\Windows\system32\Apedah32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe74⤵PID:2208
-
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe75⤵PID:3044
-
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe76⤵PID:2680
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe77⤵PID:3064
-
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe78⤵PID:2068
-
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe79⤵PID:2144
-
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe80⤵
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe81⤵PID:700
-
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1276 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe83⤵PID:1244
-
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe84⤵PID:1860
-
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe85⤵PID:2012
-
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe86⤵PID:2104
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe87⤵PID:1960
-
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe88⤵PID:2768
-
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe89⤵PID:2964
-
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe90⤵PID:2632
-
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe91⤵PID:2868
-
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe92⤵PID:1448
-
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe94⤵PID:2316
-
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe95⤵PID:2056
-
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe96⤵PID:1828
-
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe98⤵PID:608
-
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe99⤵PID:1824
-
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe100⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe101⤵PID:1492
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe102⤵PID:2488
-
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe103⤵PID:2924
-
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe104⤵PID:2672
-
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe105⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe106⤵
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe107⤵PID:1480
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe109⤵PID:1232
-
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe110⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe111⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe114⤵PID:2820
-
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe118⤵PID:2836
-
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe119⤵PID:2392
-
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe120⤵PID:2504
-
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe121⤵PID:572
-
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe122⤵PID:1772
-
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe123⤵PID:1712
-
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe124⤵PID:2812
-
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe126⤵PID:1876
-
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe127⤵PID:1680
-
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe128⤵PID:380
-
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe129⤵PID:2996
-
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe130⤵PID:2372
-
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe131⤵PID:1632
-
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe132⤵PID:2108
-
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe133⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe134⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe135⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Dipjkn32.exeC:\Windows\system32\Dipjkn32.exe136⤵PID:1200
-
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe137⤵PID:1728
-
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe138⤵PID:2440
-
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe139⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe141⤵PID:1440
-
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe142⤵PID:2524
-
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe143⤵PID:1816
-
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe144⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe145⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe147⤵PID:2988
-
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe148⤵
- Drops file in System32 directory
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe149⤵PID:1392
-
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe150⤵PID:872
-
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe152⤵PID:2972
-
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe153⤵PID:292
-
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe154⤵PID:1064
-
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe155⤵PID:1460
-
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe156⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe157⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe158⤵PID:1780
-
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe159⤵PID:2796
-
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe160⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe161⤵PID:2876
-
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe162⤵PID:1652
-
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe163⤵PID:2744
-
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe164⤵
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe165⤵PID:1556
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe166⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe167⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe168⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe169⤵PID:2856
-
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe170⤵PID:2552
-
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe171⤵PID:2172
-
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe172⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe173⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe174⤵PID:3112
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe175⤵PID:3152
-
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe176⤵PID:3192
-
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe177⤵PID:3232
-
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe178⤵
- System Location Discovery: System Language Discovery
PID:3272 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe179⤵PID:3312
-
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe180⤵
- Drops file in System32 directory
PID:3352 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe181⤵PID:3392
-
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe182⤵
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe183⤵PID:3476
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe184⤵PID:3516
-
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe185⤵PID:3556
-
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe186⤵PID:3596
-
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe187⤵
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe188⤵PID:3676
-
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe189⤵PID:3716
-
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe190⤵PID:3756
-
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe191⤵
- Drops file in System32 directory
PID:3796 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe192⤵PID:3836
-
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe193⤵
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe194⤵PID:3916
-
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe195⤵PID:3960
-
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe196⤵
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe197⤵PID:4040
-
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe198⤵PID:4080
-
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe199⤵PID:3088
-
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe200⤵PID:3144
-
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe201⤵
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe202⤵
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3292 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe204⤵PID:3348
-
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe205⤵PID:3380
-
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe206⤵PID:3440
-
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe207⤵PID:3496
-
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe208⤵PID:3552
-
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe209⤵
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe210⤵PID:3624
-
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe211⤵PID:3688
-
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe212⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3732 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe213⤵
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe214⤵PID:3828
-
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe215⤵PID:3892
-
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe216⤵PID:3932
-
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe217⤵
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe218⤵PID:4036
-
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe219⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe220⤵PID:3108
-
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe221⤵PID:3180
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe222⤵
- Drops file in System32 directory
PID:3220 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3304 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe224⤵PID:3372
-
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe225⤵
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe226⤵
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3564 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe228⤵PID:3604
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe229⤵PID:3692
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe230⤵PID:3736
-
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe231⤵PID:3804
-
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe232⤵PID:3864
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe233⤵PID:3936
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe234⤵PID:4012
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe235⤵PID:4068
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe236⤵PID:3096
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe237⤵PID:3172
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe238⤵PID:3256
-
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe239⤵PID:3328
-
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe240⤵PID:3368
-
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe241⤵
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe242⤵
- Drops file in System32 directory
PID:3572