Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 11:12
Static task
static1
Behavioral task
behavioral1
Sample
Trojan.Win32.Cerber.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Trojan.Win32.Cerber.exe
Resource
win10v2004-20240802-en
General
-
Target
Trojan.Win32.Cerber.exe
-
Size
80KB
-
MD5
47392928d933392cf8a6966163c70fd0
-
SHA1
8f567204f8be07bc083ced872177d713822f727b
-
SHA256
eee4dbe01a4a6541aa2f2c4797e4eebf217c1e8f75cb69ae108f9952910546b1
-
SHA512
ea5f8416032ecde13d533b30628ca07195ff540540b8d436c9b382ff6c96b8008509d3f7bf74d457d44a7a41fe9faf14fa8d9abee7e920cdc87a5723a2107d6f
-
SSDEEP
1536:8TbYyS8OF2l8K1V+3DURqJIFvJokqGQ2LcaIZTJ+7LhkiB0:8TbYYO2l8K1V6DUkJI3vqGcaMU7ui
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ajckij32.exeQoifflkg.exeGnjjfegi.exeHdkidohn.exeIgigla32.exeMaiccajf.exeBheplb32.exeAqaffn32.exeCmniml32.exeDjjebh32.exeBlgifbil.exeLnjgfb32.exeOofaiokl.exeCglgjeci.exeDdcqedkk.exeHkbdki32.exePoajkgnc.exeAojlaeei.exeLggldm32.exeAgglboim.exeBmomlnjk.exeGkgeoklj.exeBhoqeibl.exeGfmojenc.exeMnhkbfme.exeMnpabe32.exeMpnnle32.exePdhbmh32.exeGikdkj32.exeAepefb32.exeBcahmb32.exePonfka32.exeGnfhfl32.exeGojnko32.exeAanbhp32.exeDkdliame.exeGmbmkpie.exeJkimho32.exeLlodgnja.exeIndfca32.exeJnhpoamf.exeDndnpf32.exeMhdjehhj.exeFiliii32.exeJniood32.exeOljaccjf.exeFhmigagd.exeIphioh32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoifflkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjjfegi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igigla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqaffn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djjebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglgjeci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcqedkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggldm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agglboim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgeoklj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoqeibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmojenc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpnnle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhbmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepefb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfhfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Indfca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdjehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jniood32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphioh32.exe -
Executes dropped EXE 64 IoCs
Processes:
Ajanck32.exeAqkgpedc.exeAdgbpc32.exeAjckij32.exeAmbgef32.exeAgglboim.exeAjfhnjhq.exeAqppkd32.exeAgjhgngj.exeAmgapeea.exeAabmqd32.exeAfoeiklb.exeAnfmjhmd.exeAepefb32.exeBfabnjjp.exeBagflcje.exeBfdodjhm.exeBmngqdpj.exeBchomn32.exeBffkij32.exeBjagjhnc.exeBcjlcn32.exeBfhhoi32.exeBmbplc32.exeBjfaeh32.exeBelebq32.exeCjinkg32.exeCdabcm32.exeCdcoim32.exeCnicfe32.exeCjpckf32.exeCffdpghg.exeDdjejl32.exeDopigd32.exeDejacond.exeDjgjlelk.exeDmefhako.exeDhkjej32.exeDodbbdbb.exeDdakjkqi.exeDogogcpo.exeDeagdn32.exeDgbdlf32.exeEdfdej32.exeEkpmbddq.exeEajeon32.exeEdhakj32.exeEmaedo32.exeEdknqiho.exeEkefmc32.exeEejjjl32.exeEglgbdep.exeEmeoooml.exeEgnchd32.exeEoekia32.exeFeocelll.exeFkllnbjc.exeFoghnabl.exeFeapkk32.exeFhpmgg32.exeFknicb32.exeFnmepn32.exeFahaplon.exeFhbimf32.exepid process 1188 Ajanck32.exe 3924 Aqkgpedc.exe 3964 Adgbpc32.exe 3256 Ajckij32.exe 4448 Ambgef32.exe 3776 Agglboim.exe 2448 Ajfhnjhq.exe 4616 Aqppkd32.exe 3196 Agjhgngj.exe 5024 Amgapeea.exe 2864 Aabmqd32.exe 3128 Afoeiklb.exe 4564 Anfmjhmd.exe 3764 Aepefb32.exe 4472 Bfabnjjp.exe 2688 Bagflcje.exe 2656 Bfdodjhm.exe 4248 Bmngqdpj.exe 3404 Bchomn32.exe 4988 Bffkij32.exe 3676 Bjagjhnc.exe 3832 Bcjlcn32.exe 3944 Bfhhoi32.exe 744 Bmbplc32.exe 4984 Bjfaeh32.exe 3976 Belebq32.exe 1264 Cjinkg32.exe 4060 Cdabcm32.exe 2436 Cdcoim32.exe 5048 Cnicfe32.exe 2012 Cjpckf32.exe 4560 Cffdpghg.exe 1952 Ddjejl32.exe 4204 Dopigd32.exe 2192 Dejacond.exe 932 Djgjlelk.exe 1576 Dmefhako.exe 2840 Dhkjej32.exe 1384 Dodbbdbb.exe 1476 Ddakjkqi.exe 2484 Dogogcpo.exe 844 Deagdn32.exe 1524 Dgbdlf32.exe 2052 Edfdej32.exe 3552 Ekpmbddq.exe 1596 Eajeon32.exe 5080 Edhakj32.exe 2260 Emaedo32.exe 4392 Edknqiho.exe 2992 Ekefmc32.exe 1588 Eejjjl32.exe 1928 Eglgbdep.exe 4180 Emeoooml.exe 4364 Egnchd32.exe 220 Eoekia32.exe 4580 Feocelll.exe 1512 Fkllnbjc.exe 2928 Foghnabl.exe 1516 Feapkk32.exe 2692 Fhpmgg32.exe 5108 Fknicb32.exe 1260 Fnmepn32.exe 3100 Fahaplon.exe 432 Fhbimf32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mejpje32.exeMqfpckhm.exeEmdajb32.exeKqphfe32.exeIahlcaol.exeGjfnedho.exeJnhidk32.exeMkmkkjko.exeEdknqiho.exeGhpocngo.exeGmiclo32.exeMkohaj32.exeIojbpo32.exeLnjgfb32.exeJkimho32.exeQhmqdemc.exeJphkkpbp.exeOhjlgefb.exeCjomap32.exeAjckij32.exeCglgjeci.exeMniallpq.exeLihfcm32.exeMfjcnold.exePlndcl32.exeCkpbnb32.exeDpbdopck.exeMchppmij.exeFlpmagqi.exeAjhniccb.exeDjfcaohp.exeGphgbafl.exeFnobem32.exeCfcjfk32.exeMifcejnj.exeAednci32.exeFflohaij.exeGekcaj32.exeJgdhgmep.exeGnkaalkd.exeKodnmkap.exeJbbfdfkn.exeBfpdin32.exeKeqdmihc.exePefhlaie.exedescription ioc process File created C:\Windows\SysWOW64\Mhilfa32.exe Mejpje32.exe File opened for modification C:\Windows\SysWOW64\Nbbeml32.exe File opened for modification C:\Windows\SysWOW64\Egened32.exe File opened for modification C:\Windows\SysWOW64\Pmkofa32.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Mqfpckhm.exe File created C:\Windows\SysWOW64\Cnocia32.dll File opened for modification C:\Windows\SysWOW64\Dinael32.exe File created C:\Windows\SysWOW64\Lagajn32.dll Emdajb32.exe File created C:\Windows\SysWOW64\Nbkdke32.dll Kqphfe32.exe File opened for modification C:\Windows\SysWOW64\Ihbdplfi.exe Iahlcaol.exe File created C:\Windows\SysWOW64\Oeddnh32.dll Gjfnedho.exe File opened for modification C:\Windows\SysWOW64\Jdaaaeqg.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Jheldb32.dll Mkmkkjko.exe File created C:\Windows\SysWOW64\Edfknb32.exe File created C:\Windows\SysWOW64\Haojfo32.dll Edknqiho.exe File opened for modification C:\Windows\SysWOW64\Gknkpjfb.exe Ghpocngo.exe File created C:\Windows\SysWOW64\Biepfnpi.dll File opened for modification C:\Windows\SysWOW64\Gphphj32.exe Gmiclo32.exe File opened for modification C:\Windows\SysWOW64\Mjahlgpf.exe Mkohaj32.exe File opened for modification C:\Windows\SysWOW64\Iedjmioj.exe Iojbpo32.exe File created C:\Windows\SysWOW64\Ombnni32.dll Lnjgfb32.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe File created C:\Windows\SysWOW64\Mbdiknlb.exe File opened for modification C:\Windows\SysWOW64\Jnhidk32.exe Jkimho32.exe File created C:\Windows\SysWOW64\Imakphnc.dll Qhmqdemc.exe File created C:\Windows\SysWOW64\Jedccfqg.exe Jphkkpbp.exe File opened for modification C:\Windows\SysWOW64\Doccpcja.exe File created C:\Windows\SysWOW64\Opadhb32.exe Ohjlgefb.exe File created C:\Windows\SysWOW64\Bilqdmae.dll Cjomap32.exe File created C:\Windows\SysWOW64\Nmfmde32.exe File opened for modification C:\Windows\SysWOW64\Djegekil.exe File opened for modification C:\Windows\SysWOW64\Ambgef32.exe Ajckij32.exe File created C:\Windows\SysWOW64\Cfogeb32.exe Cglgjeci.exe File created C:\Windows\SysWOW64\Mecjif32.exe Mniallpq.exe File opened for modification C:\Windows\SysWOW64\Dqpfmlce.exe File created C:\Windows\SysWOW64\Eklajcmc.exe File created C:\Windows\SysWOW64\Jhgiim32.exe File opened for modification C:\Windows\SysWOW64\Llgcph32.exe Lihfcm32.exe File opened for modification C:\Windows\SysWOW64\Nhlpfgbb.exe Mfjcnold.exe File created C:\Windows\SysWOW64\Hejkiial.dll Plndcl32.exe File created C:\Windows\SysWOW64\Ccgjopal.exe Ckpbnb32.exe File created C:\Windows\SysWOW64\Dcnqpo32.exe Dpbdopck.exe File created C:\Windows\SysWOW64\Mkohaj32.exe Mchppmij.exe File created C:\Windows\SysWOW64\Fbjena32.exe Flpmagqi.exe File opened for modification C:\Windows\SysWOW64\Aqaffn32.exe Ajhniccb.exe File created C:\Windows\SysWOW64\Dapkni32.exe Djfcaohp.exe File created C:\Windows\SysWOW64\Kopapk32.dll Gphgbafl.exe File created C:\Windows\SysWOW64\Fgiaemic.exe File opened for modification C:\Windows\SysWOW64\Fdijbg32.exe Fnobem32.exe File created C:\Windows\SysWOW64\Njoddaaj.dll Cfcjfk32.exe File created C:\Windows\SysWOW64\Gfameb32.dll Mifcejnj.exe File opened for modification C:\Windows\SysWOW64\Alnfpcag.exe Aednci32.exe File created C:\Windows\SysWOW64\Ahoemi32.dll Fflohaij.exe File created C:\Windows\SysWOW64\Hnphoj32.exe File created C:\Windows\SysWOW64\Bocbindj.dll Gekcaj32.exe File created C:\Windows\SysWOW64\Jnnpdg32.exe Jgdhgmep.exe File created C:\Windows\SysWOW64\Gafmaj32.exe Gnkaalkd.exe File created C:\Windows\SysWOW64\Mnkggfkb.exe Mkmkkjko.exe File created C:\Windows\SysWOW64\Eelche32.dll Kodnmkap.exe File created C:\Windows\SysWOW64\Lnedgk32.dll File created C:\Windows\SysWOW64\Mgdbei32.dll Jbbfdfkn.exe File opened for modification C:\Windows\SysWOW64\Bhoqeibl.exe Bfpdin32.exe File created C:\Windows\SysWOW64\Ihqiqn32.dll Keqdmihc.exe File created C:\Windows\SysWOW64\Ilkibdpe.dll Pefhlaie.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 13304 13256 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Lfjfecno.exeHhihdcbp.exeIdjlpc32.exeCglgjeci.exeOiknlagg.exeNibbqicm.exeFknbil32.exeHpfcdojl.exeHkfglb32.exeMcecjmkl.exeGnhnaf32.exePllgnl32.exeQcclld32.exeCmflbf32.exeJjoiil32.exeGfdfgiid.exeJkomneim.exeQeodhjmo.exeLfbped32.exeLblaabdp.exeDdcqedkk.exeBhoqeibl.exeIdkkpf32.exeAlkijdci.exeEifaim32.exeFamjkl32.exeNbadcpbh.exeKenggi32.exeLgepom32.exeCljobphg.exeMqdcnl32.exeOohgdhfn.exeEciplm32.exeGikkfqmf.exeJjafok32.exePlndcl32.exeCfcjfk32.exeAompak32.exeMngegmbc.exeHdjbiheb.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhihdcbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idjlpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglgjeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibbqicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fknbil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfcdojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcecjmkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhnaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmflbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdfgiid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkomneim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblaabdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcqedkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhoqeibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famjkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbadcpbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljobphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eciplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikkfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjafok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcjfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aompak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjbiheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Gnhdkl32.exeDbcmakpl.exeMhbmphjm.exeFagjfflb.exeDbkqfe32.exeCffdpghg.exeKbpbed32.exeEfpomccg.exeKefdbo32.exeNookip32.exeBfjnjcni.exeFjmkoeqi.exeIcknfcol.exeLggldm32.exeGhhhcomg.exeBohibc32.exeOlgemcli.exeNmlddqem.exeKlfjijgq.exeLieccf32.exeDigehphc.exeEnpmld32.exeFknicb32.exeDjfcaohp.exeOdmbaj32.exeBmomlnjk.exeIjcahd32.exeIgdnabjh.exeKnbbep32.exeDjcoai32.exeCjinkg32.exeMbjnbqhp.exeOllnhb32.exePgbbek32.exeJjoiil32.exeCdbfab32.exeBihjfnmm.exeFiliii32.exeFimodc32.exeKqmkae32.exeFamjkl32.exeCimmggfl.exeJgadgf32.exeMnkggfkb.exeDmlkhofd.exeHbhboolf.exeLnjgfb32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnhdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agolng32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmmkl32.dll" Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagjfflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poigcbng.dll" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll" Cffdpghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofoidko.dll" Kbpbed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efpomccg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefdbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieefiiml.dll" Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fliabjbh.dll" Bfjnjcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkecidg.dll" Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflhb32.dll" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lggldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhhcomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhilkd.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgemcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfjijgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnhqepf.dll" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fknicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmomlnjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgamkhq.dll" Igdnabjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmped32.dll" Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebncn32.dll" Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbplbf32.dll" Mbjnbqhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opakdijo.dll" Ollnhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffangg32.dll" Pgbbek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafipibl.dll" Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojmqe32.dll" Cdbfab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbmonhi.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjddk32.dll" Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekpedip.dll" Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophkojl.dll" Kqmkae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghklqmm.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgadgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbobmnod.dll" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadgkdb.dll" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnjgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Trojan.Win32.Cerber.exeAjanck32.exeAqkgpedc.exeAdgbpc32.exeAjckij32.exeAmbgef32.exeAgglboim.exeAjfhnjhq.exeAqppkd32.exeAgjhgngj.exeAmgapeea.exeAabmqd32.exeAfoeiklb.exeAnfmjhmd.exeAepefb32.exeBfabnjjp.exeBagflcje.exeBfdodjhm.exeBmngqdpj.exeBchomn32.exeBffkij32.exeBjagjhnc.exedescription pid process target process PID 4956 wrote to memory of 1188 4956 Trojan.Win32.Cerber.exe Ajanck32.exe PID 4956 wrote to memory of 1188 4956 Trojan.Win32.Cerber.exe Ajanck32.exe PID 4956 wrote to memory of 1188 4956 Trojan.Win32.Cerber.exe Ajanck32.exe PID 1188 wrote to memory of 3924 1188 Ajanck32.exe Aqkgpedc.exe PID 1188 wrote to memory of 3924 1188 Ajanck32.exe Aqkgpedc.exe PID 1188 wrote to memory of 3924 1188 Ajanck32.exe Aqkgpedc.exe PID 3924 wrote to memory of 3964 3924 Aqkgpedc.exe Adgbpc32.exe PID 3924 wrote to memory of 3964 3924 Aqkgpedc.exe Adgbpc32.exe PID 3924 wrote to memory of 3964 3924 Aqkgpedc.exe Adgbpc32.exe PID 3964 wrote to memory of 3256 3964 Adgbpc32.exe Ajckij32.exe PID 3964 wrote to memory of 3256 3964 Adgbpc32.exe Ajckij32.exe PID 3964 wrote to memory of 3256 3964 Adgbpc32.exe Ajckij32.exe PID 3256 wrote to memory of 4448 3256 Ajckij32.exe Ambgef32.exe PID 3256 wrote to memory of 4448 3256 Ajckij32.exe Ambgef32.exe PID 3256 wrote to memory of 4448 3256 Ajckij32.exe Ambgef32.exe PID 4448 wrote to memory of 3776 4448 Ambgef32.exe Agglboim.exe PID 4448 wrote to memory of 3776 4448 Ambgef32.exe Agglboim.exe PID 4448 wrote to memory of 3776 4448 Ambgef32.exe Agglboim.exe PID 3776 wrote to memory of 2448 3776 Agglboim.exe Ajfhnjhq.exe PID 3776 wrote to memory of 2448 3776 Agglboim.exe Ajfhnjhq.exe PID 3776 wrote to memory of 2448 3776 Agglboim.exe Ajfhnjhq.exe PID 2448 wrote to memory of 4616 2448 Ajfhnjhq.exe Aqppkd32.exe PID 2448 wrote to memory of 4616 2448 Ajfhnjhq.exe Aqppkd32.exe PID 2448 wrote to memory of 4616 2448 Ajfhnjhq.exe Aqppkd32.exe PID 4616 wrote to memory of 3196 4616 Aqppkd32.exe Agjhgngj.exe PID 4616 wrote to memory of 3196 4616 Aqppkd32.exe Agjhgngj.exe PID 4616 wrote to memory of 3196 4616 Aqppkd32.exe Agjhgngj.exe PID 3196 wrote to memory of 5024 3196 Agjhgngj.exe Amgapeea.exe PID 3196 wrote to memory of 5024 3196 Agjhgngj.exe Amgapeea.exe PID 3196 wrote to memory of 5024 3196 Agjhgngj.exe Amgapeea.exe PID 5024 wrote to memory of 2864 5024 Amgapeea.exe Aabmqd32.exe PID 5024 wrote to memory of 2864 5024 Amgapeea.exe Aabmqd32.exe PID 5024 wrote to memory of 2864 5024 Amgapeea.exe Aabmqd32.exe PID 2864 wrote to memory of 3128 2864 Aabmqd32.exe Afoeiklb.exe PID 2864 wrote to memory of 3128 2864 Aabmqd32.exe Afoeiklb.exe PID 2864 wrote to memory of 3128 2864 Aabmqd32.exe Afoeiklb.exe PID 3128 wrote to memory of 4564 3128 Afoeiklb.exe Anfmjhmd.exe PID 3128 wrote to memory of 4564 3128 Afoeiklb.exe Anfmjhmd.exe PID 3128 wrote to memory of 4564 3128 Afoeiklb.exe Anfmjhmd.exe PID 4564 wrote to memory of 3764 4564 Anfmjhmd.exe Aepefb32.exe PID 4564 wrote to memory of 3764 4564 Anfmjhmd.exe Aepefb32.exe PID 4564 wrote to memory of 3764 4564 Anfmjhmd.exe Aepefb32.exe PID 3764 wrote to memory of 4472 3764 Aepefb32.exe Bfabnjjp.exe PID 3764 wrote to memory of 4472 3764 Aepefb32.exe Bfabnjjp.exe PID 3764 wrote to memory of 4472 3764 Aepefb32.exe Bfabnjjp.exe PID 4472 wrote to memory of 2688 4472 Bfabnjjp.exe Bagflcje.exe PID 4472 wrote to memory of 2688 4472 Bfabnjjp.exe Bagflcje.exe PID 4472 wrote to memory of 2688 4472 Bfabnjjp.exe Bagflcje.exe PID 2688 wrote to memory of 2656 2688 Bagflcje.exe Bfdodjhm.exe PID 2688 wrote to memory of 2656 2688 Bagflcje.exe Bfdodjhm.exe PID 2688 wrote to memory of 2656 2688 Bagflcje.exe Bfdodjhm.exe PID 2656 wrote to memory of 4248 2656 Bfdodjhm.exe Bmngqdpj.exe PID 2656 wrote to memory of 4248 2656 Bfdodjhm.exe Bmngqdpj.exe PID 2656 wrote to memory of 4248 2656 Bfdodjhm.exe Bmngqdpj.exe PID 4248 wrote to memory of 3404 4248 Bmngqdpj.exe Bchomn32.exe PID 4248 wrote to memory of 3404 4248 Bmngqdpj.exe Bchomn32.exe PID 4248 wrote to memory of 3404 4248 Bmngqdpj.exe Bchomn32.exe PID 3404 wrote to memory of 4988 3404 Bchomn32.exe Bffkij32.exe PID 3404 wrote to memory of 4988 3404 Bchomn32.exe Bffkij32.exe PID 3404 wrote to memory of 4988 3404 Bchomn32.exe Bffkij32.exe PID 4988 wrote to memory of 3676 4988 Bffkij32.exe Bjagjhnc.exe PID 4988 wrote to memory of 3676 4988 Bffkij32.exe Bjagjhnc.exe PID 4988 wrote to memory of 3676 4988 Bffkij32.exe Bjagjhnc.exe PID 3676 wrote to memory of 3832 3676 Bjagjhnc.exe Bcjlcn32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe23⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe24⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe25⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe26⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe27⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1264 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe29⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe30⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe31⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe32⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe34⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe35⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe36⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe37⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe38⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe39⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe40⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe41⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe42⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe43⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe44⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe45⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe46⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe47⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe48⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe49⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4392 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe51⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe52⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe53⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe54⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe55⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe56⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe57⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe58⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe59⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe60⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe61⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe63⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe64⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe65⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe66⤵PID:4200
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe67⤵
- Drops file in System32 directory
PID:372 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe68⤵PID:2336
-
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe69⤵PID:3244
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe70⤵PID:772
-
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe72⤵PID:756
-
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe73⤵PID:3636
-
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe74⤵PID:3700
-
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe75⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe76⤵PID:1628
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe77⤵PID:4528
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe79⤵PID:3152
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe80⤵PID:4848
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe81⤵PID:2504
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe82⤵PID:2492
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe83⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe84⤵PID:1736
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe85⤵PID:2288
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe86⤵PID:2400
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe87⤵PID:2804
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe88⤵
- Drops file in System32 directory
PID:3216 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe89⤵PID:1068
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe90⤵PID:4496
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe91⤵PID:2536
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4920 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe93⤵PID:1080
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe94⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe95⤵PID:2380
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe96⤵PID:4684
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe97⤵PID:2228
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe98⤵PID:4680
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe99⤵PID:3000
-
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe100⤵PID:4436
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe101⤵PID:4864
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe102⤵PID:1648
-
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe103⤵
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe104⤵PID:752
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe105⤵PID:1600
-
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe106⤵PID:4280
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe107⤵PID:5152
-
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe108⤵PID:5196
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe109⤵PID:5240
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe110⤵PID:5284
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe111⤵PID:5328
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe112⤵PID:5372
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe113⤵PID:5416
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe114⤵PID:5460
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe115⤵PID:5504
-
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5548 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe117⤵PID:5592
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe118⤵PID:5636
-
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe119⤵PID:5680
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe120⤵PID:5724
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe121⤵PID:5768
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe122⤵PID:5812
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe123⤵PID:5856
-
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe124⤵PID:5904
-
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe125⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe126⤵PID:5992
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe127⤵PID:6036
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe128⤵PID:6080
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe129⤵PID:6124
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe130⤵PID:5148
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe131⤵PID:5224
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe132⤵PID:5296
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe133⤵
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe134⤵PID:5432
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe135⤵PID:5512
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe136⤵PID:5584
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe137⤵PID:5652
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe138⤵PID:5716
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe139⤵PID:5784
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe140⤵PID:5848
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe141⤵PID:5916
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe142⤵PID:5976
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe143⤵PID:6048
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe144⤵
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe145⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe146⤵PID:5276
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe147⤵PID:5340
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe148⤵PID:5520
-
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe149⤵PID:5620
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe150⤵PID:5736
-
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe151⤵PID:5840
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe152⤵PID:5936
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe153⤵PID:6008
-
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe154⤵PID:6096
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe155⤵
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe156⤵PID:5388
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe157⤵PID:5564
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe158⤵PID:5688
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe159⤵PID:5912
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe160⤵PID:6000
-
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe161⤵
- System Location Discovery: System Language Discovery
PID:5280 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe162⤵PID:5492
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe163⤵PID:5868
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe164⤵PID:5168
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe165⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe166⤵PID:6064
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe167⤵PID:5872
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe168⤵PID:5500
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe169⤵PID:5204
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe170⤵PID:6160
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe171⤵PID:6204
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe172⤵PID:6248
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe173⤵PID:6292
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe174⤵PID:6336
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe175⤵PID:6380
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe176⤵
- Modifies registry class
PID:6424 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe177⤵PID:6472
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe178⤵PID:6516
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6560 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe180⤵PID:6604
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe181⤵
- Modifies registry class
PID:6648 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe182⤵PID:6692
-
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6736 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe184⤵PID:6780
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe185⤵
- Drops file in System32 directory
PID:6824 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe186⤵PID:6868
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe187⤵
- Drops file in System32 directory
PID:6916 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe188⤵PID:6960
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe189⤵PID:7004
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe190⤵
- System Location Discovery: System Language Discovery
PID:7048 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe191⤵PID:7092
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe192⤵PID:7136
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe193⤵PID:6156
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe194⤵PID:6232
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe195⤵PID:6300
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe196⤵PID:6364
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe197⤵PID:6436
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe198⤵PID:6512
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe199⤵PID:6576
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe200⤵PID:6644
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe201⤵PID:6720
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe202⤵
- System Location Discovery: System Language Discovery
PID:6788 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe203⤵PID:6856
-
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe204⤵
- Modifies registry class
PID:6928 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe205⤵PID:6988
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe206⤵PID:7060
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe207⤵PID:7132
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe208⤵PID:6188
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe209⤵PID:6284
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe210⤵
- Drops file in System32 directory
PID:6416 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe211⤵PID:6528
-
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe212⤵PID:6632
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe213⤵PID:6688
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe214⤵
- Modifies registry class
PID:6832 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6968 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe216⤵PID:7080
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe217⤵PID:6168
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6328 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe219⤵PID:6508
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe220⤵PID:6676
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe221⤵
- Modifies registry class
PID:6836 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe222⤵PID:7032
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe223⤵
- Modifies registry class
PID:6152 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe224⤵PID:6556
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe225⤵PID:6744
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe226⤵PID:1884
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe227⤵PID:6320
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe228⤵PID:6664
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe229⤵PID:6904
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe230⤵PID:6724
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe231⤵PID:6396
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe232⤵PID:6600
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe233⤵PID:7180
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe234⤵PID:7224
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe235⤵PID:7268
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe236⤵PID:7312
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe237⤵PID:7356
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe238⤵PID:7400
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe239⤵PID:7444
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe240⤵PID:7488
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe241⤵PID:7532
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe242⤵PID:7576