Analysis
- max time kernel: 114s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-09-2024 11:13
- Static task: static1
- Behavioral task: behavioral1
  Sample: Trojan.Win32.Cerber.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: Trojan.Win32.Cerber.exe
  Resource: win10v2004-20240802-en
General
- Target: Trojan.Win32.Cerber.exe
- Size: 96KB
- MD5: 799ca486321ad6b357f0be92ea4473d0
- SHA1: 8705fe2570393170bee50c36bff45ae33cac53de
- SHA256: 3bbc9ac9eae4464ee517bfeeb328bb6d4eae87380314791b5bb316d7b55a0828
- SHA512: 41406dc6a565b91d35fbe5ed059c866daf6948f918419d983563fb9c49def2faf59a497a2110c860b91e8b0aa2f562acab93edb9a60a67f91a2da5219017cf07
- SSDEEP: 1536:mBreTZbH5RtzghzRFrwCWlCzzl+PQHnyAPgnDNBrcN4i6tBYuR3PlNPMAZ:gqZRtEVkTQHyAPgxed6BYudlNPMAZ
Malware Config
- Extracted: berbew
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid: 12952, pid_target: 12872, process: WerFault.exe, target process: Mbldhn32.exe
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcogo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agaoca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imcqacfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifmldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egeflakp.dll" Ehbihj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggafgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhackbjl.dll" Gammbfqa.exe -
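The two registry signatures on this page only become a persistence finding when they are joined: the ShellServiceObjectDelayLoad value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the CLSID's InProcServer32 default value names the DLL Explorer will load, which successive processes in the chain keep rewriting to a fresh name under SysWow64. The Python below is an added example, not part of the sandbox report or of the sandbox's own tooling. It parses report lines in the format shown above into records and correlates the SSODL value with the CLSID's InProcServer32 path. The sample lines are copied from this report (two from the autorun-key section, four from the list above); the record field names and the `find_ssodl_persistence` function are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the sandbox report on this page
# (two from the "Adds autorun key" section, four from the "Modifies registry class" list).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eemgkpef.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejgbn32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfpcj32.dll" Gooqfkan.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddekmo32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjpld32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll" Trojan.Win32.Cerber.exe',
]

# Report line shapes: 'Set value (<type>) <key>\<name> = "<value>" <process>'
# and 'Key created <key> <process>'. The key path may contain spaces.
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_line(line):
    """Turn one report line into a record, or None if it is not a registry event."""
    m = SET_RE.match(line)
    if m:
        # A trailing '\' in the path means the key's default value (empty name).
        key, _, name = m["path"].rpartition("\\")
        return {"action": "set", "key": key, "name": name, "value": m["value"], "proc": m["proc"]}
    m = KEY_RE.match(line)
    if m:
        return {"action": "create", "key": m["path"], "name": None, "value": None, "proc": m["proc"]}
    return None


def parse_report(lines):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def find_ssodl_persistence(records):
    """Join ShellServiceObjectDelayLoad values (name -> CLSID) with each CLSID's
    InProcServer32 default value (the DLL Explorer will load for it).
    A CLSID that has both sides is an Explorer-loaded persistence entry."""
    ssodl_names = defaultdict(set)   # clsid -> SSODL value names referencing it
    servers = defaultdict(set)       # clsid -> DLL paths written as InProcServer32 default
    writers = defaultdict(set)       # clsid -> processes that wrote either side
    for r in records:
        if r["action"] != "set":
            continue
        key_l = r["key"].lower()
        if key_l.endswith("\\shellserviceobjectdelayload") and CLSID_RE.fullmatch(r["value"]):
            clsid = r["value"].upper()
            ssodl_names[clsid].add(r["name"])
            writers[clsid].add(r["proc"])
        elif key_l.endswith("\\inprocserver32") and r["name"] == "":
            m = CLSID_RE.search(r["key"])
            if m:
                clsid = m.group(0).upper()
                # The report escapes backslashes inside quoted values; undo that.
                servers[clsid].add(r["value"].replace("\\\\", "\\"))
                writers[clsid].add(r["proc"])
    return [
        {"clsid": c, "ssodl_names": sorted(ssodl_names[c]),
         "dlls": sorted(servers[c]), "writers": sorted(writers[c])}
        for c in sorted(ssodl_names) if c in servers
    ]


if __name__ == "__main__":
    for f in find_ssodl_persistence(parse_report(SAMPLE_LINES)):
        print(f["clsid"], f["ssodl_names"], f["dlls"], f["writers"])
```

Because the report shows the InProcServer32 default being rewritten by many different processes with a different DLL name each time, a hunt on a live host should key on the SSODL value name and the CLSID, not on any single DLL name; the same join applies to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its WOW6432Node view) against HKCR\CLSID\{...}\InProcServer32.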
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Trojan.Win32.Cerber.exe, Clgmkbna.exe, Cfmahknh.exe, Dpefaq32.exe, Debnjgcp.exe, Ddcogo32.exe, Dipgpf32.exe, Ddekmo32.exe, Dibdeegc.exe, Dpllbp32.exe, Deidjf32.exe, Dpoiho32.exe, Dghadidj.exe, Epaemojk.exe, Ecoaijio.exe, Eiijfd32.exe, Egmjpi32.exe, Eilfldoi.exe, Epeohn32.exe, Eebgqe32.exe, Ephlnn32.exe, Eeddfe32.exe
description pid process target process
PID 2096 wrote to memory of 1628 2096 Trojan.Win32.Cerber.exe Clgmkbna.exe
PID 2096 wrote to memory of 1628 2096 Trojan.Win32.Cerber.exe Clgmkbna.exe
PID 2096 wrote to memory of 1628 2096 Trojan.Win32.Cerber.exe Clgmkbna.exe
PID 1628 wrote to memory of 1360 1628 Clgmkbna.exe Cfmahknh.exe
PID 1628 wrote to memory of 1360 1628 Clgmkbna.exe Cfmahknh.exe
PID 1628 wrote to memory of 1360 1628 Clgmkbna.exe Cfmahknh.exe
PID 1360 wrote to memory of 3780 1360 Cfmahknh.exe Dpefaq32.exe
PID 1360 wrote to memory of 3780 1360 Cfmahknh.exe Dpefaq32.exe
PID 1360 wrote to memory of 3780 1360 Cfmahknh.exe Dpefaq32.exe
PID 3780 wrote to memory of 2660 3780 Dpefaq32.exe Debnjgcp.exe
PID 3780 wrote to memory of 2660 3780 Dpefaq32.exe Debnjgcp.exe
PID 3780 wrote to memory of 2660 3780 Dpefaq32.exe Debnjgcp.exe
PID 2660 wrote to memory of 2272 2660 Debnjgcp.exe Ddcogo32.exe
PID 2660 wrote to memory of 2272 2660 Debnjgcp.exe Ddcogo32.exe
PID 2660 wrote to memory of 2272 2660 Debnjgcp.exe Ddcogo32.exe
PID 2272 wrote to memory of 2056 2272 Ddcogo32.exe Dipgpf32.exe
PID 2272 wrote to memory of 2056 2272 Ddcogo32.exe Dipgpf32.exe
PID 2272 wrote to memory of 2056 2272 Ddcogo32.exe Dipgpf32.exe
PID 2056 wrote to memory of 2964 2056 Dipgpf32.exe Ddekmo32.exe
PID 2056 wrote to memory of 2964 2056 Dipgpf32.exe Ddekmo32.exe
PID 2056 wrote to memory of 2964 2056 Dipgpf32.exe Ddekmo32.exe
PID 2964 wrote to memory of 4564 2964 Ddekmo32.exe Dibdeegc.exe
PID 2964 wrote to memory of 4564 2964 Ddekmo32.exe Dibdeegc.exe
PID 2964 wrote to memory of 4564 2964 Ddekmo32.exe Dibdeegc.exe
PID 4564 wrote to memory of 4404 4564 Dibdeegc.exe Dpllbp32.exe
PID 4564 wrote to memory of 4404 4564 Dibdeegc.exe Dpllbp32.exe
PID 4564 wrote to memory of 4404 4564 Dibdeegc.exe Dpllbp32.exe
PID 4404 wrote to memory of 1092 4404 Dpllbp32.exe Deidjf32.exe
PID 4404 wrote to memory of 1092 4404 Dpllbp32.exe Deidjf32.exe
PID 4404 wrote to memory of 1092 4404 Dpllbp32.exe Deidjf32.exe
PID 1092 wrote to memory of 2496 1092 Deidjf32.exe Dpoiho32.exe
PID 1092 wrote to memory of 2496 1092 Deidjf32.exe Dpoiho32.exe
PID 1092 wrote to memory of 2496 1092 Deidjf32.exe Dpoiho32.exe
PID 2496 wrote to memory of 2540 2496 Dpoiho32.exe Dghadidj.exe
PID 2496 wrote to memory of 2540 2496 Dpoiho32.exe Dghadidj.exe
PID 2496 wrote to memory of 2540 2496 Dpoiho32.exe Dghadidj.exe
PID 2540 wrote to memory of 1232 2540 Dghadidj.exe Epaemojk.exe
PID 2540 wrote to memory of 1232 2540 Dghadidj.exe Epaemojk.exe
PID 2540 wrote to memory of 1232 2540 Dghadidj.exe Epaemojk.exe
PID 1232 wrote to memory of 4084 1232 Epaemojk.exe Ecoaijio.exe
PID 1232 wrote to memory of 4084 1232 Epaemojk.exe Ecoaijio.exe
PID 1232 wrote to memory of 4084 1232 Epaemojk.exe Ecoaijio.exe
PID 4084 wrote to memory of 2960 4084 Ecoaijio.exe Eiijfd32.exe
PID 4084 wrote to memory of 2960 4084 Ecoaijio.exe Eiijfd32.exe
PID 4084 wrote to memory of 2960 4084 Ecoaijio.exe Eiijfd32.exe
PID 2960 wrote to memory of 3588 2960 Eiijfd32.exe Egmjpi32.exe
PID 2960 wrote to memory of 3588 2960 Eiijfd32.exe Egmjpi32.exe
PID 2960 wrote to memory of 3588 2960 Eiijfd32.exe Egmjpi32.exe
PID 3588 wrote to memory of 1072 3588 Egmjpi32.exe Eilfldoi.exe
PID 3588 wrote to memory of 1072 3588 Egmjpi32.exe Eilfldoi.exe
PID 3588 wrote to memory of 1072 3588 Egmjpi32.exe Eilfldoi.exe
PID 1072 wrote to memory of 3424 1072 Eilfldoi.exe Epeohn32.exe
PID 1072 wrote to memory of 3424 1072 Eilfldoi.exe Epeohn32.exe
PID 1072 wrote to memory of 3424 1072 Eilfldoi.exe Epeohn32.exe
PID 3424 wrote to memory of 3612 3424 Epeohn32.exe Eebgqe32.exe
PID 3424 wrote to memory of 3612 3424 Epeohn32.exe Eebgqe32.exe
PID 3424 wrote to memory of 3612 3424 Epeohn32.exe Eebgqe32.exe
PID 3612 wrote to memory of 540 3612 Eebgqe32.exe Ephlnn32.exe
PID 3612 wrote to memory of 540 3612 Eebgqe32.exe Ephlnn32.exe
PID 3612 wrote to memory of 540 3612 Eebgqe32.exe Ephlnn32.exe
PID 540 wrote to memory of 5084 540 Ephlnn32.exe Eeddfe32.exe
PID 540 wrote to memory of 5084 540 Ephlnn32.exe Eeddfe32.exe
PID 540 wrote to memory of 5084 540 Ephlnn32.exe Eeddfe32.exe
PID 5084 wrote to memory of 1824 5084 Eeddfe32.exe Enllgbcl.exe
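The 64 WriteProcessMemory entries above record each parent-to-child link three times, and the links form a single line: every process writes into exactly one child, which is the next process in the tree below. The Python below is an added example, not part of the sandbox report or of the sandbox's own tooling: it parses entries in the format shown, collapses the repeats into unique links with a write count, verifies that the result is one linear chain, and returns it in spawn order. The sample text is constructed from the first four links of this report; the `build_chain` helper and its return shape are this example's own.

```python
import re

# Constructed sample: the first four parent->child links of this report's
# WriteProcessMemory list, in the report's own run-on format. The last link
# appears once rather than three times, mirroring where the 64-IoC cap cut off.
SAMPLE_TEXT = (
    "PID 2096 wrote to memory of 1628 2096 Trojan.Win32.Cerber.exe Clgmkbna.exe "
    "PID 2096 wrote to memory of 1628 2096 Trojan.Win32.Cerber.exe Clgmkbna.exe "
    "PID 2096 wrote to memory of 1628 2096 Trojan.Win32.Cerber.exe Clgmkbna.exe "
    "PID 1628 wrote to memory of 1360 1628 Clgmkbna.exe Cfmahknh.exe "
    "PID 1628 wrote to memory of 1360 1628 Clgmkbna.exe Cfmahknh.exe "
    "PID 1628 wrote to memory of 1360 1628 Clgmkbna.exe Cfmahknh.exe "
    "PID 1360 wrote to memory of 3780 1360 Cfmahknh.exe Dpefaq32.exe "
    "PID 1360 wrote to memory of 3780 1360 Cfmahknh.exe Dpefaq32.exe "
    "PID 1360 wrote to memory of 3780 1360 Cfmahknh.exe Dpefaq32.exe "
    "PID 3780 wrote to memory of 2660 3780 Dpefaq32.exe Debnjgcp.exe"
)

# One entry: "PID <ppid> wrote to memory of <cpid> <ppid> <parent image> <child image>".
# The backreference \1 insists the repeated pid column matches the first one.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(text):
    """Return every entry as (parent_pid, child_pid, parent_image, child_image), repeats kept."""
    return [(int(p), int(c), pi, ci) for p, c, pi, ci in WPM_RE.findall(text)]


def build_chain(events):
    """Collapse repeated writes into unique parent->child links (keeping a write count)
    and walk them from the single root into spawn order.
    Returns (chain, writes): chain is [(pid, image), ...] in order,
    writes maps (ppid, cpid) -> number of WriteProcessMemory entries.
    Raises ValueError if the events do not form exactly one linear chain."""
    writes = {}     # (ppid, cpid) -> count
    image = {}      # pid -> image name
    child_of = {}   # ppid -> cpid
    for ppid, cpid, pimg, cimg in events:
        writes[(ppid, cpid)] = writes.get((ppid, cpid), 0) + 1
        image[ppid], image[cpid] = pimg, cimg
        if child_of.get(ppid, cpid) != cpid:
            raise ValueError(f"PID {ppid} writes into more than one child; not a linear chain")
        child_of[ppid] = cpid
    roots = set(child_of) - set(child_of.values())
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {sorted(roots)}")
    pid = roots.pop()
    chain = [(pid, image[pid])]
    while pid in child_of:
        pid = child_of[pid]
        chain.append((pid, image[pid]))
    return chain, writes


if __name__ == "__main__":
    chain, writes = build_chain(parse_wpm(SAMPLE_TEXT))
    for (ppid, cpid), n in writes.items():
        print(f"{ppid} -> {cpid}: {n} write(s)")
    print(" -> ".join(img for _, img in chain))
```

Read the result with the cap in mind: the signature stops at 64 IoCs, so the chain it reconstructs ends at Enllgbcl.exe (PID 1824) even though the process tree below continues to depth 218, and the single write recorded for that last link is the cut-off, not a change in behaviour.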
Processes
(one line per process: position in the spawn chain, image path, command line, PID, and the signatures it triggered; each process starts the next)
#1 | C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe" | PID:2096 | Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
#2 | C:\Windows\SysWOW64\Clgmkbna.exe | cmdline: C:\Windows\system32\Clgmkbna.exe | PID:1628 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#3 | C:\Windows\SysWOW64\Cfmahknh.exe | cmdline: C:\Windows\system32\Cfmahknh.exe | PID:1360 | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
#4 | C:\Windows\SysWOW64\Dpefaq32.exe | cmdline: C:\Windows\system32\Dpefaq32.exe | PID:3780 | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
#5 | C:\Windows\SysWOW64\Debnjgcp.exe | cmdline: C:\Windows\system32\Debnjgcp.exe | PID:2660 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
#6 | C:\Windows\SysWOW64\Ddcogo32.exe | cmdline: C:\Windows\system32\Ddcogo32.exe | PID:2272 | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
#7 | C:\Windows\SysWOW64\Dipgpf32.exe | cmdline: C:\Windows\system32\Dipgpf32.exe | PID:2056 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#8 | C:\Windows\SysWOW64\Ddekmo32.exe | cmdline: C:\Windows\system32\Ddekmo32.exe | PID:2964 | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
#9 | C:\Windows\SysWOW64\Dibdeegc.exe | cmdline: C:\Windows\system32\Dibdeegc.exe | PID:4564 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#10 | C:\Windows\SysWOW64\Dpllbp32.exe | cmdline: C:\Windows\system32\Dpllbp32.exe | PID:4404 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#11 | C:\Windows\SysWOW64\Deidjf32.exe | cmdline: C:\Windows\system32\Deidjf32.exe | PID:1092 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
#12 | C:\Windows\SysWOW64\Dpoiho32.exe | cmdline: C:\Windows\system32\Dpoiho32.exe | PID:2496 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#13 | C:\Windows\SysWOW64\Dghadidj.exe | cmdline: C:\Windows\system32\Dghadidj.exe | PID:2540 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
#14 | C:\Windows\SysWOW64\Epaemojk.exe | cmdline: C:\Windows\system32\Epaemojk.exe | PID:1232 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
#15 | C:\Windows\SysWOW64\Ecoaijio.exe | cmdline: C:\Windows\system32\Ecoaijio.exe | PID:4084 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#16 | C:\Windows\SysWOW64\Eiijfd32.exe | cmdline: C:\Windows\system32\Eiijfd32.exe | PID:2960 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#17 | C:\Windows\SysWOW64\Egmjpi32.exe | cmdline: C:\Windows\system32\Egmjpi32.exe | PID:3588 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
#18 | C:\Windows\SysWOW64\Eilfldoi.exe | cmdline: C:\Windows\system32\Eilfldoi.exe | PID:1072 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#19 | C:\Windows\SysWOW64\Epeohn32.exe | cmdline: C:\Windows\system32\Epeohn32.exe | PID:3424 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
#20 | C:\Windows\SysWOW64\Eebgqe32.exe | cmdline: C:\Windows\system32\Eebgqe32.exe | PID:3612 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
#21 | C:\Windows\SysWOW64\Ephlnn32.exe | cmdline: C:\Windows\system32\Ephlnn32.exe | PID:540 | Executes dropped EXE; Suspicious use of WriteProcessMemory
#22 | C:\Windows\SysWOW64\Eeddfe32.exe | cmdline: C:\Windows\system32\Eeddfe32.exe | PID:5084 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
#23 | C:\Windows\SysWOW64\Enllgbcl.exe | cmdline: C:\Windows\system32\Enllgbcl.exe | PID:1824 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
#24 | C:\Windows\SysWOW64\Edfddl32.exe | cmdline: C:\Windows\system32\Edfddl32.exe | PID:3232 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
#25 | C:\Windows\SysWOW64\Eegqldqg.exe | cmdline: C:\Windows\system32\Eegqldqg.exe | PID:3636 | Executes dropped EXE
#26 | C:\Windows\SysWOW64\Fpmeimpn.exe | cmdline: C:\Windows\system32\Fpmeimpn.exe | PID:3452 | Executes dropped EXE
#27 | C:\Windows\SysWOW64\Flcfnn32.exe | cmdline: C:\Windows\system32\Flcfnn32.exe | PID:1392 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
#28 | C:\Windows\SysWOW64\Fjgfgbek.exe | cmdline: C:\Windows\system32\Fjgfgbek.exe | PID:4428 | Executes dropped EXE; System Location Discovery: System Language Discovery
#29 | C:\Windows\SysWOW64\Fdmjdkda.exe | cmdline: C:\Windows\system32\Fdmjdkda.exe | PID:4744 | Executes dropped EXE
#30 | C:\Windows\SysWOW64\Ffnglc32.exe | cmdline: C:\Windows\system32\Ffnglc32.exe | PID:3260 | Executes dropped EXE
#31 | C:\Windows\SysWOW64\Flhoinbl.exe | cmdline: C:\Windows\system32\Flhoinbl.exe | PID:2184 | Executes dropped EXE; Drops file in System32 directory
#32 | C:\Windows\SysWOW64\Fgpplf32.exe | cmdline: C:\Windows\system32\Fgpplf32.exe | PID:4856 | Executes dropped EXE; Drops file in System32 directory
#33 | C:\Windows\SysWOW64\Gcgqag32.exe | cmdline: C:\Windows\system32\Gcgqag32.exe | PID:3804 | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
#34 | C:\Windows\SysWOW64\Ggdigekj.exe | cmdline: C:\Windows\system32\Ggdigekj.exe | PID:4948 | Executes dropped EXE; Modifies registry class
#35 | C:\Windows\SysWOW64\Gqmnpk32.exe | cmdline: C:\Windows\system32\Gqmnpk32.exe | PID:2252 | Executes dropped EXE; System Location Discovery: System Language Discovery
#36 | C:\Windows\SysWOW64\Gnanioad.exe | cmdline: C:\Windows\system32\Gnanioad.exe | PID:4528 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
#37 | C:\Windows\SysWOW64\Gdkffi32.exe | cmdline: C:\Windows\system32\Gdkffi32.exe | PID:1732 | Executes dropped EXE
#38 | C:\Windows\SysWOW64\Gflcnanp.exe | cmdline: C:\Windows\system32\Gflcnanp.exe | PID:2900 | Executes dropped EXE
#39 | C:\Windows\SysWOW64\Hfnpca32.exe | cmdline: C:\Windows\system32\Hfnpca32.exe | PID:1172 | Executes dropped EXE; Drops file in System32 directory
#40 | C:\Windows\SysWOW64\Hmhhpkcj.exe | cmdline: C:\Windows\system32\Hmhhpkcj.exe | PID:3540 | Executes dropped EXE
#41 | C:\Windows\SysWOW64\Hqddqj32.exe | cmdline: C:\Windows\system32\Hqddqj32.exe | PID:3900 | Executes dropped EXE
#42 | C:\Windows\SysWOW64\Hgnlmdcp.exe | cmdline: C:\Windows\system32\Hgnlmdcp.exe | PID:1144 | Executes dropped EXE; Drops file in System32 directory
#43 | C:\Windows\SysWOW64\Hjlhipbc.exe | cmdline: C:\Windows\system32\Hjlhipbc.exe | PID:4372 | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
#44 | C:\Windows\SysWOW64\Hdbmfhbi.exe | cmdline: C:\Windows\system32\Hdbmfhbi.exe | PID:2480 | Executes dropped EXE
#45 | C:\Windows\SysWOW64\Hnjaonij.exe | cmdline: C:\Windows\system32\Hnjaonij.exe | PID:1592 | Executes dropped EXE
#46 | C:\Windows\SysWOW64\Hgbfhc32.exe | cmdline: C:\Windows\system32\Hgbfhc32.exe | PID:2008 | Executes dropped EXE
#47 | C:\Windows\SysWOW64\Hcifmdeo.exe | cmdline: C:\Windows\system32\Hcifmdeo.exe | PID:4160 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
#48 | C:\Windows\SysWOW64\Hmbkfjko.exe | cmdline: C:\Windows\system32\Hmbkfjko.exe | PID:516 | Executes dropped EXE
#49 | C:\Windows\SysWOW64\Idkpmgjo.exe | cmdline: C:\Windows\system32\Idkpmgjo.exe | PID:3344 | Executes dropped EXE
#50 | C:\Windows\SysWOW64\Ifmldo32.exe | cmdline: C:\Windows\system32\Ifmldo32.exe | PID:4604 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
#51 | C:\Windows\SysWOW64\Ienlbf32.exe | cmdline: C:\Windows\system32\Ienlbf32.exe | PID:652 | Executes dropped EXE
#52 | C:\Windows\SysWOW64\Icqmncof.exe | cmdline: C:\Windows\system32\Icqmncof.exe | PID:1156 | Executes dropped EXE; Drops file in System32 directory
#53 | C:\Windows\SysWOW64\Imiagi32.exe | cmdline: C:\Windows\system32\Imiagi32.exe | PID:4952 | Executes dropped EXE
#54 | C:\Windows\SysWOW64\Ijmapm32.exe | cmdline: C:\Windows\system32\Ijmapm32.exe | PID:116 | Executes dropped EXE
#55 | C:\Windows\SysWOW64\Imknli32.exe | cmdline: C:\Windows\system32\Imknli32.exe | PID:3248 | Executes dropped EXE; Modifies registry class
#56 | C:\Windows\SysWOW64\Ifcben32.exe | cmdline: C:\Windows\system32\Ifcben32.exe | PID:3052 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
#57 | C:\Windows\SysWOW64\Inkjfk32.exe | cmdline: C:\Windows\system32\Inkjfk32.exe | PID:5008 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
#58 | C:\Windows\SysWOW64\Iaifbg32.exe | cmdline: C:\Windows\system32\Iaifbg32.exe | PID:928 | Executes dropped EXE
#59 | C:\Windows\SysWOW64\Jmpgghoo.exe | cmdline: C:\Windows\system32\Jmpgghoo.exe | PID:4124 | Executes dropped EXE
#60 | C:\Windows\SysWOW64\Jegohe32.exe | cmdline: C:\Windows\system32\Jegohe32.exe | PID:4572 | Executes dropped EXE
#61 | C:\Windows\SysWOW64\Jjdgal32.exe | cmdline: C:\Windows\system32\Jjdgal32.exe | PID:2448 | Executes dropped EXE
#62 | C:\Windows\SysWOW64\Janpnfee.exe | cmdline: C:\Windows\system32\Janpnfee.exe | PID:3604 | Executes dropped EXE
#63 | C:\Windows\SysWOW64\Jclljaei.exe | cmdline: C:\Windows\system32\Jclljaei.exe | PID:2728 | Executes dropped EXE
#64 | C:\Windows\SysWOW64\Jjfdfl32.exe | cmdline: C:\Windows\system32\Jjfdfl32.exe | PID:4896 | Executes dropped EXE; Drops file in System32 directory
#65 | C:\Windows\SysWOW64\Japmcfcc.exe | cmdline: C:\Windows\system32\Japmcfcc.exe | PID:972 | Executes dropped EXE; System Location Discovery: System Language Discovery
#66 | C:\Windows\SysWOW64\Jcoioabf.exe | cmdline: C:\Windows\system32\Jcoioabf.exe | PID:4300
#67 | C:\Windows\SysWOW64\Jjhalkjc.exe | cmdline: C:\Windows\system32\Jjhalkjc.exe | PID:3004 | Adds autorun key to be loaded by Explorer.exe on startup
#68 | C:\Windows\SysWOW64\Jmgmhgig.exe | cmdline: C:\Windows\system32\Jmgmhgig.exe | PID:4476 | System Location Discovery: System Language Discovery
#69 | C:\Windows\SysWOW64\Jfoaam32.exe | cmdline: C:\Windows\system32\Jfoaam32.exe | PID:4688
#70 | C:\Windows\SysWOW64\Jnfjbj32.exe | cmdline: C:\Windows\system32\Jnfjbj32.exe | PID:1004
#71 | C:\Windows\SysWOW64\Kccbjq32.exe | cmdline: C:\Windows\system32\Kccbjq32.exe | PID:3536
#72 | C:\Windows\SysWOW64\Kjmjgk32.exe | cmdline: C:\Windows\system32\Kjmjgk32.exe | PID:5132
#73 | C:\Windows\SysWOW64\Kmlgcf32.exe | cmdline: C:\Windows\system32\Kmlgcf32.exe | PID:5176
#74 | C:\Windows\SysWOW64\Kceoppmo.exe | cmdline: C:\Windows\system32\Kceoppmo.exe | PID:5228
#75 | C:\Windows\SysWOW64\Kfdklllb.exe | cmdline: C:\Windows\system32\Kfdklllb.exe | PID:5268 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
#76 | C:\Windows\SysWOW64\Kmncif32.exe | cmdline: C:\Windows\system32\Kmncif32.exe | PID:5308
#77 | C:\Windows\SysWOW64\Kallod32.exe | cmdline: C:\Windows\system32\Kallod32.exe | PID:5348
#78 | C:\Windows\SysWOW64\Kmbmdeoj.exe | cmdline: C:\Windows\system32\Kmbmdeoj.exe | PID:5396 | Drops file in System32 directory
#79 | C:\Windows\SysWOW64\Kejeebpl.exe | cmdline: C:\Windows\system32\Kejeebpl.exe | PID:5432 | Drops file in System32 directory
#80 | C:\Windows\SysWOW64\Kjfmminc.exe | cmdline: C:\Windows\system32\Kjfmminc.exe | PID:5508
#81 | C:\Windows\SysWOW64\Ldoafodd.exe | cmdline: C:\Windows\system32\Ldoafodd.exe | PID:5556
#82 | C:\Windows\SysWOW64\Lmgfod32.exe | cmdline: C:\Windows\system32\Lmgfod32.exe | PID:5596 | Adds autorun key to be loaded by Explorer.exe on startup
#83 | C:\Windows\SysWOW64\Lmjcdd32.exe | cmdline: C:\Windows\system32\Lmjcdd32.exe | PID:5644 | Drops file in System32 directory; Modifies registry class
#84 | C:\Windows\SysWOW64\Leqkeajd.exe | cmdline: C:\Windows\system32\Leqkeajd.exe | PID:5688 | Drops file in System32 directory
#85 | C:\Windows\SysWOW64\Lfbgmj32.exe | cmdline: C:\Windows\system32\Lfbgmj32.exe | PID:5732 | Modifies registry class
#86 | C:\Windows\SysWOW64\Lechkaga.exe | cmdline: C:\Windows\system32\Lechkaga.exe | PID:5776
#87 | C:\Windows\SysWOW64\Lhdqml32.exe | cmdline: C:\Windows\system32\Lhdqml32.exe | PID:5820
#88 | C:\Windows\SysWOW64\Mhfmbl32.exe | cmdline: C:\Windows\system32\Mhfmbl32.exe | PID:5868 | System Location Discovery: System Language Discovery
#89 | C:\Windows\SysWOW64\Mkdiog32.exe | cmdline: C:\Windows\system32\Mkdiog32.exe | PID:5912
#90 | C:\Windows\SysWOW64\Mdmngm32.exe | cmdline: C:\Windows\system32\Mdmngm32.exe | PID:5956
#91 | C:\Windows\SysWOW64\Meljappg.exe | cmdline: C:\Windows\system32\Meljappg.exe | PID:6000
#92 | C:\Windows\SysWOW64\Meoggpmd.exe | cmdline: C:\Windows\system32\Meoggpmd.exe | PID:6048 | System Location Discovery: System Language Discovery
#93 | C:\Windows\SysWOW64\Mmjlkb32.exe | cmdline: C:\Windows\system32\Mmjlkb32.exe | PID:6092
#94 | C:\Windows\SysWOW64\Meadlo32.exe | cmdline: C:\Windows\system32\Meadlo32.exe | PID:6136
#95 | C:\Windows\SysWOW64\Nahdapae.exe | cmdline: C:\Windows\system32\Nahdapae.exe | PID:5172
#96 | C:\Windows\SysWOW64\Ngemjg32.exe | cmdline: C:\Windows\system32\Ngemjg32.exe | PID:5264
#97 | C:\Windows\SysWOW64\Nhdicjfp.exe | cmdline: C:\Windows\system32\Nhdicjfp.exe | PID:5332 | System Location Discovery: System Language Discovery
#98 | C:\Windows\SysWOW64\Nonbqd32.exe | cmdline: C:\Windows\system32\Nonbqd32.exe | PID:5404
#99 | C:\Windows\SysWOW64\Namnmp32.exe | cmdline: C:\Windows\system32\Namnmp32.exe | PID:5492
#100 | C:\Windows\SysWOW64\Nhffijdm.exe | cmdline: C:\Windows\system32\Nhffijdm.exe | PID:5592
#101 | C:\Windows\SysWOW64\Nkebee32.exe | cmdline: C:\Windows\system32\Nkebee32.exe | PID:5652 | Adds autorun key to be loaded by Explorer.exe on startup
#102 | C:\Windows\SysWOW64\Nejgbn32.exe | cmdline: C:\Windows\system32\Nejgbn32.exe | PID:5716 | Adds autorun key to be loaded by Explorer.exe on startup
#103 | C:\Windows\SysWOW64\Nhicoi32.exe | cmdline: C:\Windows\system32\Nhicoi32.exe | PID:5744
#104 | C:\Windows\SysWOW64\Nockkcjg.exe | cmdline: C:\Windows\system32\Nockkcjg.exe | PID:5852
#105 | C:\Windows\SysWOW64\Naaghoik.exe | cmdline: C:\Windows\system32\Naaghoik.exe | PID:5924
#106 | C:\Windows\SysWOW64\Nkjlqd32.exe | cmdline: C:\Windows\system32\Nkjlqd32.exe | PID:5988
#107 | C:\Windows\SysWOW64\Onhhmpoo.exe | cmdline: C:\Windows\system32\Onhhmpoo.exe | PID:6064
#108 | C:\Windows\SysWOW64\Odbpij32.exe | cmdline: C:\Windows\system32\Odbpij32.exe | PID:5124 | System Location Discovery: System Language Discovery
#109 | C:\Windows\SysWOW64\Ohnljine.exe | cmdline: C:\Windows\system32\Ohnljine.exe | PID:5236
#110 | C:\Windows\SysWOW64\Oafacn32.exe | cmdline: C:\Windows\system32\Oafacn32.exe | PID:5356
#111 | C:\Windows\SysWOW64\Oddmoj32.exe | cmdline: C:\Windows\system32\Oddmoj32.exe | PID:5516
#112 | C:\Windows\SysWOW64\Ogcike32.exe | cmdline: C:\Windows\system32\Ogcike32.exe | PID:5640
#113 | C:\Windows\SysWOW64\Oojalb32.exe | cmdline: C:\Windows\system32\Oojalb32.exe | PID:5808
#114 | C:\Windows\SysWOW64\Onmahojj.exe | cmdline: C:\Windows\system32\Onmahojj.exe | PID:5940 | Drops file in System32 directory; System Location Discovery: System Language Discovery
#115 | C:\Windows\SysWOW64\Oolnabal.exe | cmdline: C:\Windows\system32\Oolnabal.exe | PID:6028
#116 | C:\Windows\SysWOW64\Oakjnnap.exe | cmdline: C:\Windows\system32\Oakjnnap.exe | PID:5168 | System Location Discovery: System Language Discovery; Modifies registry class
#117 | C:\Windows\SysWOW64\Okcogc32.exe | cmdline: C:\Windows\system32\Okcogc32.exe | PID:5320
#118 | C:\Windows\SysWOW64\Onakco32.exe | cmdline: C:\Windows\system32\Onakco32.exe | PID:5544 | Drops file in System32 directory; System Location Discovery: System Language Discovery
#119 | C:\Windows\SysWOW64\Ofhcdlgg.exe | cmdline: C:\Windows\system32\Ofhcdlgg.exe | PID:5756 | Adds autorun key to be loaded by Explorer.exe on startup
#120 | C:\Windows\SysWOW64\Ogjpld32.exe | cmdline: C:\Windows\system32\Ogjpld32.exe | PID:5972 | Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
#121 | C:\Windows\SysWOW64\Paocim32.exe | cmdline: C:\Windows\system32\Paocim32.exe | PID:6124
#122 | C:\Windows\SysWOW64\Philfgdh.exe | cmdline: C:\Windows\system32\Philfgdh.exe | PID:5380 | Adds autorun key to be loaded by Explorer.exe on startup
#123 | C:\Windows\SysWOW64\Pnfdnnbo.exe | cmdline: C:\Windows\system32\Pnfdnnbo.exe | PID:5836
#124 | C:\Windows\SysWOW64\Pfmlok32.exe | cmdline: C:\Windows\system32\Pfmlok32.exe | PID:6088
#125 | C:\Windows\SysWOW64\Pkjegb32.exe | cmdline: C:\Windows\system32\Pkjegb32.exe | PID:4580 | Drops file in System32 directory
#126 | C:\Windows\SysWOW64\Pbdmdlie.exe | cmdline: C:\Windows\system32\Pbdmdlie.exe | PID:6040
#127 | C:\Windows\SysWOW64\Pdbiphhi.exe | cmdline: C:\Windows\system32\Pdbiphhi.exe | PID:5768
#128 | C:\Windows\SysWOW64\Pohnnqgo.exe | cmdline: C:\Windows\system32\Pohnnqgo.exe | PID:5764
#129 | C:\Windows\SysWOW64\Pfbfjk32.exe | cmdline: C:\Windows\system32\Pfbfjk32.exe | PID:5444
#130 | C:\Windows\SysWOW64\Pkonbamc.exe | cmdline: C:\Windows\system32\Pkonbamc.exe | PID:6080 | Drops file in System32 directory
#131 | C:\Windows\SysWOW64\Pbifol32.exe | cmdline: C:\Windows\system32\Pbifol32.exe | PID:6188 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
#132 | C:\Windows\SysWOW64\Pdgckg32.exe | cmdline: C:\Windows\system32\Pdgckg32.exe | PID:6232 | Drops file in System32 directory
#133 | C:\Windows\SysWOW64\Qkakhakq.exe | cmdline: C:\Windows\system32\Qkakhakq.exe | PID:6276 | Modifies registry class
#134 | C:\Windows\SysWOW64\Qnpgdmjd.exe | cmdline: C:\Windows\system32\Qnpgdmjd.exe | PID:6320 | System Location Discovery: System Language Discovery; Modifies registry class
#135 | C:\Windows\SysWOW64\Qbkcek32.exe | cmdline: C:\Windows\system32\Qbkcek32.exe | PID:6364 | System Location Discovery: System Language Discovery; Modifies registry class
#136 | C:\Windows\SysWOW64\Qghlmbae.exe | cmdline: C:\Windows\system32\Qghlmbae.exe | PID:6412
#137 | C:\Windows\SysWOW64\Qoocnpag.exe | cmdline: C:\Windows\system32\Qoocnpag.exe | PID:6448 | Modifies registry class
#138 | C:\Windows\SysWOW64\Qfilkj32.exe | cmdline: C:\Windows\system32\Qfilkj32.exe | PID:6500
#139 | C:\Windows\SysWOW64\Akfdcq32.exe | cmdline: C:\Windows\system32\Akfdcq32.exe | PID:6544
#140 | C:\Windows\SysWOW64\Aoapcood.exe | cmdline: C:\Windows\system32\Aoapcood.exe | PID:6588
#141 | C:\Windows\SysWOW64\Adnilfnl.exe | cmdline: C:\Windows\system32\Adnilfnl.exe | PID:6632
#142 | C:\Windows\SysWOW64\Agmehamp.exe | cmdline: C:\Windows\system32\Agmehamp.exe | PID:6676
#143 | C:\Windows\SysWOW64\Anfmeldl.exe | cmdline: C:\Windows\system32\Anfmeldl.exe | PID:6720
#144 | C:\Windows\SysWOW64\Adqeaf32.exe | cmdline: C:\Windows\system32\Adqeaf32.exe | PID:6764 | Modifies registry class
#145 | C:\Windows\SysWOW64\Akjnnpcf.exe | cmdline: C:\Windows\system32\Akjnnpcf.exe | PID:6804 | Drops file in System32 directory; Modifies registry class
#146 | C:\Windows\SysWOW64\Anijjkbj.exe | cmdline: C:\Windows\system32\Anijjkbj.exe | PID:6848
#147 | C:\Windows\SysWOW64\Abdfkj32.exe | cmdline: C:\Windows\system32\Abdfkj32.exe | PID:6888 | Drops file in System32 directory
#148 | C:\Windows\SysWOW64\Agaoca32.exe | cmdline: C:\Windows\system32\Agaoca32.exe | PID:6932 | Modifies registry class
#149 | C:\Windows\SysWOW64\Afboah32.exe | cmdline: C:\Windows\system32\Afboah32.exe | PID:6976
#150 | C:\Windows\SysWOW64\Aeeomegd.exe | cmdline: C:\Windows\system32\Aeeomegd.exe | PID:7020
#151 | C:\Windows\SysWOW64\Akogio32.exe | cmdline: C:\Windows\system32\Akogio32.exe | PID:7064
#152 | C:\Windows\SysWOW64\Abipfifn.exe | cmdline: C:\Windows\system32\Abipfifn.exe | PID:7108
#153 | C:\Windows\SysWOW64\Aeglbeea.exe | cmdline: C:\Windows\system32\Aeglbeea.exe | PID:7152
#154 | C:\Windows\SysWOW64\Bnppkj32.exe | cmdline: C:\Windows\system32\Bnppkj32.exe | PID:6196 | Adds autorun key to be loaded by Explorer.exe on startup
#155 | C:\Windows\SysWOW64\Bfghlhmd.exe | cmdline: C:\Windows\system32\Bfghlhmd.exe | PID:6244
#156 | C:\Windows\SysWOW64\Biedhclh.exe | cmdline: C:\Windows\system32\Biedhclh.exe | PID:6300 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
#157 | C:\Windows\SysWOW64\Bnbmqjjo.exe | cmdline: C:\Windows\system32\Bnbmqjjo.exe | PID:6388
#158 | C:\Windows\SysWOW64\Belemd32.exe | cmdline: C:\Windows\system32\Belemd32.exe | PID:6440
#159 | C:\Windows\SysWOW64\Bgkaip32.exe | cmdline: C:\Windows\system32\Bgkaip32.exe | PID:6508
#160 | C:\Windows\SysWOW64\Bndjfjhl.exe | cmdline: C:\Windows\system32\Bndjfjhl.exe | PID:6576 | Adds autorun key to be loaded by Explorer.exe on startup
#161 | C:\Windows\SysWOW64\Beobcdoi.exe | cmdline: C:\Windows\system32\Beobcdoi.exe | PID:6616 | Modifies registry class
#162 | C:\Windows\SysWOW64\Bgmnooom.exe | cmdline: C:\Windows\system32\Bgmnooom.exe | PID:6668
#163 | C:\Windows\SysWOW64\Bfnnmg32.exe | cmdline: C:\Windows\system32\Bfnnmg32.exe | PID:2768
#164 | C:\Windows\SysWOW64\Beaohcmf.exe | cmdline: C:\Windows\system32\Beaohcmf.exe | PID:6824
#165 | C:\Windows\SysWOW64\Bnicai32.exe | cmdline: C:\Windows\system32\Bnicai32.exe | PID:6884
#166 | C:\Windows\SysWOW64\Becknc32.exe | cmdline: C:\Windows\system32\Becknc32.exe | PID:6952
#167 | C:\Windows\SysWOW64\Cgagjo32.exe | cmdline: C:\Windows\system32\Cgagjo32.exe | PID:7016 | Drops file in System32 directory
#168 | C:\Windows\SysWOW64\Cbglgg32.exe | cmdline: C:\Windows\system32\Cbglgg32.exe | PID:7092
#169 | C:\Windows\SysWOW64\Ciaddaaj.exe | cmdline: C:\Windows\system32\Ciaddaaj.exe | PID:7164
#170 | C:\Windows\SysWOW64\Clpppmqn.exe | cmdline: C:\Windows\system32\Clpppmqn.exe | PID:6224 | Modifies registry class
#171 | C:\Windows\SysWOW64\Cbihmg32.exe | cmdline: C:\Windows\system32\Cbihmg32.exe | PID:6340
#172 | C:\Windows\SysWOW64\Clbmfm32.exe | cmdline: C:\Windows\system32\Clbmfm32.exe | PID:6424 | Drops file in System32 directory
#173 | C:\Windows\SysWOW64\Cblebgfh.exe | cmdline: C:\Windows\system32\Cblebgfh.exe | PID:6492 | System Location Discovery: System Language Discovery
#174 | C:\Windows\SysWOW64\Cifmoa32.exe | cmdline: C:\Windows\system32\Cifmoa32.exe | PID:6596
#175 | C:\Windows\SysWOW64\Cbnbhfde.exe | cmdline: C:\Windows\system32\Cbnbhfde.exe | PID:6684
#176 | C:\Windows\SysWOW64\Cihjeq32.exe | cmdline: C:\Windows\system32\Cihjeq32.exe | PID:6780 | System Location Discovery: System Language Discovery; Modifies registry class
#177 | C:\Windows\SysWOW64\Clffalkf.exe | cmdline: C:\Windows\system32\Clffalkf.exe | PID:6920
#178 | C:\Windows\SysWOW64\Cnebmgjj.exe | cmdline: C:\Windows\system32\Cnebmgjj.exe | PID:7032
#179 | C:\Windows\SysWOW64\Cfljnejl.exe | cmdline: C:\Windows\system32\Cfljnejl.exe | PID:6208
#180 | C:\Windows\SysWOW64\Dijgjpip.exe | cmdline: C:\Windows\system32\Dijgjpip.exe | PID:4060
#181 | C:\Windows\SysWOW64\Dpdogj32.exe | cmdline: C:\Windows\system32\Dpdogj32.exe | PID:5024
#182 | C:\Windows\SysWOW64\Dbckcf32.exe | cmdline: C:\Windows\system32\Dbckcf32.exe | PID:6732
#183 | C:\Windows\SysWOW64\Dfngcdhi.exe | cmdline: C:\Windows\system32\Dfngcdhi.exe | PID:6968
#184 | C:\Windows\SysWOW64\Dimcppgm.exe | cmdline: C:\Windows\system32\Dimcppgm.exe | PID:6240
#185 | C:\Windows\SysWOW64\Dhpdkm32.exe | cmdline: C:\Windows\system32\Dhpdkm32.exe | PID:2780
#186 | C:\Windows\SysWOW64\Dpglmjoj.exe | cmdline: C:\Windows\system32\Dpglmjoj.exe | PID:6536
#187 | C:\Windows\SysWOW64\Dfqdid32.exe | cmdline: C:\Windows\system32\Dfqdid32.exe | PID:7056
#188 | C:\Windows\SysWOW64\Diopep32.exe | cmdline: C:\Windows\system32\Diopep32.exe | PID:764
#189 | C:\Windows\SysWOW64\Dbgdnelk.exe | cmdline: C:\Windows\system32\Dbgdnelk.exe | PID:6800
#190 | C:\Windows\SysWOW64\Diamko32.exe | cmdline: C:\Windows\system32\Diamko32.exe | PID:6376
#191 | C:\Windows\SysWOW64\Dpkehi32.exe | cmdline: C:\Windows\system32\Dpkehi32.exe | PID:6184
#192 | C:\Windows\SysWOW64\Eifffoob.exe | cmdline: C:\Windows\system32\Eifffoob.exe | PID:6752 | System Location Discovery: System Language Discovery
#193 | C:\Windows\SysWOW64\Eppobi32.exe | cmdline: C:\Windows\system32\Eppobi32.exe | PID:6872
#194 | C:\Windows\SysWOW64\Eemgkpef.exe | cmdline: C:\Windows\system32\Eemgkpef.exe | PID:7208 | Adds autorun key to be loaded by Explorer.exe on startup
#195 | C:\Windows\SysWOW64\Elgohj32.exe | cmdline: C:\Windows\system32\Elgohj32.exe | PID:7252 | Modifies registry class
#196 | C:\Windows\SysWOW64\Ebagdddp.exe | cmdline: C:\Windows\system32\Ebagdddp.exe | PID:7284 | Adds autorun key to be loaded by Explorer.exe on startup
#197 | C:\Windows\SysWOW64\Ehnpmkbg.exe | cmdline: C:\Windows\system32\Ehnpmkbg.exe | PID:7336 | Adds autorun key to be loaded by Explorer.exe on startup
#198 | C:\Windows\SysWOW64\Eohhie32.exe | cmdline: C:\Windows\system32\Eohhie32.exe | PID:7380
#199 | C:\Windows\SysWOW64\Eimlgnij.exe | cmdline: C:\Windows\system32\Eimlgnij.exe | PID:7424 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
#200 | C:\Windows\SysWOW64\Ellicihn.exe | cmdline: C:\Windows\system32\Ellicihn.exe | PID:7468
#201 | C:\Windows\SysWOW64\Eojeodga.exe | cmdline: C:\Windows\system32\Eojeodga.exe | PID:7512
#202 | C:\Windows\SysWOW64\Efampahd.exe | cmdline: C:\Windows\system32\Efampahd.exe | PID:7556
#203 | C:\Windows\SysWOW64\Ehbihj32.exe | cmdline: C:\Windows\system32\Ehbihj32.exe | PID:7600 | System Location Discovery: System Language Discovery; Modifies registry class
#204 | C:\Windows\SysWOW64\Fgcjea32.exe | cmdline: C:\Windows\system32\Fgcjea32.exe | PID:7644 | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
#205 | C:\Windows\SysWOW64\Fefjanml.exe | cmdline: C:\Windows\system32\Fefjanml.exe | PID:7688 | Adds autorun key to be loaded by Explorer.exe on startup
#206 | C:\Windows\SysWOW64\Foonjd32.exe | cmdline: C:\Windows\system32\Foonjd32.exe | PID:7732 | System Location Discovery: System Language Discovery; Modifies registry class
#207 | C:\Windows\SysWOW64\Fbjjkble.exe | cmdline: C:\Windows\system32\Fbjjkble.exe | PID:7776
#208 | C:\Windows\SysWOW64\Fgffka32.exe | cmdline: C:\Windows\system32\Fgffka32.exe | PID:7816 | Drops file in System32 directory; Modifies registry class
#209 | C:\Windows\SysWOW64\Fidbgm32.exe | cmdline: C:\Windows\system32\Fidbgm32.exe | PID:7868
#210 | C:\Windows\SysWOW64\Flboch32.exe | cmdline: C:\Windows\system32\Flboch32.exe | PID:7912
#211 | C:\Windows\SysWOW64\Foakpc32.exe | cmdline: C:\Windows\system32\Foakpc32.exe | PID:7956
#212 | C:\Windows\SysWOW64\Fekclnif.exe | cmdline: C:\Windows\system32\Fekclnif.exe | PID:8000
#213 | C:\Windows\SysWOW64\Fcodfa32.exe | cmdline: C:\Windows\system32\Fcodfa32.exe | PID:8044
#214 | C:\Windows\SysWOW64\Fhllni32.exe | cmdline: C:\Windows\system32\Fhllni32.exe | PID:8088
#215 | C:\Windows\SysWOW64\Fepmgm32.exe | cmdline: C:\Windows\system32\Fepmgm32.exe | PID:8136 | System Location Discovery: System Language Discovery
#216 | C:\Windows\SysWOW64\Fhnichde.exe | cmdline: C:\Windows\system32\Fhnichde.exe | PID:8180
#217 | C:\Windows\SysWOW64\Fljedg32.exe | cmdline: C:\Windows\system32\Fljedg32.exe | PID:7216
#218 | C:\Windows\SysWOW64\Fpeaeedg.exe | cmdline: C:\Windows\system32\Fpeaeedg.exe | PID:7276
-
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe219⤵PID:7356
-
C:\Windows\SysWOW64\Gojnfb32.exeC:\Windows\system32\Gojnfb32.exe220⤵PID:7416
-
C:\Windows\SysWOW64\Ggafgo32.exeC:\Windows\system32\Ggafgo32.exe221⤵
- Modifies registry class
PID:7496 -
C:\Windows\SysWOW64\Glnnofhi.exeC:\Windows\system32\Glnnofhi.exe222⤵PID:7564
-
C:\Windows\SysWOW64\Ggdbmoho.exeC:\Windows\system32\Ggdbmoho.exe223⤵PID:7636
-
C:\Windows\SysWOW64\Gegchl32.exeC:\Windows\system32\Gegchl32.exe224⤵PID:7704
-
C:\Windows\SysWOW64\Glqkefff.exeC:\Windows\system32\Glqkefff.exe225⤵
- System Location Discovery: System Language Discovery
PID:7760 -
C:\Windows\SysWOW64\Gplged32.exeC:\Windows\system32\Gplged32.exe226⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:7836 -
C:\Windows\SysWOW64\Glchjedc.exeC:\Windows\system32\Glchjedc.exe227⤵PID:7904
-
C:\Windows\SysWOW64\Goadfa32.exeC:\Windows\system32\Goadfa32.exe228⤵PID:7968
-
C:\Windows\SysWOW64\Gcmpgpkp.exeC:\Windows\system32\Gcmpgpkp.exe229⤵PID:8036
-
C:\Windows\SysWOW64\Gjghdj32.exeC:\Windows\system32\Gjghdj32.exe230⤵
- Modifies registry class
PID:8104 -
C:\Windows\SysWOW64\Hodqlq32.exeC:\Windows\system32\Hodqlq32.exe231⤵
- Drops file in System32 directory
PID:8176 -
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:7292 -
C:\Windows\SysWOW64\Hgkimn32.exeC:\Windows\system32\Hgkimn32.exe233⤵PID:7376
-
C:\Windows\SysWOW64\Hjieii32.exeC:\Windows\system32\Hjieii32.exe234⤵
- Drops file in System32 directory
PID:7452 -
C:\Windows\SysWOW64\Hgmebnpd.exeC:\Windows\system32\Hgmebnpd.exe235⤵PID:7592
-
C:\Windows\SysWOW64\Hpejlc32.exeC:\Windows\system32\Hpejlc32.exe236⤵PID:7672
-
C:\Windows\SysWOW64\Hgpbhmna.exeC:\Windows\system32\Hgpbhmna.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:7832 -
C:\Windows\SysWOW64\Hjnndime.exeC:\Windows\system32\Hjnndime.exe238⤵PID:7840
-
C:\Windows\SysWOW64\Hcfcmnce.exeC:\Windows\system32\Hcfcmnce.exe239⤵PID:8016
-
C:\Windows\SysWOW64\Hjpkjh32.exeC:\Windows\system32\Hjpkjh32.exe240⤵
- Modifies registry class
PID:8144 -
C:\Windows\SysWOW64\Homcbo32.exeC:\Windows\system32\Homcbo32.exe241⤵PID:7192
-
C:\Windows\SysWOW64\Hcipcnac.exeC:\Windows\system32\Hcipcnac.exe242⤵PID:7436
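Reports in this flattened form are awkward to triage by eye once the chain runs to dozens of processes. The following parser is an added example, not part of the sandbox report or of the sample: it turns the raw "image+cmdline+step⤵PID" lines (with their "- <signature>" lines and stray "-" bullets) into records, rebuilds the parent chain, lists the PIDs that carried the autorun-key signature, and flags where the command line named system32 but the image ran from SysWOW64. It assumes, as stated in the code, that the report's ⤵ marker nests each process under the one listed immediately before it. The embedded sample is steps 191 to 196 copied from the entries above.

```python
"""Parse a flattened sandbox process tree (the 'image+cmdline+step⤵PID' form
seen in this report) and pull out what a triager wants: chain length,
parent links, which processes carried the persistence signature, and where
WOW64 redirected the launch path. Added example, not the sandbox's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One entry line looks like:
#   C:\Windows\SysWOW64\X.exeC:\Windows\system32\X.exe194⤵PID:7208
# When the sandbox attached signatures, the line ends at ⤵, one
# "- <signature>" line follows per signature, then "PID:7208 -".
ENTRY_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>[A-Za-z]:\\.+?\.exe)"
    r"(?P<step>\d+)⤵(?:PID:(?P<pid>\d+))?\s*-?\s*$"
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")
SIG_RE = re.compile(r"^-\s+(?P<sig>\S.*)$")

PERSISTENCE_SIG = "Adds autorun key to be loaded by Explorer.exe on startup"


@dataclass
class ProcEntry:
    step: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> List[ProcEntry]:
    """Turn the flattened lines into ProcEntry records, in report order."""
    entries: List[ProcEntry] = []
    pending: Optional[ProcEntry] = None  # entry whose PID has not appeared yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # list-bullet residue between entries
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = ProcEntry(int(m["step"]), m["image"], m["cmd"],
                              int(m["pid"]) if m["pid"] else None)
            entries.append(entry)
            pending = None if entry.pid is not None else entry
            continue
        m = PID_RE.match(line)
        if m and pending is not None:
            pending.pid = int(m["pid"])
            pending = None
            continue
        m = SIG_RE.match(line)
        if m and pending is not None:
            pending.signatures.append(m["sig"])
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return entries


def parent_map(entries: List[ProcEntry]) -> Dict[int, Optional[int]]:
    """Map PID -> parent PID. Assumption: the report's ⤵ marker nests each
    process under the one listed immediately before it (step n+1 is a child
    of step n), so the tree is one long chain. Gaps in the step index are
    treated as a parse error rather than silently bridged."""
    parents: Dict[int, Optional[int]] = {}
    prev: Optional[ProcEntry] = None
    for e in entries:
        if e.pid is None:
            raise ValueError(f"step {e.step} has no PID")
        if prev is not None and e.step != prev.step + 1:
            raise ValueError(f"step gap between {prev.step} and {e.step}")
        parents[e.pid] = prev.pid if prev else None
        prev = e
    return parents


def persistence_pids(entries: List[ProcEntry]) -> List[int]:
    """PIDs whose entry carries the autorun-key signature."""
    return [e.pid for e in entries if PERSISTENCE_SIG in e.signatures]


def wow64_redirected(entries: List[ProcEntry]) -> List[int]:
    """PIDs launched with a \\system32\\ command line whose image actually
    sits under \\SysWOW64\\, i.e. WOW64 file-system redirection applied."""
    return [e.pid for e in entries
            if "\\system32\\" in e.cmdline.lower()
            and "\\syswow64\\" in e.image.lower()]


# Constructed sample: steps 191 to 196 copied from the report excerpt above.
SAMPLE = r"""
C:\Windows\SysWOW64\Dpkehi32.exeC:\Windows\system32\Dpkehi32.exe191⤵PID:6184
-
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe192⤵
- System Location Discovery: System Language Discovery
PID:6752 -
C:\Windows\SysWOW64\Eppobi32.exeC:\Windows\system32\Eppobi32.exe193⤵PID:6872
-
C:\Windows\SysWOW64\Eemgkpef.exeC:\Windows\system32\Eemgkpef.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7208 -
C:\Windows\SysWOW64\Elgohj32.exeC:\Windows\system32\Elgohj32.exe195⤵
- Modifies registry class
PID:7252 -
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7284 -
"""


def triage(text: str = SAMPLE) -> dict:
    """Summary a triager can paste into a ticket."""
    entries = parse_process_tree(text)
    return {
        "chain_length": len(entries),
        "parents": parent_map(entries),
        "persistence_pids": persistence_pids(entries),
        "wow64_redirected": wow64_redirected(entries),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run against the full tree the same way: paste the report's process-tree text into `triage()` and the persistence list gives the PIDs to pull the ShellServiceObjectDelayLoad write from in the registry events, while the parent map gives the spawn chain to correlate against Sysmon event ID 1 ParentProcessId fields on a live host.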