Analysis
max time kernel: 108s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 14:42

Static task: static1

Behavioral task: behavioral1
Sample: Trojan.Win32.Cerber.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Trojan.Win32.Cerber.exe
Resource: win10v2004-20240802-en
General
Target: Trojan.Win32.Cerber.exe
Size: 80KB
MD5: 28f8056ed6843fba0ad05da168a338e0
SHA1: 176c22eedfc5620a975176cc089517c8385a4076
SHA256: 44e4e85e44f4d5cdf27e29c56004c6d3af762b59eb8d4190068b110ff92dda47
SHA512: 390ccedfecaaa80a6e68aa5de9c24259ffdaf6013d6dea21b3526f607d119db60a11069e1fcf616f5a744119157eee74e73a648520da6807ac184afabd2559bf
SSDEEP: 1536:1TWJTSXyMJOGIOEtMhX+Mq9MiZ5vx3J0v2LRaIZTJ+7LhkiB0:1yTSXya42hX+Mq9NZD3O0RaMU7ui
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qmahog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbdkdffm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oiljcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcijmhdj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgqmpkfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Noojdc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcjldp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bllomg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgfckbfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldlghhde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oehicoom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfdqpdja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enhcnd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmpqbnmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfogneop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fialggcl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiefqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fqfipj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnmcge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kokppd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nehjmppo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beadgdli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Faikbkhj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ommdqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oeaael32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfimhmlo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cihojiok.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcjhig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkplnp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kemgqm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khhpmbeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chdjpl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmjoaofc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pnbjca32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anpooe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liaeleak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pelpgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmeiei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghaeaaki.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndjfgkha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coldmfkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpfcohfk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pikaqppk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beogaenl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgbnbcmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehonebqq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgpnjkgi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbpnkm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlgdhcmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Capmemci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkdpmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akmgoehg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdlpnamm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emjjfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plfhdlfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpbenpqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilemce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eaoaafli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mookod32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lckpbm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nphbfplf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcpbpk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgjhkpbj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afcdpi32.exe
Executes dropped EXE 64 IoCs
pid | Process
1832 | Mgbcfdmo.exe
2756 | Miclhpjp.exe
2104 | Mldeik32.exe
2820 | Mkibjgli.exe
2516 | Ndafcmci.exe
3012 | Npkdnnfk.exe
1148 | Nopaoj32.exe
2088 | Njeelc32.exe
2684 | Oodjjign.exe
2672 | Ojceef32.exe
2176 | Oehicoom.exe
1476 | Pfnoegaf.exe
1912 | Pmkdhq32.exe
560 | Qnqjkh32.exe
1616 | Qjgjpi32.exe
940 | Amhcad32.exe
2324 | Amjpgdik.exe
1736 | Afcdpi32.exe
2320 | Aicmadmm.exe
1932 | Apnfno32.exe
852 | Aejnfe32.exe
2204 | Beogaenl.exe
2236 | Beadgdli.exe
2748 | Befnbd32.exe
2664 | Cnabffeo.exe
2796 | Clilmbhd.exe
2640 | Cpgecq32.exe
3004 | Cgqmpkfg.exe
2452 | Coladm32.exe
2008 | Cbjnqh32.exe
2896 | Dcjjkkji.exe
2716 | Dqddmd32.exe
2700 | Dbdagg32.exe
1284 | Dgqion32.exe
2148 | Dmmbge32.exe
1972 | Ecgjdong.exe
2316 | Ejabqi32.exe
2956 | Eqkjmcmq.exe
2244 | Efhcej32.exe
616 | Eifobe32.exe
1004 | Eclcon32.exe
2384 | Ejfllhao.exe
2648 | Ecnpdnho.exe
2408 | Eikimeff.exe
1560 | Epeajo32.exe
1016 | Efoifiep.exe
2968 | Fnjnkkbk.exe
2296 | Fipbhd32.exe
2808 | Fnmjpk32.exe
1252 | Fheoiqgi.exe
2764 | Fmbgageq.exe
2116 | Fdlpnamm.exe
2900 | Fappgflg.exe
2212 | Ffmipmjn.exe
2536 | Fdqiiaih.exe
2016 | Gminbfoh.exe
2264 | Gbffjmmp.exe
2072 | Gipngg32.exe
1692 | Gbhcpmkm.exe
932 | Gibkmgcj.exe
2312 | Gplcia32.exe
840 | Glbdnbpk.exe
1044 | Ghidcceo.exe
752 | Hmfmkjdf.exe
Loads dropped DLL 64 IoCs
pid | Process
2656 | Trojan.Win32.Cerber.exe
2656 | Trojan.Win32.Cerber.exe
1832 | Mgbcfdmo.exe
1832 | Mgbcfdmo.exe
2756 | Miclhpjp.exe
2756 | Miclhpjp.exe
2104 | Mldeik32.exe
2104 | Mldeik32.exe
2820 | Mkibjgli.exe
2820 | Mkibjgli.exe
2516 | Ndafcmci.exe
2516 | Ndafcmci.exe
3012 | Npkdnnfk.exe
3012 | Npkdnnfk.exe
1148 | Nopaoj32.exe
1148 | Nopaoj32.exe
2088 | Njeelc32.exe
2088 | Njeelc32.exe
2684 | Oodjjign.exe
2684 | Oodjjign.exe
2672 | Ojceef32.exe
2672 | Ojceef32.exe
2176 | Oehicoom.exe
2176 | Oehicoom.exe
1476 | Pfnoegaf.exe
1476 | Pfnoegaf.exe
1912 | Pmkdhq32.exe
1912 | Pmkdhq32.exe
560 | Qnqjkh32.exe
560 | Qnqjkh32.exe
1616 | Qjgjpi32.exe
1616 | Qjgjpi32.exe
940 | Amhcad32.exe
940 | Amhcad32.exe
2324 | Amjpgdik.exe
2324 | Amjpgdik.exe
1736 | Afcdpi32.exe
1736 | Afcdpi32.exe
2320 | Aicmadmm.exe
2320 | Aicmadmm.exe
1932 | Apnfno32.exe
1932 | Apnfno32.exe
852 | Aejnfe32.exe
852 | Aejnfe32.exe
2204 | Beogaenl.exe
2204 | Beogaenl.exe
1596 | Bahelebm.exe
1596 | Bahelebm.exe
2748 | Befnbd32.exe
2748 | Befnbd32.exe
2664 | Cnabffeo.exe
2664 | Cnabffeo.exe
2796 | Clilmbhd.exe
2796 | Clilmbhd.exe
2640 | Cpgecq32.exe
2640 | Cpgecq32.exe
3004 | Cgqmpkfg.exe
3004 | Cgqmpkfg.exe
2452 | Coladm32.exe
2452 | Coladm32.exe
2008 | Cbjnqh32.exe
2008 | Cbjnqh32.exe
2896 | Dcjjkkji.exe
2896 | Dcjjkkji.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Fmcbka32.dll | Fhnjdfcl.exe
File created | C:\Windows\SysWOW64\Lnbmgkoo.dll | Naokbq32.exe
File created | C:\Windows\SysWOW64\Pelpgb32.exe | Pldknmhd.exe
File created | C:\Windows\SysWOW64\Lgmhbloc.dll | Cngfqi32.exe
File created | C:\Windows\SysWOW64\Dnbdblmp.dll | Cpkaai32.exe
File created | C:\Windows\SysWOW64\Lpanne32.exe | Ligfakaa.exe
File opened for modification | C:\Windows\SysWOW64\Pqjhjf32.exe | Pnllnk32.exe
File created | C:\Windows\SysWOW64\Ioochn32.exe | Iiekkdjo.exe
File created | C:\Windows\SysWOW64\Aeannooi.dll | Ghlell32.exe
File created | C:\Windows\SysWOW64\Gkokcp32.dll | Jkioho32.exe
File created | C:\Windows\SysWOW64\Oafhmf32.exe | Oohlaj32.exe
File created | C:\Windows\SysWOW64\Ipameehe.exe | Ieligmho.exe
File opened for modification | C:\Windows\SysWOW64\Lhenmm32.exe | Llomhllh.exe
File opened for modification | C:\Windows\SysWOW64\Edkahbmo.exe | Emailhfb.exe
File opened for modification | C:\Windows\SysWOW64\Gocnjn32.exe | Fejjah32.exe
File created | C:\Windows\SysWOW64\Cjifpdib.exe | Cconcjae.exe
File created | C:\Windows\SysWOW64\Gohjnf32.exe | Gadidabc.exe
File created | C:\Windows\SysWOW64\Kgbjdd32.dll | Edmkei32.exe
File created | C:\Windows\SysWOW64\Bhjpnj32.exe | Beldao32.exe
File created | C:\Windows\SysWOW64\Mlgdhcmb.exe | Memlki32.exe
File created | C:\Windows\SysWOW64\Cdlmlidp.exe | Ckchcc32.exe
File opened for modification | C:\Windows\SysWOW64\Cimooo32.exe | Cmfnjnin.exe
File created | C:\Windows\SysWOW64\Egknpp32.dll | Ejadibmh.exe
File created | C:\Windows\SysWOW64\Giedhjnn.dll | Okkfmmqj.exe
File created | C:\Windows\SysWOW64\Agnbbk32.dll | Dhjdjc32.exe
File created | C:\Windows\SysWOW64\Pfnoegaf.exe | Oehicoom.exe
File opened for modification | C:\Windows\SysWOW64\Hccfoehi.exe | Hngngo32.exe
File created | C:\Windows\SysWOW64\Eoalpaaa.exe | Eeiggk32.exe
File created | C:\Windows\SysWOW64\Okdahbmm.exe | Onqaonnc.exe
File created | C:\Windows\SysWOW64\Nddobb32.dll | Onqaonnc.exe
File opened for modification | C:\Windows\SysWOW64\Agnjge32.exe | Aadakl32.exe
File created | C:\Windows\SysWOW64\Imbfohon.dll | Egndgdai.exe
File created | C:\Windows\SysWOW64\Pojdem32.exe | Pnihneon.exe
File opened for modification | C:\Windows\SysWOW64\Hqpahkmj.exe | Gkchpcoc.exe
File created | C:\Windows\SysWOW64\Okoefg32.dll | Ojgokflc.exe
File created | C:\Windows\SysWOW64\Ngpfbjkg.dll | Pacqlcdi.exe
File created | C:\Windows\SysWOW64\Gffnacpc.dll | Egikle32.exe
File created | C:\Windows\SysWOW64\Mamcfo32.dll | Ekhjlioa.exe
File created | C:\Windows\SysWOW64\Glfiinip.dll | Mnkfcjqe.exe
File created | C:\Windows\SysWOW64\Fkneka32.dll | Gkoodd32.exe
File opened for modification | C:\Windows\SysWOW64\Gnhkkjbf.exe | Gdpfbd32.exe
File opened for modification | C:\Windows\SysWOW64\Gklkdn32.exe | Gdbchd32.exe
File created | C:\Windows\SysWOW64\Mlcekgbb.exe | Mdhpgeeg.exe
File opened for modification | C:\Windows\SysWOW64\Gminbfoh.exe | Fdqiiaih.exe
File created | C:\Windows\SysWOW64\Ojjalodg.dll | Pppnia32.exe
File created | C:\Windows\SysWOW64\Ihlbih32.exe | Ipameehe.exe
File opened for modification | C:\Windows\SysWOW64\Nlhnfg32.exe | Nodnmb32.exe
File created | C:\Windows\SysWOW64\Bcedbefd.exe | Bnhljnhm.exe
File opened for modification | C:\Windows\SysWOW64\Enhcnd32.exe | Edpoeoea.exe
File opened for modification | C:\Windows\SysWOW64\Eifobe32.exe | Efhcej32.exe
File created | C:\Windows\SysWOW64\Lomglo32.exe | Lcffgnnc.exe
File created | C:\Windows\SysWOW64\Epdljjjm.exe | Ekgcbcke.exe
File opened for modification | C:\Windows\SysWOW64\Faikbkhj.exe | Fokofpif.exe
File created | C:\Windows\SysWOW64\Gfgcpnon.dll | Ebkndibq.exe
File created | C:\Windows\SysWOW64\Hdolga32.exe | Hobcok32.exe
File created | C:\Windows\SysWOW64\Miclhpjp.exe | Mgbcfdmo.exe
File created | C:\Windows\SysWOW64\Akljeqga.dll | Mjbghkfi.exe
File opened for modification | C:\Windows\SysWOW64\Hmnhnk32.exe | Hcfceeff.exe
File opened for modification | C:\Windows\SysWOW64\Ahoamplo.exe | Acbieing.exe
File created | C:\Windows\SysWOW64\Fpkdca32.exe | Fialggcl.exe
File created | C:\Windows\SysWOW64\Oiioneca.dll | Coehnecn.exe
File created | C:\Windows\SysWOW64\Niligfhh.dll | Qekdpkgj.exe
File opened for modification | C:\Windows\SysWOW64\Dmmbge32.exe | Dgqion32.exe
File created | C:\Windows\SysWOW64\Ndjhjkfi.dll | Anpooe32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3008 | 2900 | WerFault.exe | 964
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkgbcofn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flbehbqm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdhpgeeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idcqep32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnoaliln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oipcnieb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekofgnna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdqiiaih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmkiobge.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Meeopdhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnnbqeib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdloab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gipngg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpoibp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiljcj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dapnfb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghaeaaki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkdkhl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kehgkgha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aicfgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmqieh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdjceb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgfckbfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpjilj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpmjjhmi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghnfci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Naokbq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehonebqq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oaiglnih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfagemej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efkbdbai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnkfcjqe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmlqimph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iilceh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pqjhjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojdjqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiockd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jacjna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qefihg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eahkag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjlaod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bppdlgjk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpbabf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkdlaplh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aellfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Meojkide.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maejpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgjkmijh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbkdgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dimfmeef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgbcha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eclcon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggmldj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onggom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkjpncii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbaafocg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfjcncak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjebjjck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npieoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iabcbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olnipn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpocno32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fappgflg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpafgp32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblbj32.dll" | Dofnnkfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpafgp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jnpoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhejn32.dll" | Phmfpddb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qoaaqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpbc32.dll" | Kaillp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndbeeo.dll" | Dpjhcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbomgjkh.dll" | Bnjipn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kbpnkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kjchmclb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmgddcnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lihifhoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojfinhh.dll" | Mpjgag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iaaekl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkioho32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bomhnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohjmlaci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kaieai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhfoleio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhgceh32.dll" | Bppdlgjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Coldmfkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdnkkmej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpgip32.dll" | Jaffca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnbfkccn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kghmhegc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appcjgmk.dll" | Hliieioi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ieligmho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmfjeap.dll" | Ecgjdong.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjddaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebedebg.dll" | Gfogneop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aeepjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eeameodq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpppjikm.dll" | Pegnglnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblhqf32.dll" | Kdeehe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bkjfhile.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepjmp32.dll" | Khhpmbeb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lepclldc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flbehbqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahjahk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdolga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgahboge.dll" | Gpjilj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpcbe32.dll" | Kcllfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcaic32.dll" | Faikbkhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccmanjch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aeenapck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cojghf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ecjibgdh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jaffca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffaoi32.dll" | Fdjddf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Niaihojk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbkgegad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aellfe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpbenpqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Acfonhgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efifjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbojchdc.dll" | Gcfioj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jllaig32.dll" | Hekefkig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhfhnofg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpoibp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdodjlda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldfldpqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eeiggk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidqcdjh.dll" | Kegebn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijmdql32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2656 wrote to memory of 1832 2656 Trojan.Win32.Cerber.exe 30
PID 2656 wrote to memory of 1832 2656 Trojan.Win32.Cerber.exe 30
PID 2656 wrote to memory of 1832 2656 Trojan.Win32.Cerber.exe 30
PID 2656 wrote to memory of 1832 2656 Trojan.Win32.Cerber.exe 30
PID 1832 wrote to memory of 2756 1832 Mgbcfdmo.exe 31
PID 1832 wrote to memory of 2756 1832 Mgbcfdmo.exe 31
PID 1832 wrote to memory of 2756 1832 Mgbcfdmo.exe 31
PID 1832 wrote to memory of 2756 1832 Mgbcfdmo.exe 31
PID 2756 wrote to memory of 2104 2756 Miclhpjp.exe 32
PID 2756 wrote to memory of 2104 2756 Miclhpjp.exe 32
PID 2756 wrote to memory of 2104 2756 Miclhpjp.exe 32
PID 2756 wrote to memory of 2104 2756 Miclhpjp.exe 32
PID 2104 wrote to memory of 2820 2104 Mldeik32.exe 33
PID 2104 wrote to memory of 2820 2104 Mldeik32.exe 33
PID 2104 wrote to memory of 2820 2104 Mldeik32.exe 33
PID 2104 wrote to memory of 2820 2104 Mldeik32.exe 33
PID 2820 wrote to memory of 2516 2820 Mkibjgli.exe 34
PID 2820 wrote to memory of 2516 2820 Mkibjgli.exe 34
PID 2820 wrote to memory of 2516 2820 Mkibjgli.exe 34
PID 2820 wrote to memory of 2516 2820 Mkibjgli.exe 34
PID 2516 wrote to memory of 3012 2516 Ndafcmci.exe 35
PID 2516 wrote to memory of 3012 2516 Ndafcmci.exe 35
PID 2516 wrote to memory of 3012 2516 Ndafcmci.exe 35
PID 2516 wrote to memory of 3012 2516 Ndafcmci.exe 35
PID 3012 wrote to memory of 1148 3012 Npkdnnfk.exe 36
PID 3012 wrote to memory of 1148 3012 Npkdnnfk.exe 36
PID 3012 wrote to memory of 1148 3012 Npkdnnfk.exe 36
PID 3012 wrote to memory of 1148 3012 Npkdnnfk.exe 36
PID 1148 wrote to memory of 2088 1148 Nopaoj32.exe 37
PID 1148 wrote to memory of 2088 1148 Nopaoj32.exe 37
PID 1148 wrote to memory of 2088 1148 Nopaoj32.exe 37
PID 1148 wrote to memory of 2088 1148 Nopaoj32.exe 37
PID 2088 wrote to memory of 2684 2088 Njeelc32.exe 38
PID 2088 wrote to memory of 2684 2088 Njeelc32.exe 38
PID 2088 wrote to memory of 2684 2088 Njeelc32.exe 38
PID 2088 wrote to memory of 2684 2088 Njeelc32.exe 38
PID 2684 wrote to memory of 2672 2684 Oodjjign.exe 39
PID 2684 wrote to memory of 2672 2684 Oodjjign.exe 39
PID 2684 wrote to memory of 2672 2684 Oodjjign.exe 39
PID 2684 wrote to memory of 2672 2684 Oodjjign.exe 39
PID 2672 wrote to memory of 2176 2672 Ojceef32.exe 40
PID 2672 wrote to memory of 2176 2672 Ojceef32.exe 40
PID 2672 wrote to memory of 2176 2672 Ojceef32.exe 40
PID 2672 wrote to memory of 2176 2672 Ojceef32.exe 40
PID 2176 wrote to memory of 1476 2176 Oehicoom.exe 41
PID 2176 wrote to memory of 1476 2176 Oehicoom.exe 41
PID 2176 wrote to memory of 1476 2176 Oehicoom.exe 41
PID 2176 wrote to memory of 1476 2176 Oehicoom.exe 41
PID 1476 wrote to memory of 1912 1476 Pfnoegaf.exe 42
PID 1476 wrote to memory of 1912 1476 Pfnoegaf.exe 42
PID 1476 wrote to memory of 1912 1476 Pfnoegaf.exe 42
PID 1476 wrote to memory of 1912 1476 Pfnoegaf.exe 42
PID 1912 wrote to memory of 560 1912 Pmkdhq32.exe 43
PID 1912 wrote to memory of 560 1912 Pmkdhq32.exe 43
PID 1912 wrote to memory of 560 1912 Pmkdhq32.exe 43
PID 1912 wrote to memory of 560 1912 Pmkdhq32.exe 43
PID 560 wrote to memory of 1616 560 Qnqjkh32.exe 44
PID 560 wrote to memory of 1616 560 Qnqjkh32.exe 44
PID 560 wrote to memory of 1616 560 Qnqjkh32.exe 44
PID 560 wrote to memory of 1616 560 Qnqjkh32.exe 44
PID 1616 wrote to memory of 940 1616 Qjgjpi32.exe 45
PID 1616 wrote to memory of 940 1616 Qjgjpi32.exe 45
PID 1616 wrote to memory of 940 1616 Qjgjpi32.exe 45
PID 1616 wrote to memory of 940 1616 Qjgjpi32.exe 45
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe" (depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656
C:\Windows\SysWOW64\Mgbcfdmo.exe C:\Windows\system32\Mgbcfdmo.exe (depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1832
C:\Windows\SysWOW64\Miclhpjp.exe C:\Windows\system32\Miclhpjp.exe (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756
C:\Windows\SysWOW64\Mldeik32.exe C:\Windows\system32\Mldeik32.exe (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104
C:\Windows\SysWOW64\Mkibjgli.exe C:\Windows\system32\Mkibjgli.exe (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820
C:\Windows\SysWOW64\Ndafcmci.exe C:\Windows\system32\Ndafcmci.exe (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516
C:\Windows\SysWOW64\Npkdnnfk.exe C:\Windows\system32\Npkdnnfk.exe (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
C:\Windows\SysWOW64\Nopaoj32.exe C:\Windows\system32\Nopaoj32.exe (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
C:\Windows\SysWOW64\Njeelc32.exe C:\Windows\system32\Njeelc32.exe (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
C:\Windows\SysWOW64\Oodjjign.exe C:\Windows\system32\Oodjjign.exe (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684
C:\Windows\SysWOW64\Ojceef32.exe C:\Windows\system32\Ojceef32.exe (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672
C:\Windows\SysWOW64\Oehicoom.exe C:\Windows\system32\Oehicoom.exe (depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2176
C:\Windows\SysWOW64\Pfnoegaf.exe C:\Windows\system32\Pfnoegaf.exe (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
C:\Windows\SysWOW64\Pmkdhq32.exe C:\Windows\system32\Pmkdhq32.exe (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
C:\Windows\SysWOW64\Qnqjkh32.exe C:\Windows\system32\Qnqjkh32.exe (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560
C:\Windows\SysWOW64\Qjgjpi32.exe C:\Windows\system32\Qjgjpi32.exe (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616
C:\Windows\SysWOW64\Amhcad32.exe C:\Windows\system32\Amhcad32.exe (depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:940
C:\Windows\SysWOW64\Amjpgdik.exe C:\Windows\system32\Amjpgdik.exe (depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2324
C:\Windows\SysWOW64\Afcdpi32.exe C:\Windows\system32\Afcdpi32.exe (depth 19)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1736
C:\Windows\SysWOW64\Aicmadmm.exe C:\Windows\system32\Aicmadmm.exe (depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:2320
C:\Windows\SysWOW64\Apnfno32.exe C:\Windows\system32\Apnfno32.exe (depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID:1932
C:\Windows\SysWOW64\Aejnfe32.exe C:\Windows\system32\Aejnfe32.exe (depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID:852
C:\Windows\SysWOW64\Beogaenl.exe C:\Windows\system32\Beogaenl.exe (depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2204
C:\Windows\SysWOW64\Beadgdli.exe C:\Windows\system32\Beadgdli.exe (depth 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236
C:\Windows\SysWOW64\Bahelebm.exe C:\Windows\system32\Bahelebm.exe (depth 25)
- Loads dropped DLL
PID:1596
C:\Windows\SysWOW64\Befnbd32.exe C:\Windows\system32\Befnbd32.exe (depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2748
C:\Windows\SysWOW64\Cnabffeo.exe C:\Windows\system32\Cnabffeo.exe (depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID:2664
C:\Windows\SysWOW64\Clilmbhd.exe C:\Windows\system32\Clilmbhd.exe (depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2796
C:\Windows\SysWOW64\Cpgecq32.exe C:\Windows\system32\Cpgecq32.exe (depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2640
C:\Windows\SysWOW64\Cgqmpkfg.exe C:\Windows\system32\Cgqmpkfg.exe (depth 30)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004
C:\Windows\SysWOW64\Coladm32.exe C:\Windows\system32\Coladm32.exe (depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2452
C:\Windows\SysWOW64\Cbjnqh32.exe C:\Windows\system32\Cbjnqh32.exe (depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2008
C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\system32\Dcjjkkji.exe (depth 33)
- Executes dropped EXE
- Loads dropped DLL
PID:2896
C:\Windows\SysWOW64\Dqddmd32.exe C:\Windows\system32\Dqddmd32.exe (depth 34)
- Executes dropped EXE
PID:2716
C:\Windows\SysWOW64\Dbdagg32.exe C:\Windows\system32\Dbdagg32.exe (depth 35)
- Executes dropped EXE
PID:2700
C:\Windows\SysWOW64\Dgqion32.exe C:\Windows\system32\Dgqion32.exe (depth 36)
- Executes dropped EXE
- Drops file in System32 directory
PID:1284
C:\Windows\SysWOW64\Dmmbge32.exe C:\Windows\system32\Dmmbge32.exe (depth 37)
- Executes dropped EXE
PID:2148
C:\Windows\SysWOW64\Ecgjdong.exe C:\Windows\system32\Ecgjdong.exe (depth 38)
- Executes dropped EXE
- Modifies registry class
PID:1972
C:\Windows\SysWOW64\Ejabqi32.exe C:\Windows\system32\Ejabqi32.exe (depth 39)
- Executes dropped EXE
PID:2316
C:\Windows\SysWOW64\Eqkjmcmq.exe C:\Windows\system32\Eqkjmcmq.exe (depth 40)
- Executes dropped EXE
PID:2956
C:\Windows\SysWOW64\Efhcej32.exe C:\Windows\system32\Efhcej32.exe (depth 41)
- Executes dropped EXE
- Drops file in System32 directory
PID:2244
C:\Windows\SysWOW64\Eifobe32.exe C:\Windows\system32\Eifobe32.exe (depth 42)
- Executes dropped EXE
PID:616
C:\Windows\SysWOW64\Eclcon32.exe C:\Windows\system32\Eclcon32.exe (depth 43)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1004
C:\Windows\SysWOW64\Ejfllhao.exe C:\Windows\system32\Ejfllhao.exe (depth 44)
- Executes dropped EXE
PID:2384
C:\Windows\SysWOW64\Ecnpdnho.exe C:\Windows\system32\Ecnpdnho.exe (depth 45)
- Executes dropped EXE
PID:2648
C:\Windows\SysWOW64\Eikimeff.exe C:\Windows\system32\Eikimeff.exe (depth 46)
- Executes dropped EXE
PID:2408
C:\Windows\SysWOW64\Epeajo32.exe C:\Windows\system32\Epeajo32.exe (depth 47)
- Executes dropped EXE
PID:1560
C:\Windows\SysWOW64\Efoifiep.exe C:\Windows\system32\Efoifiep.exe (depth 48)
- Executes dropped EXE
PID:1016
C:\Windows\SysWOW64\Fnjnkkbk.exe C:\Windows\system32\Fnjnkkbk.exe (depth 49)
- Executes dropped EXE
PID:2968
C:\Windows\SysWOW64\Fipbhd32.exe C:\Windows\system32\Fipbhd32.exe (depth 50)
- Executes dropped EXE
PID:2296
C:\Windows\SysWOW64\Fnmjpk32.exe C:\Windows\system32\Fnmjpk32.exe (depth 51)
- Executes dropped EXE
PID:2808
C:\Windows\SysWOW64\Fheoiqgi.exe C:\Windows\system32\Fheoiqgi.exe (depth 52)
- Executes dropped EXE
PID:1252
C:\Windows\SysWOW64\Fmbgageq.exe C:\Windows\system32\Fmbgageq.exe (depth 53)
- Executes dropped EXE
PID:2764
C:\Windows\SysWOW64\Fdlpnamm.exe C:\Windows\system32\Fdlpnamm.exe (depth 54)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2116
C:\Windows\SysWOW64\Fappgflg.exe C:\Windows\system32\Fappgflg.exe (depth 55)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900
C:\Windows\SysWOW64\Ffmipmjn.exe C:\Windows\system32\Ffmipmjn.exe (depth 56)
- Executes dropped EXE
PID:2212
C:\Windows\SysWOW64\Fdqiiaih.exe C:\Windows\system32\Fdqiiaih.exe (depth 57)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2536
C:\Windows\SysWOW64\Gminbfoh.exe C:\Windows\system32\Gminbfoh.exe (depth 58)
- Executes dropped EXE
PID:2016
C:\Windows\SysWOW64\Gbffjmmp.exe C:\Windows\system32\Gbffjmmp.exe (depth 59)
- Executes dropped EXE
PID:2264
C:\Windows\SysWOW64\Gipngg32.exe C:\Windows\system32\Gipngg32.exe (depth 60)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072
C:\Windows\SysWOW64\Gbhcpmkm.exe C:\Windows\system32\Gbhcpmkm.exe (depth 61)
- Executes dropped EXE
PID:1692
C:\Windows\SysWOW64\Gibkmgcj.exe C:\Windows\system32\Gibkmgcj.exe (depth 62)
- Executes dropped EXE
PID:932
C:\Windows\SysWOW64\Gplcia32.exe C:\Windows\system32\Gplcia32.exe (depth 63)
- Executes dropped EXE
PID:2312
C:\Windows\SysWOW64\Glbdnbpk.exe C:\Windows\system32\Glbdnbpk.exe (depth 64)
- Executes dropped EXE
PID:840
C:\Windows\SysWOW64\Ghidcceo.exe C:\Windows\system32\Ghidcceo.exe (depth 65)
- Executes dropped EXE
PID:1044
C:\Windows\SysWOW64\Hmfmkjdf.exe C:\Windows\system32\Hmfmkjdf.exe (depth 66)
- Executes dropped EXE
PID:752
C:\Windows\SysWOW64\Hgoadp32.exe C:\Windows\system32\Hgoadp32.exe (depth 67)
PID:2216
C:\Windows\SysWOW64\Hdbbnd32.exe C:\Windows\system32\Hdbbnd32.exe (depth 68)
PID:916
C:\Windows\SysWOW64\Hnkffi32.exe C:\Windows\system32\Hnkffi32.exe (depth 69)
PID:3060
C:\Windows\SysWOW64\Hibgkjee.exe C:\Windows\system32\Hibgkjee.exe (depth 70)
PID:2576
C:\Windows\SysWOW64\Hcjldp32.exe C:\Windows\system32\Hcjldp32.exe (depth 71)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908
C:\Windows\SysWOW64\Hjddaj32.exe C:\Windows\system32\Hjddaj32.exe (depth 72)
- Modifies registry class
PID:2572
C:\Windows\SysWOW64\Hekefkig.exe C:\Windows\system32\Hekefkig.exe (depth 73)
- Modifies registry class
PID:2848
C:\Windows\SysWOW64\Ilemce32.exe C:\Windows\system32\Ilemce32.exe (depth 74)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588
C:\Windows\SysWOW64\Iaaekl32.exe C:\Windows\system32\Iaaekl32.exe (depth 75)
- Modifies registry class
PID:2512
C:\Windows\SysWOW64\Ilgjhena.exe C:\Windows\system32\Ilgjhena.exe (depth 76)
PID:1336
C:\Windows\SysWOW64\Ilifndlo.exe C:\Windows\system32\Ilifndlo.exe (depth 77)
PID:2528
C:\Windows\SysWOW64\Ifbkgj32.exe C:\Windows\system32\Ifbkgj32.exe (depth 78)
PID:3020
C:\Windows\SysWOW64\Iqllghon.exe C:\Windows\system32\Iqllghon.exe (depth 79)
PID:464
C:\Windows\SysWOW64\Ikapdqoc.exe C:\Windows\system32\Ikapdqoc.exe (depth 80)
PID:1672
C:\Windows\SysWOW64\Jghqia32.exe C:\Windows\system32\Jghqia32.exe (depth 81)
PID:2292
C:\Windows\SysWOW64\Jnbifl32.exe C:\Windows\system32\Jnbifl32.exe (depth 82)
PID:1804
C:\Windows\SysWOW64\Jqbbhg32.exe C:\Windows\system32\Jqbbhg32.exe (depth 83)
PID:2168
C:\Windows\SysWOW64\Jfojpn32.exe C:\Windows\system32\Jfojpn32.exe (depth 84)
PID:1772
C:\Windows\SysWOW64\Jfagemej.exe C:\Windows\system32\Jfagemej.exe (depth 85)
- System Location Discovery: System Language Discovery
PID:1660
C:\Windows\SysWOW64\Jmlobg32.exe C:\Windows\system32\Jmlobg32.exe (depth 86)
PID:736
C:\Windows\SysWOW64\Jfddkmch.exe C:\Windows\system32\Jfddkmch.exe (depth 87)
PID:2100
C:\Windows\SysWOW64\Kkalcdao.exe C:\Windows\system32\Kkalcdao.exe (depth 88)
PID:664
C:\Windows\SysWOW64\Kghmhegc.exe C:\Windows\system32\Kghmhegc.exe (depth 89)
- Modifies registry class
PID:2608
C:\Windows\SysWOW64\Knaeeo32.exe C:\Windows\system32\Knaeeo32.exe (depth 90)
PID:2724
C:\Windows\SysWOW64\Kgjjndeq.exe C:\Windows\system32\Kgjjndeq.exe (depth 91)
PID:2920
C:\Windows\SysWOW64\Kbpnkm32.exe C:\Windows\system32\Kbpnkm32.exe (depth 92)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2632
C:\Windows\SysWOW64\Kaekljjo.exe C:\Windows\system32\Kaekljjo.exe (depth 93)
PID:2828
C:\Windows\SysWOW64\Kjmoeo32.exe C:\Windows\system32\Kjmoeo32.exe (depth 94)
PID:928
C:\Windows\SysWOW64\Lfdpjp32.exe C:\Windows\system32\Lfdpjp32.exe (depth 95)
PID:2676
C:\Windows\SysWOW64\Lmnhgjmp.exe C:\Windows\system32\Lmnhgjmp.exe (depth 96)
PID:1456
C:\Windows\SysWOW64\Ljbipolj.exe C:\Windows\system32\Ljbipolj.exe (depth 97)
PID:1424
C:\Windows\SysWOW64\Llcehg32.exe C:\Windows\system32\Llcehg32.exe (depth 98)
PID:2024
C:\Windows\SysWOW64\Ligfakaa.exe C:\Windows\system32\Ligfakaa.exe (depth 99)
- Drops file in System32 directory
PID:1320
C:\Windows\SysWOW64\Lpanne32.exe C:\Windows\system32\Lpanne32.exe (depth 100)
PID:820
C:\Windows\SysWOW64\Llhocfnb.exe C:\Windows\system32\Llhocfnb.exe (depth 101)
PID:1964
C:\Windows\SysWOW64\Lepclldc.exe C:\Windows\system32\Lepclldc.exe (depth 102)
- Modifies registry class
PID:2044
C:\Windows\SysWOW64\Mpcgbhig.exe C:\Windows\system32\Mpcgbhig.exe (depth 103)
PID:1136
C:\Windows\SysWOW64\Nljhhi32.exe C:\Windows\system32\Nljhhi32.exe (depth 104)
PID:1460
C:\Windows\SysWOW64\Nhcebj32.exe C:\Windows\system32\Nhcebj32.exe (depth 105)
PID:2936
C:\Windows\SysWOW64\Nchipb32.exe C:\Windows\system32\Nchipb32.exe (depth 106)
PID:892
C:\Windows\SysWOW64\Ndjfgkha.exe C:\Windows\system32\Ndjfgkha.exe (depth 107)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084
C:\Windows\SysWOW64\Noojdc32.exe C:\Windows\system32\Noojdc32.exe (depth 108)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268
C:\Windows\SysWOW64\Ngjoif32.exe C:\Windows\system32\Ngjoif32.exe (depth 109)
PID:2364
C:\Windows\SysWOW64\Ohjkcile.exe C:\Windows\system32\Ohjkcile.exe (depth 110)
PID:604
C:\Windows\SysWOW64\Okhgod32.exe C:\Windows\system32\Okhgod32.exe (depth 111)
PID:2192
C:\Windows\SysWOW64\Odqlhjbi.exe C:\Windows\system32\Odqlhjbi.exe (depth 112)
PID:1484
C:\Windows\SysWOW64\Ojndpqpq.exe C:\Windows\system32\Ojndpqpq.exe (depth 113)
PID:2788
C:\Windows\SysWOW64\Ocfiif32.exe C:\Windows\system32\Ocfiif32.exe (depth 114)
PID:2552
C:\Windows\SysWOW64\Onkmfofg.exe C:\Windows\system32\Onkmfofg.exe (depth 115)
PID:2392
C:\Windows\SysWOW64\Ogdaod32.exe C:\Windows\system32\Ogdaod32.exe (depth 116)
PID:2304
C:\Windows\SysWOW64\Ockbdebl.exe C:\Windows\system32\Ockbdebl.exe (depth 117)
PID:2924
C:\Windows\SysWOW64\Ojdjqp32.exe C:\Windows\system32\Ojdjqp32.exe (depth 118)
- System Location Discovery: System Language Discovery
PID:1748
C:\Windows\SysWOW64\Pcmoie32.exe C:\Windows\system32\Pcmoie32.exe (depth 119)
PID:1708
C:\Windows\SysWOW64\Pmecbkgj.exe C:\Windows\system32\Pmecbkgj.exe (depth 120)
PID:2144
C:\Windows\SysWOW64\Pnfpjc32.exe C:\Windows\system32\Pnfpjc32.exe (depth 121)
PID:2708
C:\Windows\SysWOW64\Pkjqcg32.exe C:\Windows\system32\Pkjqcg32.exe (depth 122)
PID:2076