Analysis
max time kernel: 44s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 11:12

Static task: static1
Behavioral task: behavioral1
Sample: Trojan.Win32.Cerber.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: Trojan.Win32.Cerber.exe
Resource: win10v2004-20240802-en
General
Target: Trojan.Win32.Cerber.exe
Size: 80KB
MD5: 47392928d933392cf8a6966163c70fd0
SHA1: 8f567204f8be07bc083ced872177d713822f727b
SHA256: eee4dbe01a4a6541aa2f2c4797e4eebf217c1e8f75cb69ae108f9952910546b1
SHA512: ea5f8416032ecde13d533b30628ca07195ff540540b8d436c9b382ff6c96b8008509d3f7bf74d457d44a7a41fe9faf14fa8d9abee7e920cdc87a5723a2107d6f
SSDEEP: 1536:8TbYyS8OF2l8K1V+3DURqJIFvJokqGQ2LcaIZTJ+7LhkiB0:8TbYYO2l8K1V6DUkJI3vqGcaMU7ui
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoCs)
Processes:
pid    pid_target   process        target process
5520   5384         WerFault.exe   Gmmgobfd.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
"Apartment" Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lendnaic.dll" Lcnqin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naofga32.dll" Noighakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjjcdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehilgikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikhqbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmcpqfba.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry is spawned by the one before it; the number is its depth in the process tree, followed by the image path, the command line it was launched with, its PID and the behaviours observed for it.

1. C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe, launched as "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe" (PID 2528): Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Adekhkng.exe, launched as C:\Windows\system32\Adekhkng.exe (PID 2696): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Agchdfmk.exe, launched as C:\Windows\system32\Agchdfmk.exe (PID 2180): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Alqplmlb.exe, launched as C:\Windows\system32\Alqplmlb.exe (PID 2984): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bcjhig32.exe, launched as C:\Windows\system32\Bcjhig32.exe (PID 2876): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Bjdqfajl.exe, launched as C:\Windows\system32\Bjdqfajl.exe (PID 2872): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Blcmbmip.exe, launched as C:\Windows\system32\Blcmbmip.exe (PID 2640): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Bjgmka32.exe, launched as C:\Windows\system32\Bjgmka32.exe (PID 1556): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Bkhjcing.exe, launched as C:\Windows\system32\Bkhjcing.exe (PID 2648): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Bdpnlo32.exe, launched as C:\Windows\system32\Bdpnlo32.exe (PID 2496): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Bofbih32.exe, launched as C:\Windows\system32\Bofbih32.exe (PID 1820): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Bdbkaoce.exe, launched as C:\Windows\system32\Bdbkaoce.exe (PID 2520): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Bgagnjbi.exe, launched as C:\Windows\system32\Bgagnjbi.exe (PID 2904): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Bqilfp32.exe, launched as C:\Windows\system32\Bqilfp32.exe (PID 1972): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bhqdgm32.exe, launched as C:\Windows\system32\Bhqdgm32.exe (PID 2428): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Cnmlpd32.exe, launched as C:\Windows\system32\Cnmlpd32.exe (PID 2184): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Cdgdlnop.exe, launched as C:\Windows\system32\Cdgdlnop.exe (PID 1888): Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Cnpieceq.exe, launched as C:\Windows\system32\Cnpieceq.exe (PID 236): Executes dropped EXE; Loads dropped DLL; Modifies registry class
19. C:\Windows\SysWOW64\Cmbiap32.exe, launched as C:\Windows\system32\Cmbiap32.exe (PID 1000): Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Cfknjfbl.exe, launched as C:\Windows\system32\Cfknjfbl.exe (PID 1908): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Cnbfkccn.exe, launched as C:\Windows\system32\Cnbfkccn.exe (PID 1560): Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Cqqbgoba.exe, launched as C:\Windows\system32\Cqqbgoba.exe (PID 1292): Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Cgjjdijo.exe, launched as C:\Windows\system32\Cgjjdijo.exe (PID 2456): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Cilfka32.exe, launched as C:\Windows\system32\Cilfka32.exe (PID 1612): Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Cmgblphf.exe, launched as C:\Windows\system32\Cmgblphf.exe (PID 3068): Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Cjkcedgp.exe, launched as C:\Windows\system32\Cjkcedgp.exe (PID 2540): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
27. C:\Windows\SysWOW64\Cincaq32.exe, launched as C:\Windows\system32\Cincaq32.exe (PID 2968): Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Cklpml32.exe, launched as C:\Windows\system32\Cklpml32.exe (PID 2632): Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Dfbdje32.exe, launched as C:\Windows\system32\Dfbdje32.exe (PID 1068): Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Dippfplg.exe, launched as C:\Windows\system32\Dippfplg.exe (PID 2684): Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Dkolblkk.exe, launched as C:\Windows\system32\Dkolblkk.exe (PID 1712): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
32. C:\Windows\SysWOW64\Dbidof32.exe, launched as C:\Windows\system32\Dbidof32.exe (PID 2452): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
33. C:\Windows\SysWOW64\Degqka32.exe, launched as C:\Windows\system32\Degqka32.exe (PID 2580): Executes dropped EXE
34. C:\Windows\SysWOW64\Dgemgm32.exe, launched as C:\Windows\system32\Dgemgm32.exe (PID 888): Executes dropped EXE
35. C:\Windows\SysWOW64\Dkaihkih.exe, launched as C:\Windows\system32\Dkaihkih.exe (PID 2896): Executes dropped EXE
36. C:\Windows\SysWOW64\Dbkaee32.exe, launched as C:\Windows\system32\Dbkaee32.exe (PID 2932): Executes dropped EXE
37. C:\Windows\SysWOW64\Danaqbgp.exe, launched as C:\Windows\system32\Danaqbgp.exe (PID 2156): Executes dropped EXE
38. C:\Windows\SysWOW64\Dieiap32.exe, launched as C:\Windows\system32\Dieiap32.exe (PID 2424): Executes dropped EXE
39. C:\Windows\SysWOW64\Dghjmlnm.exe, launched as C:\Windows\system32\Dghjmlnm.exe (PID 2208): Executes dropped EXE; System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Djffihmp.exe, launched as C:\Windows\system32\Djffihmp.exe (PID 2272): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
41. C:\Windows\SysWOW64\Dnbbjf32.exe, launched as C:\Windows\system32\Dnbbjf32.exe (PID 892): Executes dropped EXE
42. C:\Windows\SysWOW64\Dapnfb32.exe, launched as C:\Windows\system32\Dapnfb32.exe (PID 2164): Executes dropped EXE
43. C:\Windows\SysWOW64\Deljfqmf.exe, launched as C:\Windows\system32\Deljfqmf.exe (PID 584): Executes dropped EXE
44. C:\Windows\SysWOW64\Dgjfbllj.exe, launched as C:\Windows\system32\Dgjfbllj.exe (PID 1356): Executes dropped EXE
45. C:\Windows\SysWOW64\Dndoof32.exe, launched as C:\Windows\system32\Dndoof32.exe (PID 624): Executes dropped EXE
46. C:\Windows\SysWOW64\Dmgokcja.exe, launched as C:\Windows\system32\Dmgokcja.exe (PID 928): Executes dropped EXE; Drops file in System32 directory
47. C:\Windows\SysWOW64\Denglpkc.exe, launched as C:\Windows\system32\Denglpkc.exe (PID 1372): Executes dropped EXE
48. C:\Windows\SysWOW64\Dhmchljg.exe, launched as C:\Windows\system32\Dhmchljg.exe (PID 1276): Executes dropped EXE
49. C:\Windows\SysWOW64\Djkodg32.exe, launched as C:\Windows\system32\Djkodg32.exe (PID 588): Executes dropped EXE
50. C:\Windows\SysWOW64\Djkodg32.exe, launched as C:\Windows\system32\Djkodg32.exe (PID 1920): Executes dropped EXE
51. C:\Windows\SysWOW64\Dnfkefad.exe, launched as C:\Windows\system32\Dnfkefad.exe (PID 2764): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
52. C:\Windows\SysWOW64\Eaegaaah.exe, launched as C:\Windows\system32\Eaegaaah.exe (PID 2728): Executes dropped EXE
53. C:\Windows\SysWOW64\Eccdmmpk.exe, launched as C:\Windows\system32\Eccdmmpk.exe (PID 2076): Executes dropped EXE; Modifies registry class
54. C:\Windows\SysWOW64\Ehopnk32.exe, launched as C:\Windows\system32\Ehopnk32.exe (PID 2060): Executes dropped EXE; Modifies registry class
55. C:\Windows\SysWOW64\Ejmljg32.exe, launched as C:\Windows\system32\Ejmljg32.exe (PID 1140): Executes dropped EXE; Drops file in System32 directory
56. C:\Windows\SysWOW64\Emlhfb32.exe, launched as C:\Windows\system32\Emlhfb32.exe (PID 2092): Executes dropped EXE
57. C:\Windows\SysWOW64\Eagdgaoe.exe, launched as C:\Windows\system32\Eagdgaoe.exe (PID 2244): Executes dropped EXE
58. C:\Windows\SysWOW64\Ebhani32.exe, launched as C:\Windows\system32\Ebhani32.exe (PID 1964): Executes dropped EXE; System Location Discovery: System Language Discovery
59. C:\Windows\SysWOW64\Efdmohmm.exe, launched as C:\Windows\system32\Efdmohmm.exe (PID 1924): Executes dropped EXE; Drops file in System32 directory
60. C:\Windows\SysWOW64\Ejpipf32.exe, launched as C:\Windows\system32\Ejpipf32.exe (PID 1056): Executes dropped EXE
61. C:\Windows\SysWOW64\Emnelbdi.exe, launched as C:\Windows\system32\Emnelbdi.exe (PID 1156): Executes dropped EXE
62. C:\Windows\SysWOW64\Epmahmcm.exe, launched as C:\Windows\system32\Epmahmcm.exe (PID 2160): Executes dropped EXE; System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Edhmhl32.exe, launched as C:\Windows\system32\Edhmhl32.exe (PID 2256): Executes dropped EXE
64. C:\Windows\SysWOW64\Effidg32.exe, launched as C:\Windows\system32\Effidg32.exe (PID 2992): Executes dropped EXE
65. C:\Windows\SysWOW64\Eiefqc32.exe, launched as C:\Windows\system32\Eiefqc32.exe (PID 2340): Executes dropped EXE
66. C:\Windows\SysWOW64\Elcbmn32.exe, launched as C:\Windows\system32\Elcbmn32.exe (PID 2472): System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Eponmmaj.exe, launched as C:\Windows\system32\Eponmmaj.exe (PID 1804): System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Eoanij32.exe, launched as C:\Windows\system32\Eoanij32.exe (PID 1628): Drops file in System32 directory; Modifies registry class
69. C:\Windows\SysWOW64\Efifjg32.exe, launched as C:\Windows\system32\Efifjg32.exe (PID 2572)
70. C:\Windows\SysWOW64\Eelfedpa.exe, launched as C:\Windows\system32\Eelfedpa.exe (PID 1776): Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Ehjbaooe.exe, launched as C:\Windows\system32\Ehjbaooe.exe (PID 2324)
72. C:\Windows\SysWOW64\Epakcm32.exe, launched as C:\Windows\system32\Epakcm32.exe (PID 2832): System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Eodknifb.exe, launched as C:\Windows\system32\Eodknifb.exe (PID 2748)
74. C:\Windows\SysWOW64\Eabgjeef.exe, launched as C:\Windows\system32\Eabgjeef.exe (PID 2880)
75. C:\Windows\SysWOW64\Fijolbfh.exe, launched as C:\Windows\system32\Fijolbfh.exe (PID 904): Modifies registry class
76. C:\Windows\SysWOW64\Flhkhnel.exe, launched as C:\Windows\system32\Flhkhnel.exe (PID 2084)
77. C:\Windows\SysWOW64\Fofhdidp.exe, launched as C:\Windows\system32\Fofhdidp.exe (PID 2596)
78. C:\Windows\SysWOW64\Faedpdcc.exe, launched as C:\Windows\system32\Faedpdcc.exe (PID 2500)
79. C:\Windows\SysWOW64\Feppqc32.exe, launched as C:\Windows\system32\Feppqc32.exe (PID 684)
80. C:\Windows\SysWOW64\Fholmo32.exe, launched as C:\Windows\system32\Fholmo32.exe (PID 2124)
81. C:\Windows\SysWOW64\Fljhmmci.exe, launched as C:\Windows\system32\Fljhmmci.exe (PID 2568): System Location Discovery: System Language Discovery; Modifies registry class
82. C:\Windows\SysWOW64\Fkmhij32.exe, launched as C:\Windows\system32\Fkmhij32.exe (PID 2220): Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Fbdpjgjf.exe, launched as C:\Windows\system32\Fbdpjgjf.exe (PID 864): Drops file in System32 directory
84. C:\Windows\SysWOW64\Febmfcjj.exe, launched as C:\Windows\system32\Febmfcjj.exe (PID 1228): System Location Discovery: System Language Discovery
85. C:\Windows\SysWOW64\Fdemap32.exe, launched as C:\Windows\system32\Fdemap32.exe (PID 1760): Drops file in System32 directory
86. C:\Windows\SysWOW64\Fkpeojha.exe, launched as C:\Windows\system32\Fkpeojha.exe (PID 592)
87. C:\Windows\SysWOW64\Fokaoh32.exe, launched as C:\Windows\system32\Fokaoh32.exe (PID 968)
88. C:\Windows\SysWOW64\Fmnakege.exe, launched as C:\Windows\system32\Fmnakege.exe (PID 1616)
89. C:\Windows\SysWOW64\Fdhigo32.exe, launched as C:\Windows\system32\Fdhigo32.exe (PID 2020): Drops file in System32 directory
90. C:\Windows\SysWOW64\Fkbadifn.exe, launched as C:\Windows\system32\Fkbadifn.exe (PID 2852): System Location Discovery: System Language Discovery
91. C:\Windows\SysWOW64\Fomndhng.exe, launched as C:\Windows\system32\Fomndhng.exe (PID 2660): Modifies registry class
92. C:\Windows\SysWOW64\Faljqcmk.exe, launched as C:\Windows\system32\Faljqcmk.exe (PID 3028): System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Fpojlp32.exe, launched as C:\Windows\system32\Fpojlp32.exe (PID 2116): System Location Discovery: System Language Discovery; Modifies registry class
94. C:\Windows\SysWOW64\Fgibijkb.exe, launched as C:\Windows\system32\Fgibijkb.exe (PID 2712)
95. C:\Windows\SysWOW64\Figoefkf.exe, launched as C:\Windows\system32\Figoefkf.exe (PID 988): System Location Discovery: System Language Discovery
96. C:\Windows\SysWOW64\Fmbkfd32.exe, launched as C:\Windows\system32\Fmbkfd32.exe (PID 1932)
97. C:\Windows\SysWOW64\Gpagbp32.exe, launched as C:\Windows\system32\Gpagbp32.exe (PID 1040)
98. C:\Windows\SysWOW64\Gdmcbojl.exe, launched as C:\Windows\system32\Gdmcbojl.exe (PID 1128)
99. C:\Windows\SysWOW64\Gcocnk32.exe, launched as C:\Windows\system32\Gcocnk32.exe (PID 1740)
100. C:\Windows\SysWOW64\Gkfkoi32.exe, launched as C:\Windows\system32\Gkfkoi32.exe (PID 1480): System Location Discovery: System Language Discovery
101. C:\Windows\SysWOW64\Glhhgahg.exe, launched as C:\Windows\system32\Glhhgahg.exe (PID 2372)
102. C:\Windows\SysWOW64\Gpccgppq.exe, launched as C:\Windows\system32\Gpccgppq.exe (PID 2524): Adds autorun key to be loaded by Explorer.exe on startup
103. C:\Windows\SysWOW64\Gcapckod.exe, launched as C:\Windows\system32\Gcapckod.exe (PID 2756): Modifies registry class
104. C:\Windows\SysWOW64\Geplpfnh.exe, launched as C:\Windows\system32\Geplpfnh.exe (PID 2620)
105. C:\Windows\SysWOW64\Gilhpe32.exe, launched as C:\Windows\system32\Gilhpe32.exe (PID 2460)
106. C:\Windows\SysWOW64\Gngdadoj.exe, launched as C:\Windows\system32\Gngdadoj.exe (PID 2068): Drops file in System32 directory
107. C:\Windows\SysWOW64\Gpfpmonn.exe, launched as C:\Windows\system32\Gpfpmonn.exe (PID 1892)
108. C:\Windows\SysWOW64\Gcdmikma.exe, launched as C:\Windows\system32\Gcdmikma.exe (PID 2908): Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Gebiefle.exe, launched as C:\Windows\system32\Gebiefle.exe (PID 2040)
110. C:\Windows\SysWOW64\Ghaeaaki.exe, launched as C:\Windows\system32\Ghaeaaki.exe (PID 2176)
111. C:\Windows\SysWOW64\Gphmbolk.exe, launched as C:\Windows\system32\Gphmbolk.exe (PID 1512)
112. C:\Windows\SysWOW64\Gokmnlcf.exe, launched as C:\Windows\system32\Gokmnlcf.exe (PID 360): Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Gcfioj32.exe, launched as C:\Windows\system32\Gcfioj32.exe (PID 1700): Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Gaiijgbi.exe, launched as C:\Windows\system32\Gaiijgbi.exe (PID 1464)
115. C:\Windows\SysWOW64\Gjpakdbl.exe, launched as C:\Windows\system32\Gjpakdbl.exe (PID 2536)
116. C:\Windows\SysWOW64\Ghcbga32.exe, launched as C:\Windows\system32\Ghcbga32.exe (PID 2664): Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Glongpao.exe, launched as C:\Windows\system32\Glongpao.exe (PID 2328)
118. C:\Windows\SysWOW64\Gcifdj32.exe, launched as C:\Windows\system32\Gcifdj32.exe (PID 2188)
119. C:\Windows\SysWOW64\Galfpgpg.exe, launched as C:\Windows\system32\Galfpgpg.exe (PID 1752)
120. C:\Windows\SysWOW64\Gdjblboj.exe, launched as C:\Windows\system32\Gdjblboj.exe (PID 1268)
121. C:\Windows\SysWOW64\Glajmppm.exe, launched as C:\Windows\system32\Glajmppm.exe (PID 2216)
122. C:\Windows\SysWOW64\Hkdkhl32.exe, launched as C:\Windows\system32\Hkdkhl32.exe (PID 2492): Drops file in System32 directory
123. C:\Windows\SysWOW64\Hnbgdh32.exe, launched as C:\Windows\system32\Hnbgdh32.exe (PID 1724)
124. C:\Windows\SysWOW64\Hfiofefm.exe, launched as C:\Windows\system32\Hfiofefm.exe (PID 1400): Adds autorun key to be loaded by Explorer.exe on startup
125. C:\Windows\SysWOW64\Hhhkbqea.exe, launched as C:\Windows\system32\Hhhkbqea.exe (PID 2376): System Location Discovery: System Language Discovery
126. C:\Windows\SysWOW64\Hgkknm32.exe, launched as C:\Windows\system32\Hgkknm32.exe (PID 2636)
127. C:\Windows\SysWOW64\Hobcok32.exe, launched as C:\Windows\system32\Hobcok32.exe (PID 3040)
128. C:\Windows\SysWOW64\Happkf32.exe, launched as C:\Windows\system32\Happkf32.exe (PID 1124): System Location Discovery: System Language Discovery
129. C:\Windows\SysWOW64\Hdolga32.exe, launched as C:\Windows\system32\Hdolga32.exe (PID 1328): Drops file in System32 directory
130. C:\Windows\SysWOW64\Hhjhgpcn.exe, launched as C:\Windows\system32\Hhjhgpcn.exe (PID 2988): Modifies registry class
131. C:\Windows\SysWOW64\Hgmhcm32.exe, launched as C:\Windows\system32\Hgmhcm32.exe (PID 1160)
132. C:\Windows\SysWOW64\Hkidclbb.exe, launched as C:\Windows\system32\Hkidclbb.exe (PID 2280)
133. C:\Windows\SysWOW64\Hngppgae.exe, launched as C:\Windows\system32\Hngppgae.exe (PID 2476): Modifies registry class
134. C:\Windows\SysWOW64\Hqemlbqi.exe, launched as C:\Windows\system32\Hqemlbqi.exe (PID 2544): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
135. C:\Windows\SysWOW64\Hcdihn32.exe, launched as C:\Windows\system32\Hcdihn32.exe (PID 2676)
136. C:\Windows\SysWOW64\Hgpeimhf.exe, launched as C:\Windows\system32\Hgpeimhf.exe (PID 2688): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
137. C:\Windows\SysWOW64\Hnimeg32.exe, launched as C:\Windows\system32\Hnimeg32.exe (PID 1604)
138. C:\Windows\SysWOW64\Hqhiab32.exe, launched as C:\Windows\system32\Hqhiab32.exe (PID 1768)
139. C:\Windows\SysWOW64\Hcfenn32.exe, launched as C:\Windows\system32\Hcfenn32.exe (PID 2980): Adds autorun key to be loaded by Explorer.exe on startup
140. C:\Windows\SysWOW64\Hfdbji32.exe, launched as C:\Windows\system32\Hfdbji32.exe (PID 1312): Modifies registry class
141. C:\Windows\SysWOW64\Hnljkf32.exe, launched as C:\Windows\system32\Hnljkf32.exe (PID 1492): Drops file in System32 directory
142. C:\Windows\SysWOW64\Hmojfcdk.exe, launched as C:\Windows\system32\Hmojfcdk.exe (PID 2920)
143. C:\Windows\SysWOW64\Homfboco.exe, launched as C:\Windows\system32\Homfboco.exe (PID 1528): Drops file in System32 directory
144. C:\Windows\SysWOW64\Igdndl32.exe, launched as C:\Windows\system32\Igdndl32.exe (PID 2700): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
145. C:\Windows\SysWOW64\Ijbjpg32.exe, launched as C:\Windows\system32\Ijbjpg32.exe (PID 2292): Modifies registry class
146. C:\Windows\SysWOW64\Iiekkdjo.exe, launched as C:\Windows\system32\Iiekkdjo.exe (PID 336): Modifies registry class
147. C:\Windows\SysWOW64\Imaglc32.exe, launched as C:\Windows\system32\Imaglc32.exe (PID 572)
148. C:\Windows\SysWOW64\Ioochn32.exe, launched as C:\Windows\system32\Ioochn32.exe (PID 876)
149. C:\Windows\SysWOW64\Ickoimie.exe, launched as C:\Windows\system32\Ickoimie.exe (PID 2444)
150. C:\Windows\SysWOW64\Ifikehii.exe, launched as C:\Windows\system32\Ifikehii.exe (PID 2240): System Location Discovery: System Language Discovery
151. C:\Windows\SysWOW64\Iihgadhl.exe, launched as C:\Windows\system32\Iihgadhl.exe (PID 272): Modifies registry class
152. C:\Windows\SysWOW64\Imccab32.exe, launched as C:\Windows\system32\Imccab32.exe (PID 2296)
153. C:\Windows\SysWOW64\Ikfdmogp.exe, launched as C:\Windows\system32\Ikfdmogp.exe (PID 884)
154. C:\Windows\SysWOW64\Icmlnmgb.exe, launched as C:\Windows\system32\Icmlnmgb.exe (PID 1624)
155. C:\Windows\SysWOW64\Ibplji32.exe, launched as C:\Windows\system32\Ibplji32.exe (PID 2848)
156. C:\Windows\SysWOW64\Ieohfemq.exe, launched as C:\Windows\system32\Ieohfemq.exe (PID 1136)
157. C:\Windows\SysWOW64\Iijdfc32.exe, launched as C:\Windows\system32\Iijdfc32.exe (PID 1976)
158. C:\Windows\SysWOW64\Ikhqbo32.exe, launched as C:\Windows\system32\Ikhqbo32.exe (PID 2388): System Location Discovery: System Language Discovery; Modifies registry class
159. C:\Windows\SysWOW64\Iodlcnmf.exe, launched as C:\Windows\system32\Iodlcnmf.exe (PID 776): Adds autorun key to be loaded by Explorer.exe on startup
160. C:\Windows\SysWOW64\Ibbioilj.exe, launched as C:\Windows\system32\Ibbioilj.exe (PID 1796)
161. C:\Windows\SysWOW64\Ifndph32.exe, launched as C:\Windows\system32\Ifndph32.exe (PID 1772): Adds autorun key to be loaded by Explorer.exe on startup
162. C:\Windows\SysWOW64\Iilalc32.exe, launched as C:\Windows\system32\Iilalc32.exe (PID 1988)
163. C:\Windows\SysWOW64\Igoagpja.exe, launched as C:\Windows\system32\Igoagpja.exe (PID 2432): Drops file in System32 directory
164. C:\Windows\SysWOW64\Iniidj32.exe, launched as C:\Windows\system32\Iniidj32.exe (PID 2800): Drops file in System32 directory
165. C:\Windows\SysWOW64\Ibeeeijg.exe, launched as C:\Windows\system32\Ibeeeijg.exe (PID 2912)
166. C:\Windows\SysWOW64\Iecaad32.exe, launched as C:\Windows\system32\Iecaad32.exe (PID 2004)
167. C:\Windows\SysWOW64\Iganmp32.exe, launched as C:\Windows\system32\Iganmp32.exe (PID 2736): Modifies registry class
168. C:\Windows\SysWOW64\Ikmjnnah.exe, launched as C:\Windows\system32\Ikmjnnah.exe (PID 2248)
169. C:\Windows\SysWOW64\Ijpjik32.exe, launched as C:\Windows\system32\Ijpjik32.exe (PID 1248)
170. C:\Windows\SysWOW64\Jnlfjjpl.exe, launched as C:\Windows\system32\Jnlfjjpl.exe (PID 2616)
171. C:\Windows\SysWOW64\Jajbfeop.exe, launched as C:\Windows\system32\Jajbfeop.exe (PID 912): Modifies registry class
172. C:\Windows\SysWOW64\Jeenfd32.exe, launched as C:\Windows\system32\Jeenfd32.exe (PID 2828)
173. C:\Windows\SysWOW64\Jgdkbo32.exe, launched as C:\Windows\system32\Jgdkbo32.exe (PID 2996): System Location Discovery: System Language Discovery
174. C:\Windows\SysWOW64\Jkpfcnoe.exe, launched as C:\Windows\system32\Jkpfcnoe.exe (PID 2112): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
175. C:\Windows\SysWOW64\Jnncoini.exe, launched as C:\Windows\system32\Jnncoini.exe (PID 2740): Drops file in System32 directory
176. C:\Windows\SysWOW64\Jmqckf32.exe, launched as C:\Windows\system32\Jmqckf32.exe (PID 1204)
177. C:\Windows\SysWOW64\Jehklc32.exe, launched as C:\Windows\system32\Jehklc32.exe (PID 2560): Drops file in System32 directory
178. C:\Windows\SysWOW64\Jckkhplq.exe, launched as C:\Windows\system32\Jckkhplq.exe (PID 2836)
179. C:\Windows\SysWOW64\Jfigdl32.exe, launched as C:\Windows\system32\Jfigdl32.exe (PID 800)
180. C:\Windows\SysWOW64\Jjdcdjcm.exe, launched as C:\Windows\system32\Jjdcdjcm.exe (PID 3104): Adds autorun key to be loaded by Explorer.exe on startup
181. C:\Windows\SysWOW64\Jmcpqfba.exe, launched as C:\Windows\system32\Jmcpqfba.exe (PID 3144): Drops file in System32 directory; Modifies registry class
182. C:\Windows\SysWOW64\Jpalmaad.exe, launched as C:\Windows\system32\Jpalmaad.exe (PID 3184)
183. C:\Windows\SysWOW64\Jpalmaad.exe, launched as C:\Windows\system32\Jpalmaad.exe (PID 3212)
184. C:\Windows\SysWOW64\Jgidnobg.exe, launched as C:\Windows\system32\Jgidnobg.exe (PID 3236): Drops file in System32 directory; Modifies registry class
185. C:\Windows\SysWOW64\Jfkdik32.exe, launched as C:\Windows\system32\Jfkdik32.exe (PID 3276): System Location Discovery: System Language Discovery
186. C:\Windows\SysWOW64\Jjgpjjak.exe, launched as C:\Windows\system32\Jjgpjjak.exe (PID 3316): Modifies registry class
187. C:\Windows\SysWOW64\Jijqeg32.exe, launched as C:\Windows\system32\Jijqeg32.exe (PID 3356): System Location Discovery: System Language Discovery
188. C:\Windows\SysWOW64\Jmelfeqn.exe, launched as C:\Windows\system32\Jmelfeqn.exe (PID 3396): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
189. C:\Windows\SysWOW64\Jpdibapb.exe, launched as C:\Windows\system32\Jpdibapb.exe (PID 3440)
190. C:\Windows\SysWOW64\Jbbenlof.exe, launched as C:\Windows\system32\Jbbenlof.exe (PID 3480)
191. C:\Windows\SysWOW64\Jfnaok32.exe, launched as C:\Windows\system32\Jfnaok32.exe (PID 3520)
192. C:\Windows\SysWOW64\Jilmkffb.exe, launched as C:\Windows\system32\Jilmkffb.exe (PID 3560)
193. C:\Windows\SysWOW64\Jmhile32.exe, launched as C:\Windows\system32\Jmhile32.exe (PID 3600): Drops file in System32 directory
194. C:\Windows\SysWOW64\Jpfehq32.exe, launched as C:\Windows\system32\Jpfehq32.exe (PID 3640): System Location Discovery: System Language Discovery
195. C:\Windows\SysWOW64\Jcaahofh.exe, launched as C:\Windows\system32\Jcaahofh.exe (PID 3680)
196. C:\Windows\SysWOW64\Jbdadl32.exe, launched as C:\Windows\system32\Jbdadl32.exe (PID 3720)
197. C:\Windows\SysWOW64\Jecnpg32.exe, launched as C:\Windows\system32\Jecnpg32.exe (PID 3760)
198. C:\Windows\SysWOW64\Kmjfae32.exe, launched as C:\Windows\system32\Kmjfae32.exe (PID 3800): Drops file in System32 directory
199. C:\Windows\SysWOW64\Klmfmacc.exe, launched as C:\Windows\system32\Klmfmacc.exe (PID 3840)
200. C:\Windows\SysWOW64\Knkbimbg.exe, launched as C:\Windows\system32\Knkbimbg.exe (PID 3880)
201. C:\Windows\SysWOW64\Kbgnil32.exe, launched as C:\Windows\system32\Kbgnil32.exe (PID 3920): Drops file in System32 directory
202. C:\Windows\SysWOW64\Keekeg32.exe, launched as C:\Windows\system32\Keekeg32.exe (PID 3960): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
203. C:\Windows\SysWOW64\Kiafff32.exe, launched as C:\Windows\system32\Kiafff32.exe (PID 4000): Drops file in System32 directory; System Location Discovery: System Language Discovery
204. C:\Windows\SysWOW64\Klocba32.exe, launched as C:\Windows\system32\Klocba32.exe (PID 4040): Modifies registry class
205. C:\Windows\SysWOW64\Kpkocpjj.exe, launched as C:\Windows\system32\Kpkocpjj.exe (PID 4080): Drops file in System32 directory; System Location Discovery: System Language Discovery
206. C:\Windows\SysWOW64\Kbikokin.exe, launched as C:\Windows\system32\Kbikokin.exe (PID 3096)
207. C:\Windows\SysWOW64\Kehgkgha.exe, launched as C:\Windows\system32\Kehgkgha.exe (PID 3152): Adds autorun key to be loaded by Explorer.exe on startup
208. C:\Windows\SysWOW64\Kiccle32.exe, launched as C:\Windows\system32\Kiccle32.exe (PID 3196)
209. C:\Windows\SysWOW64\Klapha32.exe, launched as C:\Windows\system32\Klapha32.exe (PID 3260): Adds autorun key to be loaded by Explorer.exe on startup
210. C:\Windows\SysWOW64\Kjdpcnfi.exe, launched as C:\Windows\system32\Kjdpcnfi.exe (PID 3308): Drops file in System32 directory
211. C:\Windows\SysWOW64\Kblhdkgk.exe, launched as C:\Windows\system32\Kblhdkgk.exe (PID 3364)
212. C:\Windows\SysWOW64\Kanhph32.exe, launched as C:\Windows\system32\Kanhph32.exe (PID 3412)
213. C:\Windows\SysWOW64\Kejdqffo.exe, launched as C:\Windows\system32\Kejdqffo.exe (PID 3452): Adds autorun key to be loaded by Explorer.exe on startup
214. C:\Windows\SysWOW64\Khhpmbeb.exe, launched as C:\Windows\system32\Khhpmbeb.exe (PID 3516): Drops file in System32 directory
215. C:\Windows\SysWOW64\Kkglim32.exe, launched as C:\Windows\system32\Kkglim32.exe (PID 3556): Drops file in System32 directory
216. C:\Windows\SysWOW64\Kmeiei32.exe, launched as C:\Windows\system32\Kmeiei32.exe (PID 3616)
217. C:\Windows\SysWOW64\Kaaeegkc.exe, launched as C:\Windows\system32\Kaaeegkc.exe (PID 3652)
-
C:\Windows\SysWOW64\Kelqff32.exeC:\Windows\system32\Kelqff32.exe218⤵PID:3712
-
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe219⤵PID:3756
-
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe220⤵PID:3812
-
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe221⤵PID:3848
-
C:\Windows\SysWOW64\Kmgekh32.exeC:\Windows\system32\Kmgekh32.exe222⤵PID:3872
-
C:\Windows\SysWOW64\Kacakgip.exeC:\Windows\system32\Kacakgip.exe223⤵
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe224⤵PID:3976
-
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe225⤵PID:4024
-
C:\Windows\SysWOW64\Lgpjcnhh.exeC:\Windows\system32\Lgpjcnhh.exe226⤵PID:4068
-
C:\Windows\SysWOW64\Linfpi32.exeC:\Windows\system32\Linfpi32.exe227⤵PID:3112
-
C:\Windows\SysWOW64\Laenqg32.exeC:\Windows\system32\Laenqg32.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3168 -
C:\Windows\SysWOW64\Lphnlcnh.exeC:\Windows\system32\Lphnlcnh.exe229⤵PID:3248
-
C:\Windows\SysWOW64\Lddjmb32.exeC:\Windows\system32\Lddjmb32.exe230⤵
- Modifies registry class
PID:3300 -
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe231⤵PID:3376
-
C:\Windows\SysWOW64\Lknbjlnn.exeC:\Windows\system32\Lknbjlnn.exe232⤵
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Liqcei32.exeC:\Windows\system32\Liqcei32.exe233⤵
- Drops file in System32 directory
PID:3496 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe234⤵
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Lpkkbcle.exeC:\Windows\system32\Lpkkbcle.exe235⤵PID:3612
-
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe236⤵PID:3688
-
C:\Windows\SysWOW64\Lgdcom32.exeC:\Windows\system32\Lgdcom32.exe237⤵PID:3744
-
C:\Windows\SysWOW64\Licpki32.exeC:\Windows\system32\Licpki32.exe238⤵PID:3796
-
C:\Windows\SysWOW64\Llalgdbj.exeC:\Windows\system32\Llalgdbj.exe239⤵
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Windows\SysWOW64\Lophcpam.exeC:\Windows\system32\Lophcpam.exe240⤵PID:3948
-
C:\Windows\SysWOW64\Lckdcn32.exeC:\Windows\system32\Lckdcn32.exe241⤵PID:4020
-
C:\Windows\SysWOW64\Lggpdmap.exeC:\Windows\system32\Lggpdmap.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4060