Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 94s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/09/2024, 16:07
Static task: static1
Behavioral task: behavioral1
Sample: Trojan.Win32.Cerber.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: Trojan.Win32.Cerber.exe
Resource: win10v2004-20240910-en
General
Target: Trojan.Win32.Cerber.exe
Size: 94KB
MD5: 253ac30243b554105815a1e1e2ac3d60
SHA1: 58df3274b461dfc7c77efdbc79ba610a9af1c8a2
SHA256: 485713e5274cb1115e7d39a9383c657ff4a35ade034c994d140466abf860e83c
SHA512: cb33522fe8a9821dd93707be2b4129a44d6af044b092b9f9f698c917c531463a42287dc75c520d65ac257836f0ddc1fe385c3565492e24ed3bdaa3d5f1161a11
SSDEEP: 1536:iltS35lxnjY7LfHQjb/fw56hqIy5m2LMaIZTJ+7LhkiB0MPiKeEAgv:Is5lxnjUoX/456hqIGMaMU7uihJ5v
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4828, pid_target: 224, Process: WerFault.exe, procid_target: 155
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target

Each parent-to-child spawn is recorded as three consecutive WriteProcessMemory entries; the listing stops at 64 entries, so the last spawn below appears only once. Collapsed to one row per spawn:

  pid    wrote to memory of   Process                    procid_target
  4960   5096                 Trojan.Win32.Cerber.exe    86
  5096   2728                 Infhebbh.exe               87
  2728   2152                 Ieqpbm32.exe               88
  2152   3324                 Iccpniqp.exe               89
  3324   4472                 Ilkhog32.exe               91
  4472   2164                 Inidkb32.exe               92
  2164   3784                 Iagqgn32.exe               93
  3784   3092                 Iecmhlhb.exe               94
  3092   4836                 Ihaidhgf.exe               95
  4836   3560                 Ijpepcfj.exe               96
  3560   5092                 Iajmmm32.exe               97
  5092   3972                 Ihceigec.exe               98
  3972   416                  Ijbbfc32.exe               99
  416    5116                 Jbijgp32.exe               100
  5116   1360                 Jdjfohjg.exe               101
  1360   1588                 Jjdokb32.exe               102
  1588   2920                 Jblflp32.exe               103
  2920   2896                 Jejbhk32.exe               104
  2896   4056                 Jhhodg32.exe               105
  4056   4904                 Jjgkab32.exe               106
  4904   2456                 Jaqcnl32.exe               107
  2456   4292                 Jlfhke32.exe               108
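The registry signatures above describe a single persistence chain: the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and each module rewrites that CLSID's InProcServer32 default value to the DLL it has just dropped in SysWow64, so Explorer loads that DLL at logon. The script below is an added example, not part of the tria.ge report or of the sample: it parses a few of the report's own event lines (copied verbatim; the report runs them together on one line), resolves SSODL name -> CLSID -> DLL, and flags a CLSID whose InProcServer32 was re-pointed or whose DLL is not on an allowlist. On a Windows host it reads both registry views with winreg instead of the report text. The known_good allowlist, the collect_live helper and the reason strings are assumptions for illustration.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence: an SSODL value
names a CLSID, and that CLSID's InProcServer32 names the DLL explorer.exe
loads at logon. Added example, not part of the tria.ge report. REPORT_LINES
are copied from the report's registry signatures (run together there);
known_good and collect_live() are illustrative assumptions."""
import re
import sys
from collections import defaultdict

REPORT_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkbkmqed.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iecmhlhb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll" Kongmo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kejloi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll" Kdkoef32.exe
"""

SET_RE = re.compile(r'^Set value \(\w+\) (.+?) = "(.*)" (\S+)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SSODL_KEY = "\\ShellServiceObjectDelayLoad\\"


def parse_report(text):
    """Return (ssodl, inproc, writers): SSODL value name -> CLSID; CLSID ->
    DLLs written to its InProcServer32 default value, in report order; and
    DLL -> writing process. 'Key created' lines carry no data and are skipped."""
    ssodl, inproc, writers = {}, defaultdict(list), {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        path, value, proc = m.groups()
        value = value.replace("\\\\", "\\")  # the report escapes backslashes in data
        if SSODL_KEY in path:
            ssodl[path.rsplit("\\", 1)[1]] = value.upper()
        elif path.endswith("\\InProcServer32\\"):  # trailing backslash = default value
            clsid = CLSID_RE.search(path).group(0).upper()
            inproc[clsid].append(value)
            writers[value] = proc
    return ssodl, dict(inproc), writers


def resolve(ssodl, inproc, known_good=frozenset()):
    """Walk SSODL name -> CLSID -> DLL(s) and list why each entry deserves a
    look. known_good: assumed allowlist of lower-cased DLL basenames."""
    findings = []
    for name, clsid in ssodl.items():
        dlls = inproc.get(clsid, [])
        distinct = sorted(set(dlls))
        reasons = []
        if not dlls:
            reasons.append("CLSID has no InProcServer32 (dangling SSODL entry)")
        if len(distinct) > 1:
            reasons.append("InProcServer32 repointed %d times" % len(distinct))
        reasons += ["unlisted DLL " + d for d in distinct
                    if d.rsplit("\\", 1)[-1].lower() not in known_good]
        findings.append({"value": name, "clsid": clsid, "dlls": dlls, "reasons": reasons})
    return findings


def collect_live():
    """Windows only (assumed helper): read SSODL and each CLSID's InProcServer32
    from both registry views, so WOW6432Node entries written by a 32-bit
    dropper are not missed. Returns (ssodl, inproc) shaped like parse_report's."""
    import winreg
    ssodl, inproc = {}, defaultdict(list)
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
                                 0, winreg.KEY_READ | view)
        except OSError:
            continue
        idx = 0
        while True:
            try:
                name, clsid, _ = winreg.EnumValue(key, idx)
            except OSError:
                break  # no more values in this view
            idx += 1
            clsid = str(clsid).upper()
            ssodl[name] = clsid
            try:
                srv = winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"CLSID\%s\InProcServer32" % clsid,
                                     0, winreg.KEY_READ | view)
                inproc[clsid].append(str(winreg.QueryValueEx(srv, "")[0]))
            except OSError:
                pass  # dangling CLSID; resolve() reports it
    return ssodl, dict(inproc)


if __name__ == "__main__":
    if sys.platform == "win32":
        ssodl, inproc = collect_live()
    else:
        ssodl, inproc, _ = parse_report(REPORT_LINES)
    for f in resolve(ssodl, inproc):
        print("%s -> %s -> %s" % (f["value"], f["clsid"], f["dlls"] or "(none)"))
        for r in f["reasons"]:
            print("    !", r)
```

Off Windows the script runs over the embedded report lines and prints the one SSODL value with the two DLLs those lines show. When hunting on a live host, read both views: a 32-bit dropper's HKLM\SOFTWARE writes land under WOW6432Node, which a 64-bit-only enumeration never sees.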
Processes
Depth in brackets; each process is the child of the one listed above it. Every dropped module is launched with the command line C:\Windows\system32\<name>.exe and runs from C:\Windows\SysWOW64\<name>.exe, because WoW64 file-system redirection maps a 32-bit process's system32 path to SysWOW64. The chain is 70 modules deep and ends when the last one, Ldikgdpe.exe (PID 224), crashes and is handled by WerFault.exe.
[1] C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe (PID 4960), cmd "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"
    Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Infhebbh.exe (PID 5096)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Ieqpbm32.exe (PID 2728)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Iccpniqp.exe (PID 2152)
    Executes dropped EXE; Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Ilkhog32.exe (PID 3324)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Inidkb32.exe (PID 4472)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Iagqgn32.exe (PID 2164)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Iecmhlhb.exe (PID 3784)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Ihaidhgf.exe (PID 3092)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Ijpepcfj.exe (PID 4836)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Iajmmm32.exe (PID 3560)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Ihceigec.exe (PID 5092)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Ijbbfc32.exe (PID 3972)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Jbijgp32.exe (PID 416)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Jdjfohjg.exe (PID 5116)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Jjdokb32.exe (PID 1360)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Jblflp32.exe (PID 1588)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Jejbhk32.exe (PID 2920)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Jhhodg32.exe (PID 2896)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Jjgkab32.exe (PID 4056)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Jaqcnl32.exe (PID 4904)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Jlfhke32.exe (PID 2456)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Jbppgona.exe (PID 4292)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
[24] C:\Windows\SysWOW64\Jeolckne.exe (PID 3348)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[25] C:\Windows\SysWOW64\Jdalog32.exe (PID 3120)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[26] C:\Windows\SysWOW64\Jlidpe32.exe (PID 4744)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[27] C:\Windows\SysWOW64\Jbbmmo32.exe (PID 4812)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[28] C:\Windows\SysWOW64\Jeaiij32.exe (PID 4272)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[29] C:\Windows\SysWOW64\Jlkafdco.exe (PID 3356)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[30] C:\Windows\SysWOW64\Koimbpbc.exe (PID 2144)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[31] C:\Windows\SysWOW64\Kahinkaf.exe (PID 2988)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[32] C:\Windows\SysWOW64\Keceoj32.exe (PID 1916)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[33] C:\Windows\SysWOW64\Kdffjgpj.exe (PID 1780)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[34] C:\Windows\SysWOW64\Klmnkdal.exe (PID 464)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[35] C:\Windows\SysWOW64\Koljgppp.exe (PID 1472)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
[36] C:\Windows\SysWOW64\Kbgfhnhi.exe (PID 4184)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[37] C:\Windows\SysWOW64\Kefbdjgm.exe (PID 2292)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[38] C:\Windows\SysWOW64\Khdoqefq.exe (PID 3244)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[39] C:\Windows\SysWOW64\Klpjad32.exe (PID 5016)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[40] C:\Windows\SysWOW64\Kkbkmqed.exe (PID 3772)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[41] C:\Windows\SysWOW64\Kongmo32.exe (PID 3400)
    Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[42] C:\Windows\SysWOW64\Kalcik32.exe (PID 2952)
    Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[43] C:\Windows\SysWOW64\Kehojiej.exe (PID 4324)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
[44] C:\Windows\SysWOW64\Kdkoef32.exe (PID 2332)
    Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[45] C:\Windows\SysWOW64\Klbgfc32.exe (PID 4120)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[46] C:\Windows\SysWOW64\Kkegbpca.exe (PID 1068)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[47] C:\Windows\SysWOW64\Kblpcndd.exe (PID 4776)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[48] C:\Windows\SysWOW64\Kejloi32.exe (PID 4076)
    Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[49] C:\Windows\SysWOW64\Khihld32.exe (PID 4624)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
[50] C:\Windows\SysWOW64\Kbnlim32.exe (PID 4132)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[51] C:\Windows\SysWOW64\Kaaldjil.exe (PID 3896)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[52] C:\Windows\SysWOW64\Kemhei32.exe (PID 3724)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[53] C:\Windows\SysWOW64\Klgqabib.exe (PID 2540)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[54] C:\Windows\SysWOW64\Loemnnhe.exe (PID 2032)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[55] C:\Windows\SysWOW64\Lbqinm32.exe (PID 3044)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[56] C:\Windows\SysWOW64\Lacijjgi.exe (PID 180)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[57] C:\Windows\SysWOW64\Ldbefe32.exe (PID 4552)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[58] C:\Windows\SysWOW64\Llimgb32.exe (PID 3372)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[59] C:\Windows\SysWOW64\Logicn32.exe (PID 3580)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
[60] C:\Windows\SysWOW64\Lbcedmnl.exe (PID 2652)
    Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[61] C:\Windows\SysWOW64\Leabphmp.exe (PID 2012)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[62] C:\Windows\SysWOW64\Lknjhokg.exe (PID 5024)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[63] C:\Windows\SysWOW64\Lbebilli.exe (PID 4804)
    Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[64] C:\Windows\SysWOW64\Ledoegkm.exe (PID 4352)
    Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[65] C:\Windows\SysWOW64\Ldfoad32.exe (PID 2892)
    Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[66] C:\Windows\SysWOW64\Llngbabj.exe (PID 228)
    Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[67] C:\Windows\SysWOW64\Lkqgno32.exe (PID 3744)
    Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[68] C:\Windows\SysWOW64\Lbhool32.exe (PID 916)
    Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
[69] C:\Windows\SysWOW64\Lefkkg32.exe (PID 2692)
    Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
[70] C:\Windows\SysWOW64\Ldikgdpe.exe (PID 224)
    System Location Discovery: System Language Discovery
[71] C:\Windows\SysWOW64\WerFault.exe (PID 4828), cmd C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 4127
    Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3884), cmd C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 224 -ip 224
    Second, top-level WerFault.exe instance for the same crashing process (PID 224)
Network
MITRE ATT&CK Enterprise v15
Downloads
36 dropped files, each 94KB (the size of the submitted sample); every hash is distinct, so no two copies are byte-identical. The report does not map these hashes to the module names in the process tree.

1. Filesize: 94KB
   MD5:    14eff6c3dd22bfdccb2fa1ccd71a32e7
   SHA1:   22d496ab9b8267766b7f2319aadf0c77b6683fda
   SHA256: c7b6fd9cc608d54ee186496657c729c873aad2b7ce9544ed5957cfd585c4fd26
   SHA512: c913eb778043d46a757e858931b5ede859071ebe435886a0bb314f7bcb25f8f150163ff6b8673a200e926d7353ffce7fec197361fa2f5e88eb3048290e8e8d91

2. Filesize: 94KB
   MD5:    ed86e40d9b62ea75f47fe35008a06927
   SHA1:   377c564a589fb1a80c9fc11a638f5d4054aa8081
   SHA256: ad609a3dcf9f88d584ae7ebb18ce43611b723101dd4c0be26e140abb1bb4fb79
   SHA512: 196f01c9b1bf5137498d1875e0fa05ba4f791438d6b779e8b5e3147979653fc9413a658e4b3f9879aa85d3a998472df534b95bc621e3f773b8a4564659143a78

3. Filesize: 94KB
   MD5:    4f209914be96be794bcfd81f993d482c
   SHA1:   36f905dd6570afcf71af0fecde3940073a9e2d0a
   SHA256: 16e71c4ccbf86e81902cec89f31f4e656653a87ede1ffed8cec5485b1a3225aa
   SHA512: cac3d0d4fba52e7a549dc49f55b46afd1709d164ec9eb3c6aa73332ce981e4a1a9cd488f6d4135bf71cbe048e2820b3cdf02afe657f0daf566c38d0d378b7d07

4. Filesize: 94KB
   MD5:    17f3844ad7b5c59a8f356a5fe14f0e78
   SHA1:   0a11b1c2182f4309993e2feede088f2ec6b03d9d
   SHA256: 80e4a12dfe6a8304d438a58ef335585dd4441b4fbf4245036452d5a035e38f25
   SHA512: afad5bba90520f9676d6b5591cbea317a81112611deeb67b958b0f9f54a9648827d53ac5e7cc93d09268b055a0ac7db16ad44fd341087fdbc28f99e73dc38955

5. Filesize: 94KB
   MD5:    bd56695e44b00e410935432a28681d64
   SHA1:   ab59e9884a3b02f4e30a52df8367d7bd3591e976
   SHA256: 8d6cbab201fa414b1b8560d149fe577c39ec8ce024500e0f91b0c3d5bd64bfa4
   SHA512: d44ebf55bf0620e5058ec6686a4bb1cb7407187571953fe53a3cfa46e39196a928304fdde3f5dbaa09b4b0728938ce124bdaaecf44ca9b6f18a8c41f39cb3b12

6. Filesize: 94KB
   MD5:    f4bfb44615b9e4d3a7d0c5d52eb24bff
   SHA1:   c7c08c2f1adfea4661e7cf7a31968782d7395c30
   SHA256: 6c45869197038fd01e7f9b5ca9b492a2d72c036bac848d949efb053916d9eb1f
   SHA512: 0b0485f17c6ad1561e5d41053df3f3aeaa788f6e563b704e7e0acb4ac7e0d8b89a38cb6e698a7f74c935e74105350d136601327efc625501a06df09b790b51e1

7. Filesize: 94KB
   MD5:    605b26d197fd160769990af29bd6204d
   SHA1:   b5098dc2334ded8c9ce17339f451a9e98f38ece5
   SHA256: 0fa71f01445429d4178b496d267214b6448302f420a078cad889d738bfe68715
   SHA512: b43c1e49aa9715b889d5f6163075a312b75e47ae6728e1ad47d50e100d4a32663d64333703aa50bdc6fef1cac804967a39e21168a04a10df22188d58dea42166

8. Filesize: 94KB
   MD5:    e63b52723d9b097333e6652c1558ad00
   SHA1:   d36f079fb9c87cdc72821fa4466e78ae62b41e66
   SHA256: 1573ba1f6df7a42a0fd02e5a41a89350acc08dce72bfddb8b416d3cad51f1162
   SHA512: cf2120e0aaeabc3ad46f13110b151320a886d8bd991f04a0e47708b72b75c04db9025d1c3af22f5bb4eb504165b570e29513e18808ee4d7ca61c03ae9dee2b1f

9. Filesize: 94KB
   MD5:    b5177abdcea3de2f7f2e9797c59f64e4
   SHA1:   b2c368e30edae7877f58ee764d4c0a3a908ad1c2
   SHA256: eb8ebe0b32920e9af642b9f29069edf8504b8baf8d471d2f8f77c5b53c3ed777
   SHA512: 9f7e2a3a4ef6fff27b1c10a4116256f34d91c721f21861675149ea206fca417ae8112c3194f25fd454fb033c893aae784b82c6b9d5d5266a294a1bdf845ef8ff

10. Filesize: 94KB
   MD5:    c57b0a6a994298dce1ef9ae29212734b
   SHA1:   8b1c7b3bd16b57a23c89217d3f6c773112ece7d1
   SHA256: 2c0ab85a5f11d34e4aeea3f31cf493a10de561d57a20bed6d3b7903b0874f966
   SHA512: a6ce7de06f1e9f6cde6d4abca0511efde07a92d1f200d976b42ea6fa843f2c1f62587cbb726ec4fa975bb28f3ae1d0ed6ebe9c4ae687f8cc7d85914091201035

11. Filesize: 94KB
   MD5:    b26167dbf1054821de3351bb744f6260
   SHA1:   9e1e680013db829e6c0daf2fc58b70901567e580
   SHA256: 07363bdc9dcdceb4b704cb6e4072f44c5378aab90854259136146a33a5e59577
   SHA512: fb0a3714fb2ec5a0f7e90f1b1079f45ba7cae6a8172a04dccc17a51e862be66ee6b90f4cdb8ff7c951e2b05de35a5f9bc649883a32e6ba107a6841b35c51081a

12. Filesize: 94KB
   MD5:    47f49b67fa58797f15f2d8b3b45cb1ec
   SHA1:   3cc5795e4b558a1bab0716ee9c4a2736c86e97ec
   SHA256: a9a199b196462d46634ab3197006859b79bc86a824d92200be988c6b120e2ee5
   SHA512: 150c7a9d851b050a1002377730c17434a0c7d22127aa1d7903b2b0169f2701edcd85f9acecc65dcd2e1242175d62da1cef025bb2aebff884abe4b25c451f7005

13. Filesize: 94KB
   MD5:    5aad64e61851e9f4578ae4694592957e
   SHA1:   a930370b1ef4d8938f90b89a1af2163c71ba3f12
   SHA256: aa08e761d60dd05d66cde8c48156c8669103792f0262d761570d7828f138c12e
   SHA512: b8bacf700c6b6b1a261fff8af955e6fb9943385c39d526910be4041b70dccc45a2c8460353f592b7186cef41f9e511030903cec44dfb70c083f22f7e4eeb42bd

14. Filesize: 94KB
   MD5:    221b9de3a19984c23f62c32234bfc7c4
   SHA1:   79ae6c585fc398801ba6d8fbd3f7694a817bdf24
   SHA256: a2cb204f168f46e9afe19c04d025735da6f14d68c01f185db50010ba86470e0b
   SHA512: 80b54bfd27b38923bcb698155efce6860830fa0efc320068b9bb80eef8859c6ba55974043fda9b996d9f5894a4dade02862c47c23c879e900c07259edd38ae8e

15. Filesize: 94KB
   MD5:    9a36b5af5126b85cfacfa2cdeb8bc669
   SHA1:   6c911eb6b4ce1c644440570c7e812f6bdc6387b9
   SHA256: 318e6951d049aca7c58720124c92b2eae01a2afbeee916048ab92c3c5eac636d
   SHA512: 082bc4b27ca6a013b373611ea156940fcae1ef2a394550d9b75f08b171efa04b7401c5a5bfb2a181e3b986e55393de5345f7e4bfa1a18544c6aadb39851e8358

16. Filesize: 94KB
   MD5:    5ce2ad78711830e03ec9342d29602ecd
   SHA1:   cff380fbb808b2864a78441d29b7016185ff5351
   SHA256: 36724fbc4c33f20fae62efa7667d962f95e2a5175e7dc2df1a01ed2e093ab8f1
   SHA512: 4327e3d989e679bbcef9e4ba087b9fe488e8ed1cacb3b6ff3f222f6d3a9c18d40c214bdab4e962d9e0f8516c1b8387f8ab92f292ce9e1ba6949b94ade752ace0

17. Filesize: 94KB
   MD5:    43ebb320708b4efe4a702780d607acc5
   SHA1:   57533132390f3135de84480ca641ec706d0f4c9a
   SHA256: fc272629982cde137e51a4628f0f685f4200e413cba19baa7692a30c98b9adc5
   SHA512: 8c452e27ddb19fbdb5eac3b466e713c407f6b7d89bc0cb11a88702b413f753a82998ad48aee5e50f9ba91a81f48b5d8e838f6fed772b6739a9876da725a93e97

18. Filesize: 94KB
   MD5:    7a1600023936a6c69acbf2e9e478d749
   SHA1:   f965018646546abf99204863f19c34f6bbe5b7ac
   SHA256: 5a557d328aa94dfa4ce5fa2d494bf6a8b0b7a6dd9b213fd75632aadc5136dd11
   SHA512: 0906a9da86ff6ec793be3c12270026863c1d65b302116e12ae62b5f4b9377eccf63720ad25a70ceb79caaa3344d0223e81fbbdfedb14de286dff138a190b2628

19. Filesize: 94KB
   MD5:    46facdec91f6a9135d6d04eb9469bf23
   SHA1:   612951d260c52f815bcd9c35c67acdfe49990b83
   SHA256: 1bcb31b0b36fd74448ca008cf0b71e68920a9214862e00c8ae860130995bb3c0
   SHA512: cf440aa8678d31bc73d0618c6a57d5fcf2c55f7a8dd8e1bc62e5ecbdbdb9df4c4a5fd78ce516e5f436116531fe5cafb918b262b3e5fd67d6aad59e36d7a46cbb

20. Filesize: 94KB
   MD5:    085204cef44e5d108217d83dcedbdb5a
   SHA1:   f8ab7b84297a981c0dd1bdb27704cc6b0c01ab75
   SHA256: 53303575b1d91f196e2b65d6899b208754250ed5ab5c67bb7e19f3d8931ccb60
   SHA512: b07a2d8338dfbcabe129672a110682ce76d7b649dd5c451ce70b691d94b822ddc43895b07400e6c5fce5f66f8f3b131717ad553b7273698190f11861423dbf2e

21. Filesize: 94KB
   MD5:    d04056aaa27a6d37385e8540de6e1fcd
   SHA1:   68165690f53943b407f567b423870cc18ed2cbf0
   SHA256: 00b5fcf09b68212bac0e472a70eee6d4d01b8e75927d39173508039327cd6a58
   SHA512: 1985c0e01cbf721d2360fb81e5c29458aaa5d39db8faa002c7855f133ea1279e9fa2883d58c8b039505a615608daa2af5324c01e9ef19d99113f63ef29e7f524

22. Filesize: 94KB
   MD5:    26039a21c29b2a2eaf8535af2c06ec36
   SHA1:   71fd6195c5d728dac2a54773aeace478e0aeafa0
   SHA256: 9d8dbb18aadf6fd230548985df730e2b7b319210f88e4282f34d136c4073811f
   SHA512: af23d2e8a7c57c211ee272e26eddbfff97d2c9d334d8abdbdb9fffd2e6c0e23a9c1a01c211578f2e5a83f5215dd109b220b13457b51b09f13a9f793034a81d9d

23. Filesize: 94KB
   MD5:    36665bf52739f86818b224cfd04177e8
   SHA1:   bbf6c9953b389a7551ba7ea7b9d95ec90fbe61e6
   SHA256: a753f7fc0d498cff3f3b4dfd1d87116a41eb29c53bb4b44e67b3afaad9683737
   SHA512: e08a2162613c05660ac6ec27c02b816fc87e3c3322a01dbd8e8544415fb4c334bf2fef580660bd64ee7df5df56a413745ae6deb1f88e6fefeb9eede8b3c151b1

24. Filesize: 94KB
   MD5:    ee17c7c1afb87f6ed6e5a42061663a0d
   SHA1:   f577c33bfdc35860be1aacf6988b9208550eb833
   SHA256: 75b2a5eade837cda8808652b5dfeaf20b9a0f1895dad29d35648b4fc42546233
   SHA512: dea80affe34519d5ea1b3d68988abdd993e08a27fb9cbe26f7b5a60359e4cdf635ab188114bf2ee0857bd2a14210a27c2bdc4a593d6dffeed8f8ae392b2fc80d

25. Filesize: 94KB
   MD5:    7cdc94490500e9fc25e73e85dc6bbcb7
   SHA1:   32d4df4b839e792b8d5ff6c597adc811c1b39b77
   SHA256: 862d0c39b93d05046188f1c0bc0f8f250da300394c22fcdacbcd981ad461be3a
   SHA512: 3d669152f9dff780ff263a65aa617aaf10e8aeb44f2431ac7f44f134cb3ecf8694e2b9d0c4230de2b371ccce521dcfe60f02eb04727c4d7ef39f834c49bfd008

26. Filesize: 94KB
   MD5:    e69a6e0a9e2583ad9e046a1b6104b6a2
   SHA1:   5f84eb244809c68ea0ff92d86d7ca2d2413bbb02
   SHA256: 6b8f394b7f172dbfa38ba33939e75888bb001067b04a149768cd179828c68c8a
   SHA512: 7ec1b77d763c189e55310d2bca46c41085fea6e5d44cf7b1615877ccdca6d8e4e8a5907495aa727f56f0df6ef4c4fb376db234795a93fda1bb27d706bb2db765

27. Filesize: 94KB
   MD5:    7b0840ffe4fdc59a63206bb0eb1cdbe5
   SHA1:   47a8773293970f9a47643e3323778cfebffbfd2a
   SHA256: c8ca74d90f7781c8c21800a1b40bbb7dfed8f8c55642091403ecc7cb4444e26e
   SHA512: 4d374507169550d50612bdddac56124c1c4924646b27b973c3a2bf95cd204cbedf1a05ea5603e1c19a43e65054f57eb13335e4f206bcfabc5f663472777109ba

28. Filesize: 94KB
   MD5:    3ac5a555c7135e5ee84ff03f03037149
   SHA1:   a2996ac44f6c4a74769340239f12b17eaad3e5e8
   SHA256: 389db1b13f41e9d3c942cab577cf0d06ba0859637301dbf8c497ff1cab4cf62c
   SHA512: 55127206042a858620fc9129ca82a0e1487288aff3135e3e59de543add1c7509258fa56f63e1ffc76f306e83d456e0c7d8c1fa3fe24f70f48398841c4e03eae9

29. Filesize: 94KB
   MD5:    26da085ecd38d868c197954ace8f919c
   SHA1:   de1059c66e846e9daba2bf96de29c0e84cd1ddc2
   SHA256: 7d32f1c615fc2cd30d6353dc675e4299ad775983d4fdb8cadc8d5984fd0556a5
   SHA512: ce0fab9c9b89bbcd15af3dfaa5b8bfe4d705df9ce6513edde77d86dfcf55479245f49593d35e5a414fede4876c754a52ce496a42e37f1e7e5f9be3abce99fe3e

30. Filesize: 94KB
   MD5:    6c14e1060db523a17cb7e8785c76bf75
   SHA1:   2416b9d9669914be29b175be7ebb0ecf3fbea076
   SHA256: 854a576826eae9665f91fdca86a964e9c492c4f16e122b2e99fd8c231dd97dbb
   SHA512: b16379fa3f09dfbe6f8a6728a69ab115b0b4920f6cf899cbc3017a504142f7e6be50aa5157d5323c65f0148a05b16a758ab8db778091c439a938156ed5ce9861

31. Filesize: 94KB
   MD5:    e6245bf93ba74b0d3d48d3e67632bf88
   SHA1:   97959fc4483819753baa6ff2990de03be5af392d
   SHA256: 403fa7ccf38f502796cf635334fba0dc7665f3566ccedab1a57854caf5ce6618
   SHA512: 4152f67d42509231c5e42da2f4eb1c5684f5782ea8d78b82b910c80e24cd786ac4a69ca96b32e52222f3b17e8ce4532adf5117b847212495595c576aabab54ff

32. Filesize: 94KB
   MD5:    f8a234feac24dd213cf00fc6a118d166
   SHA1:   3f1dc3f0ad0072ca3f688b7a4e40dea32d0e6c04
   SHA256: ccc290580fb59a61a11cd6026ef36cb621228e9ced801a41eb75817746e3bc27
   SHA512: 8167490fd3994999b87852b6cd3b3d3299f2f538f5c90ef26ebf34978fac0f50f1f38841892e7d0365cd790af2a7031b6ae0cf6604f413de145dd54b59e94e17

33. Filesize: 94KB
   MD5:    f5f4d6ffc7d3a1cbee1437f2e775e24f
   SHA1:   b7b7ffbc2c2f448c05b5695cc47bcf0433572e70
   SHA256: caeb7310d50e0c2e5abe09de576806bdbae976fd27b0bb720627c67957b28105
   SHA512: 37b06039c0c3c9936f29284140461fd68da1467f8bb128472f2b633c0175f0212485ab51fc060771cbde27b2216d4d61729af15428098f64bdf1529bfecfd7af

34. Filesize: 94KB
   MD5:    a7b8439e907b576f4dd31817086863ee
   SHA1:   9bb8428519d7816296f0c29580cbc06577d244d5
   SHA256: 2901484bba16295dd94393e36063ec2a537b4aec368207dd56a5b8147e209502
   SHA512: 33bd37704e69641eba204d458776c9cb40e1d31abcc128373c1907584e98b5de53375704f61b90ddd8afdbf6595898e2e03c754a692352b9acbc5207f6a0bd3f

35. Filesize: 94KB
   MD5:    223b1896d862bf4b464775d03501772d
   SHA1:   7b6bbb6da11c6b007de11639123144320a753e7e
   SHA256: 3a9495f0cf7cfde2dc0079a9045b415c99419f04df0ed2c510e13edefcbf7dca
   SHA512: db4f72b6156709ee9eef6f7998fa367069dbd60cb37c2d3e44cad61ee38795f155eb65f919f20f7c008f36c5cb33f5438b9e6e1267aea016528b1417ac6e73cd

36. Filesize: 94KB
   MD5:    afae8b654a45a3dcd81975d63fa301e2
   SHA1:   29500600fe237401e987882419c46fbaa421b2fa
   SHA256: bacb545ef8821c878c0c007ca60a60157b804d9870ff155db59dd4b2f620959f
   SHA512: 7e50c88bfc66d9642c75d00cb29d554113c177821f32496e393449e98a832c475bf21637d0cbff3a635bd84b7de3cc2fe953d937218063185717aa8766b1987b