Analysis
max time kernel: 94s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-09-2024 10:37
Static task: static1
Behavioral task: behavioral1
Sample: Backdoor.Win32.Berbew.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: Backdoor.Win32.Berbew.exe
Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Berbew.exe
Size: 92KB
MD5: 4263a48236cc89cf70602f4e4e258810
SHA1: 1415197c17565e1cc37aa138380e41a4d100ca8a
SHA256: af49a101a87bba10b677ebf4554514c8c728fc3250dc499399b37649a498cc85
SHA512: 27ee65511b24793238e6ca1dd78c18b245637abe51c0f0706f83fd00b242187fbb91ed8464407ff2d76ae1150848a682b3262269f367fefc81c0737254929bd4
SSDEEP: 1536:SrHTW+WViDIX0buWy1n4Fb9xRjXq+66DFUABABOVLefE3:yTW+WVMgz54FpxRj6+JB8M3
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs
Executes dropped EXE 23 IoCs
Loads dropped DLL 49 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
WerFault.exe (pid 1860), target process Dpapaj32.exe (pid_target 2356)
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Suspicious use of WriteProcessMemory
Processes:
Backdoor.Win32.Berbew.exe, Bfdenafn.exe, Bmnnkl32.exe, Boljgg32.exe, Bmpkqklh.exe, Bbmcibjp.exe, Bmbgfkje.exe, Ccmpce32.exe, Cfkloq32.exe, Cocphf32.exe, Cfmhdpnc.exe, Cpfmmf32.exe, Cagienkb.exe, Cgaaah32.exe, Cjonncab.exe, Cnkjnb32.exe

Each parent-to-child row is reported four times in the raw signature output (one entry per WriteProcessMemory call); the repeats are collapsed into the count column.

| description | pid | process | target process | count |
|---|---|---|---|---|
| PID 2336 wrote to memory of 1692 | 2336 | Backdoor.Win32.Berbew.exe | Bfdenafn.exe | 4 |
| PID 1692 wrote to memory of 2352 | 1692 | Bfdenafn.exe | Bmnnkl32.exe | 4 |
| PID 2352 wrote to memory of 2704 | 2352 | Bmnnkl32.exe | Boljgg32.exe | 4 |
| PID 2704 wrote to memory of 2720 | 2704 | Boljgg32.exe | Bmpkqklh.exe | 4 |
| PID 2720 wrote to memory of 2588 | 2720 | Bmpkqklh.exe | Bbmcibjp.exe | 4 |
| PID 2588 wrote to memory of 2836 | 2588 | Bbmcibjp.exe | Bmbgfkje.exe | 4 |
| PID 2836 wrote to memory of 2636 | 2836 | Bmbgfkje.exe | Ccmpce32.exe | 4 |
| PID 2636 wrote to memory of 3044 | 2636 | Ccmpce32.exe | Cfkloq32.exe | 4 |
| PID 3044 wrote to memory of 1324 | 3044 | Cfkloq32.exe | Cocphf32.exe | 4 |
| PID 1324 wrote to memory of 1988 | 1324 | Cocphf32.exe | Cfmhdpnc.exe | 4 |
| PID 1988 wrote to memory of 1720 | 1988 | Cfmhdpnc.exe | Cpfmmf32.exe | 4 |
| PID 1720 wrote to memory of 2372 | 1720 | Cpfmmf32.exe | Cagienkb.exe | 4 |
| PID 2372 wrote to memory of 1240 | 2372 | Cagienkb.exe | Cgaaah32.exe | 4 |
| PID 1240 wrote to memory of 2908 | 1240 | Cgaaah32.exe | Cjonncab.exe | 4 |
| PID 2908 wrote to memory of 2144 | 2908 | Cjonncab.exe | Cnkjnb32.exe | 4 |
| PID 2144 wrote to memory of 2880 | 2144 | Cnkjnb32.exe | Ceebklai.exe | 4 |
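The rows above describe a strictly linear hand-off: every stage writes into exactly one freshly started child, and the signature stops at Ceebklai.exe even though the process tree below continues through Clojhf32.exe to Dpapaj32.exe without the WriteProcessMemory tag. The Python below is an added example, not part of the Triage report or of any Berbew tooling. It parses the raw `PID X wrote to memory of Y ...` rows (the sample input is copied from this report, with the four-fold repeats kept only for the first pair), collapses the repeats, rebuilds the writer-to-target chain and counts how many consecutive stages carry the name shape of the dropped copies seen in this report. The name regex and the three-stage threshold are assumptions fitted to this sample, not a published Berbew signature. The 23 dropped files listed under Downloads all have the same 92KB size but 23 different hash sets, so the chain shape, not any file hash, is the indicator worth carrying into detection.

```python
"""Rebuild the process hand-off chain from the 'Suspicious use of
WriteProcessMemory' rows of a Triage report and score it as a
drop-and-execute chain (added example, not sandbox or malware code)."""
import re
from collections import defaultdict

# Copied from this report's signature output. The sandbox logs every
# WriteProcessMemory call, so the first pair is shown with its four repeats;
# the repeats of the later pairs are trimmed here to keep the sample short.
SIGNATURE_ROWS = """
description pid process target process
PID 2336 wrote to memory of 1692 2336 Backdoor.Win32.Berbew.exe Bfdenafn.exe
PID 2336 wrote to memory of 1692 2336 Backdoor.Win32.Berbew.exe Bfdenafn.exe
PID 2336 wrote to memory of 1692 2336 Backdoor.Win32.Berbew.exe Bfdenafn.exe
PID 2336 wrote to memory of 1692 2336 Backdoor.Win32.Berbew.exe Bfdenafn.exe
PID 1692 wrote to memory of 2352 1692 Bfdenafn.exe Bmnnkl32.exe
PID 2352 wrote to memory of 2704 2352 Bmnnkl32.exe Boljgg32.exe
PID 2704 wrote to memory of 2720 2704 Boljgg32.exe Bmpkqklh.exe
PID 2720 wrote to memory of 2588 2720 Bmpkqklh.exe Bbmcibjp.exe
PID 2588 wrote to memory of 2836 2588 Bbmcibjp.exe Bmbgfkje.exe
PID 2836 wrote to memory of 2636 2836 Bmbgfkje.exe Ccmpce32.exe
PID 2636 wrote to memory of 3044 2636 Ccmpce32.exe Cfkloq32.exe
PID 3044 wrote to memory of 1324 3044 Cfkloq32.exe Cocphf32.exe
PID 1324 wrote to memory of 1988 1324 Cocphf32.exe Cfmhdpnc.exe
PID 1988 wrote to memory of 1720 1988 Cfmhdpnc.exe Cpfmmf32.exe
PID 1720 wrote to memory of 2372 1720 Cpfmmf32.exe Cagienkb.exe
PID 2372 wrote to memory of 1240 2372 Cagienkb.exe Cgaaah32.exe
PID 1240 wrote to memory of 2908 1240 Cgaaah32.exe Cjonncab.exe
PID 2908 wrote to memory of 2144 2908 Cjonncab.exe Cnkjnb32.exe
PID 2144 wrote to memory of 2880 2144 Cnkjnb32.exe Ceebklai.exe
"""

# One signature row: the writer pid appears twice (description and pid column).
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Name shape of every dropped copy in this report: a capital letter, five
# lower-case letters, then two more letters or the literal "32". This is an
# assumption fitted to this sample, not a published Berbew signature.
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")


def parse_rows(text):
    """Return {(src_pid, dst_pid): (src_image, dst_image)} with repeats collapsed."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header line and anything unparseable is skipped
            edges[(int(m["src"]), int(m["dst"]))] = (m["src_img"], m["dst_img"])
    return edges


def build_tree(edges):
    """Adjacency list keyed by writer pid, plus a pid -> image-name map."""
    children, images = defaultdict(list), {}
    for (src, dst), (src_img, dst_img) in edges.items():
        children[src].append(dst)
        images[src], images[dst] = src_img, dst_img
    return children, images


def longest_chain(children, pid):
    """Longest pid path from `pid` along writer -> written-to links.
    Sandbox pid graphs are acyclic, so plain recursion is safe here."""
    best = [pid]
    for child in children.get(pid, []):
        path = [pid] + longest_chain(children, child)
        if len(path) > len(best):
            best = path
    return best


def analyse(text, threshold=3):
    """Score each root of the hand-off graph. A root is flagged when at least
    `threshold` stages below it are named like freshly dropped copies."""
    edges = parse_rows(text)
    children, images = build_tree(edges)
    written_to = {dst for _, dst in edges}
    result = {}
    for root in sorted(set(children) - written_to):
        chain = longest_chain(children, root)
        stages = [images[p] for p in chain]
        dropped = sum(1 for name in stages[1:] if DROPPED_NAME_RE.match(name))
        result[root] = {"chain": stages, "dropped_stages": dropped,
                        "suspicious": dropped >= threshold}
    return result


if __name__ == "__main__":
    for root, info in analyse(SIGNATURE_ROWS).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"root pid {root}: {info['dropped_stages']} dropped stages [{flag}]")
        print("  " + " -> ".join(info["chain"]))
```

Run against the rows copied from this report the script rebuilds the 17-process chain rooted at pid 2336 and counts 16 dropped-copy stages. The same parser can be pointed at the full, repeated signature output of any Triage report; fan-out (one writer with several targets) would show up as the root's longest chain being shorter than the number of edges, which is the cue to print the whole adjacency list rather than one path.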
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe (depth 1; command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Bfdenafn.exe (depth 2; command line: C:\Windows\system32\Bfdenafn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Bmnnkl32.exe (depth 3; command line: C:\Windows\system32\Bmnnkl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Boljgg32.exe (depth 4; command line: C:\Windows\system32\Boljgg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Bmpkqklh.exe (depth 5; command line: C:\Windows\system32\Bmpkqklh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Bbmcibjp.exe (depth 6; command line: C:\Windows\system32\Bbmcibjp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Bmbgfkje.exe (depth 7; command line: C:\Windows\system32\Bmbgfkje.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ccmpce32.exe (depth 8; command line: C:\Windows\system32\Ccmpce32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Cfkloq32.exe (depth 9; command line: C:\Windows\system32\Cfkloq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Cocphf32.exe (depth 10; command line: C:\Windows\system32\Cocphf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Cfmhdpnc.exe (depth 11; command line: C:\Windows\system32\Cfmhdpnc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Cpfmmf32.exe (depth 12; command line: C:\Windows\system32\Cpfmmf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Cagienkb.exe (depth 13; command line: C:\Windows\system32\Cagienkb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Cgaaah32.exe (depth 14; command line: C:\Windows\system32\Cgaaah32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Cjonncab.exe (depth 15; command line: C:\Windows\system32\Cjonncab.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Cnkjnb32.exe (depth 16; command line: C:\Windows\system32\Cnkjnb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ceebklai.exe (depth 17; command line: C:\Windows\system32\Ceebklai.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Clojhf32.exe (depth 18; command line: C:\Windows\system32\Clojhf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Cnmfdb32.exe (depth 19; command line: C:\Windows\system32\Cnmfdb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Cmpgpond.exe (depth 20; command line: C:\Windows\system32\Cmpgpond.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Ccjoli32.exe (depth 21; command line: C:\Windows\system32\Ccjoli32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Cfhkhd32.exe (depth 22; command line: C:\Windows\system32\Cfhkhd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Dnpciaef.exe (depth 23; command line: C:\Windows\system32\Dnpciaef.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Dpapaj32.exe (depth 24; command line: C:\Windows\system32\Dpapaj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\WerFault.exe (depth 25; command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 144)
- Loads dropped DLL
- Program crash
PID:1860
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 92KB
MD5 88fcbf9c7254688321f48e8c33888c66
SHA1 e1c78e837194d72b8c88f72e463a97cd0ab9f767
SHA256 78d1eb132dffa3feeaf440bbc98dcb8552db38e4ff6ed7940e1ef99839f54cb7
SHA512 e134a4b352af0763910b15a429e605270e8198194ea63bf688d363b51abfa688bc1c23a6ad18b12542d92ca743e5b8fd8a2a3234b8172ea3c3101051cdcfab65
-
Filesize 92KB
MD5 fc0fcd66cfe02145aa4c22b52d765224
SHA1 26ebe815797464846f26e1bd4de5e72b2b021730
SHA256 8a102e4cc3b319dd612c12e67d1dc684508e307a91e35457c5d24b3be6316f04
SHA512 f27170e1d266136e3d4d00624cb7e4dc3e531c0f6c62ec84a5f4baec030e05d5a9cad52132ed5b0da92b61197de9d95eaff5f7ed53a6e3c29330103b3ed79b41
-
Filesize 92KB
MD5 21f38156bb8f62469c056eb1a8d255e2
SHA1 3faeacf2ccf82cc68627ea83663bb2da75cd3583
SHA256 756bbb554aba420a5f7f51f79b720aaaeb21898a748516f13d5e19b2676c4b16
SHA512 f2369baa7accdc0792603d4930e185643d600fccffb9f81948f3152205ac67424ca8bb3facfd087c7dec4cd7c4201518cead247b4cf31355e4d903c575c926ac
-
Filesize 92KB
MD5 b567963f56b41746c8e22a3c1e8eb8b0
SHA1 25a71cf0972882e48df20befb508bfae5c6b2044
SHA256 06dc09514beac29ae3195628a54b9a0bd156e082b0387780e9d927f32beacf74
SHA512 b1081ef89d54e7ddaab6cf2bef55e4113a5426d0feaa416600315505ab47fe992c5e17b17916415b8bdc99e94841f74e124d0262f8b47da57d0011528a580a11
-
Filesize 92KB
MD5 5a34ed4d413f9ff13f15babe817dd229
SHA1 0717add798a542bf5fd5c8366ed33e881913505a
SHA256 2ac6b6b35d9fbcb9719a27cf82c2614503860324eea8591e7f36926f9c470880
SHA512 83045b431230becfbe12096fe7e4f3093534b6a228c55093a2834c0644d96c6582d74fd1305752b296f229ab6fd5c75ff6f28df86be73dfd7bc21d52e4f06f9a
-
Filesize 92KB
MD5 77322927eb8ebd70f67cd8e4c504d7bb
SHA1 05c73af1c342f6bbddaf69dac48213240ae52624
SHA256 d9cec39b79c9b2885132574ed879d5184ee78cffe12c23389c127fbe5318a0f5
SHA512 a5925cbee1021905f3732e4cc30c3a4753f70721bd1d4a7eea5a55346fbcc5409a7a8fad1f3f073be73feaa10ad40ae562067d5c471f4c8dbf8ec43562822891
-
Filesize 92KB
MD5 ea31219e636e932b882a0551164cddbd
SHA1 6632280724dc0dce18bc5834fc8299f5ada5f8aa
SHA256 d5e50f4f15644427eaf3758ca2d1a48d7eede04467d5acb6c1440bac7d498d38
SHA512 820e13f9033aa2379cd992ad83461cf33f55f0a3d6563a96c1dec84a141e8546d9113a2f19693c5b365b3f9c976a4beb39d7ce25aea0c4fdabe97b890059e903
-
Filesize 92KB
MD5 bb6b954de281ec77cc6b462a4e48181b
SHA1 2c702c11740969ba06e24fa577f828407b192626
SHA256 ec6dc77db8e6c915b149851d8f3515b2632cefe02b381881f332cbaf3bdc9de5
SHA512 951d655bc831df6b93200f9b46210f0494b8f404a8a606b39467ce8fa84e64eec66fc93c830051dc68fa0b59497bb6fc84497360730dbec2a907dae80d3abc05
-
Filesize 92KB
MD5 42090bc37053d848bd6b15f726f6c2c0
SHA1 e1a575083237e2eedb9d4f99fda69ee7bc644ed5
SHA256 a87b804702f984c356bf35f8da3c1128383de4502104200caf15405f801dd2ff
SHA512 7eda6facfd3e477187b8d7a2ade534edd209baba6cff416a330c4bb01a56f1fa6caf29ad16bcf9aba355178ab5486c1720d3ad598212bc7fdeb5779a46b82cf5
-
Filesize 92KB
MD5 a1f87197a6d12f518dfc7b79f4ee21fd
SHA1 9d23ce1b28f4c8ce3f1bec10660900fb6aa1e6bc
SHA256 16db65e96c2929d29648003a557aa172763341beeaeb5a17e9beb48fdc0ff0da
SHA512 d3a056f5fbc76119da114e3a6480f68ef91eade21772cdb90ab000b48687c2590f9f5e602b4b8cd083488a8599d58f9ce8e180cb10f9736d68fa47251051f26f
-
Filesize 92KB
MD5 744960e64d1548c4a66a51be41d6a343
SHA1 257e11de13b965499936d78ff3f746d548c421f5
SHA256 22f9ab475589a6eba0e022a44aac360ef65071867b379d1e174cdc60f30542c3
SHA512 493e5099990697a7fa56794d5cc5f67b132b509be701f7aadd8c63d4ed4646698c1bb9bdea9b68775ab523703ceaf97864ec1429c0bb8f8b8ff41f157fa5d752
-
Filesize 92KB
MD5 e60ec234fa8a825af20cd916232dc087
SHA1 9c6428fdc6f5f83ad03120bf19d9b911ece5b6fb
SHA256 680e0538d1522cb66ba79d8d8b5d6b3ab4de8559a673dc6ad9afb4cb06feacce
SHA512 a51677f79e6a401f9ae3b5a3a6820bf31e587789894f8fa6f1dab20244d1c20df1231995c395d8c7f652af56d86bbdeca9ee406aded0f93ce1013363be6b75cf
-
Filesize 92KB
MD5 ee543eccf5b02467a24c9964f98c92e3
SHA1 87689108d2290691bfb44ee813d7e11a0b2bb61b
SHA256 058a93a9a37c0267e231eb3ca58796c7fc0f58e8098021a5e1e3c9ca156816e1
SHA512 f209416bcd21378196bcb12fac8b330db4eb6936ca7bd956f80554dba1600d78bf87aeee69284dffd844639da310b25b54f711b4f7e96653627c931399e66a15
-
Filesize 92KB
MD5 4061408e98da2f25ac4765dcf68217ac
SHA1 de7d90389d440f17635aa846d70aa29b0fc1ed66
SHA256 2c400492c1003e8554a3fe68096a657b95a9239f4b2ab0978fcbbb55f0ba7a02
SHA512 a895e5fd4cc0ff083d7fc55ec4fb56b83af538d094ea1d2a1f2d2ca8cf26cfd0299d32669b15af7cdf3cd8528389ecc4a95ba0bc82f58568c5d781e1b9800273
-
Filesize 92KB
MD5 eb83de7b50bdbdfa936b0927fd3d2895
SHA1 657f2b1938bac7bae006e63a5e96580a4a5bb0a7
SHA256 05ba156ca156c7e8968103f8f20c4c0ccbc205d45cb44fe1abc2085b18d1129f
SHA512 c1115e1c34add1578b368ffc1a99c3a7aca8223faa640ada84b4bc515a1e570aad1db64908d0c477bada67cbe6b7fa76a5494375477e0c4a4e8269b28db3efdb
-
Filesize 92KB
MD5 9d2eac25cf5d090b376eef00b05b0414
SHA1 c8b8cd7aa06b4eaa817d4131ff76129d9029324d
SHA256 807ba24af99584607b01d2c1d124fcb1af11d85fc6f43c09285430b08be6b7d9
SHA512 cdaa22a770ede0813f309c01660680c38e95dc62f8d5d70e616db6f4b3e256b4f14147fc6d5168a451c4ee86ceddbb3efb4d88ebabc77dcac7e0092ca3e7c7fc
-
Filesize 92KB
MD5 6209adcc6d0fb2bb1814cfd73b7708bb
SHA1 f2564885f5d5ab181a0d3fb0d8ef53d79a6acb2c
SHA256 c91df97b4aef025dc0a12285649b3fb2e41fcc2eff99c3fc0a22b39f8c97256a
SHA512 29340e30f848d566f10527118656b25516645005fa750d36c5b648f45dedcc315d851216eae8ce492bc6a68073664a59568c5450b894a11ab83909ad06a8ef8a
-
Filesize 92KB
MD5 b2ac0e510e046f3ad69e78794f75df30
SHA1 4252a6b70054731893925d4c03cc72f89f05efc1
SHA256 e88af277b408ca1a5efafa5091c25b88bd5e63b7bbf4f3f8040ca87009ae6428
SHA512 b39cd9b06f5237b6d55f201af0c0f57a42362060eca9c00797f1ed21ce7bcde04968c28d95790d02d61bfd0d73fb3dee85ac12e95b6137d1c1ec28802c3169b7
-
Filesize 92KB
MD5 088ccfd06cf0c10b84a0891635f1ca3e
SHA1 721a87df29be53323a655aea84b19fd2f67b9f6e
SHA256 39f40ac3db049c609b26300efbe6ad424ace6871d29ffd6dd87924c0ccbdbb6e
SHA512 82fecaaf67952edb48ec8d06b361546f8336d397f4381a546b5536b27103674671fa8de208742a539f25d977af14f04e0a27d20b8111a933a5ed2edd76c952a7
-
Filesize 92KB
MD5 6184d6de58b4257eb1f97004c18b32b6
SHA1 540d882be032ec2ea26c23f1a3498e7b927a110f
SHA256 3acd160095b93c3de25188736f504d080a128c43d30b5c6780f3bb1093217a3e
SHA512 9811e4ea67708dfcc35b0b449469e12c8b194d7f47a2513e46cd9f38f0a1bff8f71a2e9a60cc17009b33a5b8a5956717b448e294f5738a4c1a6955c3ec0c73a1
-
Filesize 92KB
MD5 251f3b0849c4ca584c4a0991e518e208
SHA1 b0f1619fbea832c1ad04447afdee76652d989e0b
SHA256 13aede12064ba5b87f043d50d7133206bd407aa0b3fe93d7935f8b8dcd264c9a
SHA512 f3a02eecb4fa987f072d91731ebd494e4d4fb6dc362716ab00570aa07c2c259e4ca3eba763bfacd427fb469d2ee47ca71364b9e33082b67e194f60a70351a83f
-
Filesize 92KB
MD5 47b17e4ffb47cdaffd339965fa31e0b6
SHA1 39ab594be41286dedcb7746ffa933b9fd9dfa59c
SHA256 ac44693e1c14cbeea9bec7df7c799fa8c3f6dc061d06b7223a9ea4a2e8caeb6c
SHA512 95c44917c6cd9b19d56b81f442162d7932cd73e6647e5ef1561d244f32a8a879ae3d52cc6ac33adbfa852cb45afd1c9dc3e329706ab8684d1dd027bf9872c388
-
Filesize 92KB
MD5 486be0a7077de06a855a463a5b659bee
SHA1 6ac9bef87dd38a57390264d0f6e1f38df1718231
SHA256 b1a672015fb74aaa3fa657db11d716ff377431087aa4d63fa8bf591996a38268
SHA512 59c6e72bf2ccaf22fb762193aa68e95d05bb0581cb82b3beff3148133e9c954dc62139057af94a92519e933ca84822791c5f08db814e71091c4de6095719471e