Analysis
max time kernel: 114s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 10:36
Static task: static1
Behavioral task: behavioral1
Sample: Trojan.Win32.Cerber.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: Trojan.Win32.Cerber.exe
Resource: win10v2004-20240802-en
General
Target: Trojan.Win32.Cerber.exe
Size: 94KB
MD5: a6943c74876dbf3a0b346d92243ad860
SHA1: 396b5d065efd9abe7f6f81f9a24619fd51ac4581
SHA256: c034a1f22d5b0ba1499257e69f09dc00f74970cbf2a5327cc95d9c3be6be3a47
SHA512: 469dd50509c60a5dfb8ab0891c049d9329624130556b5b8292d94c911d58f589c0fa2733395f644d2b9340ccfe8489a733a0836ff464e6118c7cd7ac393369cd
SSDEEP: 1536:1jlhLaV25OmoLmuZD9WBJQYNl2L+aIZTJ+7LhkiB0MPiKeEAgv:zhLaV2ELoJzW+aMU7uihJ5v
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 50 IoCs)
Processes: Albkieqj.exe, Cbhbbn32.exe, Cehlcikj.exe, Bbcignbo.exe, Clpgkcdj.exe, Bldgoeog.exe, Bihhhi32.exe, Bcnleb32.exe, Dpefaq32.exe, Bblcfo32.exe, Bpgjpb32.exe, Blnjecfl.exe, Cdnelpod.exe, Bipnihgi.exe, Cpqlfa32.exe, Alpnde32.exe, Bboplo32.exe, Bliajd32.exe, Trojan.Win32.Cerber.exe, Almanf32.exe, Aioebj32.exe, Dgdgijhp.exe, Afeban32.exe, Dedkogqm.exe, Aeffgkkp.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Albkieqj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbhbbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cehlcikj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbcignbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbhbbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clpgkcdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bldgoeog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bihhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcnleb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpefaq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bblcfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpgjpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blnjecfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdnelpod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bipnihgi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clpgkcdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpqlfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alpnde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bboplo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcnleb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bliajd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpefaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Trojan.Win32.Cerber.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Almanf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bihhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aioebj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bldgoeog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgdgijhp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Almanf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bliajd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bipnihgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afeban32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Albkieqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dedkogqm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpgjpb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aioebj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeffgkkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Alpnde32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blnjecfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dedkogqm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bboplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbcignbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cehlcikj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afeban32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bblcfo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Trojan.Win32.Cerber.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeffgkkp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpqlfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdnelpod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgdgijhp.exe
Executes dropped EXE (25 IoCs)
Processes: Aioebj32.exe, Almanf32.exe, Aeffgkkp.exe, Alpnde32.exe, Afeban32.exe, Albkieqj.exe, Bblcfo32.exe, Bldgoeog.exe, Bboplo32.exe, Bihhhi32.exe, Bcnleb32.exe, Bliajd32.exe, Bbcignbo.exe, Bpgjpb32.exe, Bipnihgi.exe, Blnjecfl.exe, Cbhbbn32.exe, Clpgkcdj.exe, Cehlcikj.exe, Cpqlfa32.exe, Cdnelpod.exe, Dpefaq32.exe, Dedkogqm.exe, Dgdgijhp.exe, Dbkhnk32.exe
pid | process
892 | Aioebj32.exe
2380 | Almanf32.exe
1732 | Aeffgkkp.exe
1212 | Alpnde32.exe
4204 | Afeban32.exe
4808 | Albkieqj.exe
3096 | Bblcfo32.exe
4552 | Bldgoeog.exe
4348 | Bboplo32.exe
1960 | Bihhhi32.exe
4988 | Bcnleb32.exe
1688 | Bliajd32.exe
4676 | Bbcignbo.exe
2508 | Bpgjpb32.exe
692 | Bipnihgi.exe
548 | Blnjecfl.exe
3624 | Cbhbbn32.exe
3004 | Clpgkcdj.exe
1052 | Cehlcikj.exe
3668 | Cpqlfa32.exe
3600 | Cdnelpod.exe
908 | Dpefaq32.exe
1764 | Dedkogqm.exe
4272 | Dgdgijhp.exe
1544 | Dbkhnk32.exe
Drops file in System32 directory (64 IoCs)
Processes: Bbcignbo.exe, Bipnihgi.exe, Blnjecfl.exe, Cbhbbn32.exe, Cpqlfa32.exe, Bldgoeog.exe, Dedkogqm.exe, Dpefaq32.exe, Cdnelpod.exe, Aeffgkkp.exe, Almanf32.exe, Aioebj32.exe, Clpgkcdj.exe, Afeban32.exe, Albkieqj.exe, Bpgjpb32.exe, Trojan.Win32.Cerber.exe, Bihhhi32.exe, Dgdgijhp.exe, Bblcfo32.exe, Bboplo32.exe, Bcnleb32.exe, Alpnde32.exe, Cehlcikj.exe, Bliajd32.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Bpgjpb32.exe | Bbcignbo.exe
File created | C:\Windows\SysWOW64\Blnjecfl.exe | Bipnihgi.exe
File created | C:\Windows\SysWOW64\Ipekmlhg.dll | Bipnihgi.exe
File created | C:\Windows\SysWOW64\Cbhbbn32.exe | Blnjecfl.exe
File created | C:\Windows\SysWOW64\Eldafjjc.dll | Cbhbbn32.exe
File created | C:\Windows\SysWOW64\Cdnelpod.exe | Cpqlfa32.exe
File created | C:\Windows\SysWOW64\Ggiipk32.dll | Cpqlfa32.exe
File created | C:\Windows\SysWOW64\Bboplo32.exe | Bldgoeog.exe
File opened for modification | C:\Windows\SysWOW64\Dgdgijhp.exe | Dedkogqm.exe
File created | C:\Windows\SysWOW64\Dedkogqm.exe | Dpefaq32.exe
File created | C:\Windows\SysWOW64\Clpgkcdj.exe | Cbhbbn32.exe
File created | C:\Windows\SysWOW64\Eicfep32.dll | Cdnelpod.exe
File opened for modification | C:\Windows\SysWOW64\Alpnde32.exe | Aeffgkkp.exe
File created | C:\Windows\SysWOW64\Famnbgil.dll | Almanf32.exe
File created | C:\Windows\SysWOW64\Dpefaq32.exe | Cdnelpod.exe
File created | C:\Windows\SysWOW64\Dgdgijhp.exe | Dedkogqm.exe
File opened for modification | C:\Windows\SysWOW64\Almanf32.exe | Aioebj32.exe
File created | C:\Windows\SysWOW64\Aeffgkkp.exe | Almanf32.exe
File created | C:\Windows\SysWOW64\Mmhpkebp.dll | Bldgoeog.exe
File created | C:\Windows\SysWOW64\Fgpoahbe.dll | Dedkogqm.exe
File created | C:\Windows\SysWOW64\Almanf32.exe | Aioebj32.exe
File opened for modification | C:\Windows\SysWOW64\Cehlcikj.exe | Clpgkcdj.exe
File opened for modification | C:\Windows\SysWOW64\Dpefaq32.exe | Cdnelpod.exe
File created | C:\Windows\SysWOW64\Albkieqj.exe | Afeban32.exe
File created | C:\Windows\SysWOW64\Kipiefce.dll | Albkieqj.exe
File opened for modification | C:\Windows\SysWOW64\Bipnihgi.exe | Bpgjpb32.exe
File created | C:\Windows\SysWOW64\Ibnoch32.dll | Blnjecfl.exe
File opened for modification | C:\Windows\SysWOW64\Bblcfo32.exe | Albkieqj.exe
File created | C:\Windows\SysWOW64\Nkebqokl.dll | Afeban32.exe
File created | C:\Windows\SysWOW64\Pkjdhm32.dll | Trojan.Win32.Cerber.exe
File opened for modification | C:\Windows\SysWOW64\Albkieqj.exe | Afeban32.exe
File opened for modification | C:\Windows\SysWOW64\Bcnleb32.exe | Bihhhi32.exe
File created | C:\Windows\SysWOW64\Bpgjpb32.exe | Bbcignbo.exe
File opened for modification | C:\Windows\SysWOW64\Dbkhnk32.exe | Dgdgijhp.exe
File created | C:\Windows\SysWOW64\Aioebj32.exe | Trojan.Win32.Cerber.exe
File created | C:\Windows\SysWOW64\Bcnleb32.exe | Bihhhi32.exe
File created | C:\Windows\SysWOW64\Elgide32.dll | Bpgjpb32.exe
File created | C:\Windows\SysWOW64\Cehlcikj.exe | Clpgkcdj.exe
File created | C:\Windows\SysWOW64\Bldgoeog.exe | Bblcfo32.exe
File created | C:\Windows\SysWOW64\Pimdleea.dll | Bboplo32.exe
File created | C:\Windows\SysWOW64\Gjgmjh32.dll | Bihhhi32.exe
File created | C:\Windows\SysWOW64\Bliajd32.exe | Bcnleb32.exe
File opened for modification | C:\Windows\SysWOW64\Blnjecfl.exe | Bipnihgi.exe
File opened for modification | C:\Windows\SysWOW64\Afeban32.exe | Alpnde32.exe
File created | C:\Windows\SysWOW64\Ndfchkio.dll | Clpgkcdj.exe
File opened for modification | C:\Windows\SysWOW64\Cbhbbn32.exe | Blnjecfl.exe
File opened for modification | C:\Windows\SysWOW64\Aeffgkkp.exe | Almanf32.exe
File created | C:\Windows\SysWOW64\Afeban32.exe | Alpnde32.exe
File opened for modification | C:\Windows\SysWOW64\Bihhhi32.exe | Bboplo32.exe
File created | C:\Windows\SysWOW64\Cpqlfa32.exe | Cehlcikj.exe
File created | C:\Windows\SysWOW64\Mkfbmfbn.dll | Cehlcikj.exe
File opened for modification | C:\Windows\SysWOW64\Cdnelpod.exe | Cpqlfa32.exe
File created | C:\Windows\SysWOW64\Igqceh32.dll | Aioebj32.exe
File opened for modification | C:\Windows\SysWOW64\Bldgoeog.exe | Bblcfo32.exe
File created | C:\Windows\SysWOW64\Bipnihgi.exe | Bpgjpb32.exe
File opened for modification | C:\Windows\SysWOW64\Clpgkcdj.exe | Cbhbbn32.exe
File created | C:\Windows\SysWOW64\Jgfdkj32.dll | Dpefaq32.exe
File created | C:\Windows\SysWOW64\Dbkhnk32.exe | Dgdgijhp.exe
File created | C:\Windows\SysWOW64\Dfiefp32.dll | Alpnde32.exe
File created | C:\Windows\SysWOW64\Bblcfo32.exe | Albkieqj.exe
File opened for modification | C:\Windows\SysWOW64\Bliajd32.exe | Bcnleb32.exe
File created | C:\Windows\SysWOW64\Bbcignbo.exe | Bliajd32.exe
File opened for modification | C:\Windows\SysWOW64\Bbcignbo.exe | Bliajd32.exe
File created | C:\Windows\SysWOW64\Eobepglo.dll | Aeffgkkp.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
5084 | 1544 | WerFault.exe | Dbkhnk32.exe
System Location Discovery: System Language Discovery (1 TTP, 26 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Almanf32.exe, Clpgkcdj.exe, Dgdgijhp.exe, Blnjecfl.exe, Trojan.Win32.Cerber.exe, Aeffgkkp.exe, Alpnde32.exe, Bbcignbo.exe, Bboplo32.exe, Bihhhi32.exe, Bcnleb32.exe, Bblcfo32.exe, Bpgjpb32.exe, Bipnihgi.exe, Dedkogqm.exe, Aioebj32.exe, Afeban32.exe, Bldgoeog.exe, Cdnelpod.exe, Albkieqj.exe, Cehlcikj.exe, Dpefaq32.exe, Bliajd32.exe, Cbhbbn32.exe, Dbkhnk32.exe, Cpqlfa32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Almanf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clpgkcdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgdgijhp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blnjecfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan.Win32.Cerber.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aeffgkkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alpnde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbcignbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bboplo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bihhhi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcnleb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bblcfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpgjpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bipnihgi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dedkogqm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aioebj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afeban32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bldgoeog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdnelpod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Albkieqj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cehlcikj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpefaq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bliajd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbhbbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbkhnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpqlfa32.exe
Modifies registry class (64 IoCs)
Processes: Bldgoeog.exe, Aioebj32.exe, Bihhhi32.exe, Bcnleb32.exe, Cdnelpod.exe, Dedkogqm.exe, Dgdgijhp.exe, Aeffgkkp.exe, Alpnde32.exe, Bliajd32.exe, Trojan.Win32.Cerber.exe, Bipnihgi.exe, Blnjecfl.exe, Clpgkcdj.exe, Almanf32.exe, Afeban32.exe, Albkieqj.exe, Bbcignbo.exe, Cbhbbn32.exe, Cehlcikj.exe, Dpefaq32.exe, Bblcfo32.exe, Bboplo32.exe, Bpgjpb32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bldgoeog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igqceh32.dll" | Aioebj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bihhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bcnleb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfep32.dll" | Cdnelpod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpoahbe.dll" | Dedkogqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll" | Dgdgijhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aioebj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aeffgkkp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alpnde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bliajd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dgdgijhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Trojan.Win32.Cerber.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bliajd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bipnihgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoch32.dll" | Blnjecfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Clpgkcdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Almanf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Afeban32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Albkieqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbcignbo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbhbbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfchkio.dll" | Clpgkcdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cehlcikj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpefaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Almanf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bblcfo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bboplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahgec32.dll" | Bcnleb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpgjpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobepglo.dll" | Aeffgkkp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aeffgkkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipiefce.dll" | Albkieqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bblcfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhpkebp.dll" | Bldgoeog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimdleea.dll" | Bboplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Clpgkcdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famnbgil.dll" | Almanf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjdhm32.dll" | Trojan.Win32.Cerber.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfiefp32.dll" | Alpnde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bldgoeog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpgjpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgide32.dll" | Bpgjpb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgdgijhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | Trojan.Win32.Cerber.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bihhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeoha32.dll" | Bbcignbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbhbbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll" | Cehlcikj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfdkj32.dll" | Dpefaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpefaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dedkogqm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | Trojan.Win32.Cerber.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Albkieqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icldmjph.dll" | Bblcfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojahakp.dll" | Bliajd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blnjecfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cehlcikj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afeban32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bboplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgmjh32.dll" | Bihhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bipnihgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldafjjc.dll" | Cbhbbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dedkogqm.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Trojan.Win32.Cerber.exeAioebj32.exeAlmanf32.exeAeffgkkp.exeAlpnde32.exeAfeban32.exeAlbkieqj.exeBblcfo32.exeBldgoeog.exeBboplo32.exeBihhhi32.exeBcnleb32.exeBliajd32.exeBbcignbo.exeBpgjpb32.exeBipnihgi.exeBlnjecfl.exeCbhbbn32.exeClpgkcdj.exeCehlcikj.exeCpqlfa32.exeCdnelpod.exedescription pid process target process PID 560 wrote to memory of 892 560 Trojan.Win32.Cerber.exe Aioebj32.exe PID 560 wrote to memory of 892 560 Trojan.Win32.Cerber.exe Aioebj32.exe PID 560 wrote to memory of 892 560 Trojan.Win32.Cerber.exe Aioebj32.exe PID 892 wrote to memory of 2380 892 Aioebj32.exe Almanf32.exe PID 892 wrote to memory of 2380 892 Aioebj32.exe Almanf32.exe PID 892 wrote to memory of 2380 892 Aioebj32.exe Almanf32.exe PID 2380 wrote to memory of 1732 2380 Almanf32.exe Aeffgkkp.exe PID 2380 wrote to memory of 1732 2380 Almanf32.exe Aeffgkkp.exe PID 2380 wrote to memory of 1732 2380 Almanf32.exe Aeffgkkp.exe PID 1732 wrote to memory of 1212 1732 Aeffgkkp.exe Alpnde32.exe PID 1732 wrote to memory of 1212 1732 Aeffgkkp.exe Alpnde32.exe PID 1732 wrote to memory of 1212 1732 Aeffgkkp.exe Alpnde32.exe PID 1212 wrote to memory of 4204 1212 Alpnde32.exe Afeban32.exe PID 1212 wrote to memory of 4204 1212 Alpnde32.exe Afeban32.exe PID 1212 wrote to memory of 4204 1212 Alpnde32.exe Afeban32.exe PID 4204 wrote to memory of 4808 4204 Afeban32.exe Albkieqj.exe PID 4204 wrote to memory of 4808 4204 Afeban32.exe Albkieqj.exe PID 4204 wrote to memory of 4808 4204 Afeban32.exe Albkieqj.exe PID 4808 wrote to memory of 3096 4808 Albkieqj.exe Bblcfo32.exe PID 4808 wrote to memory of 3096 4808 Albkieqj.exe Bblcfo32.exe PID 4808 wrote to memory of 3096 4808 Albkieqj.exe Bblcfo32.exe PID 3096 wrote to memory of 4552 3096 Bblcfo32.exe Bldgoeog.exe PID 3096 wrote to memory of 4552 3096 Bblcfo32.exe Bldgoeog.exe PID 3096 wrote to memory of 4552 3096 Bblcfo32.exe Bldgoeog.exe PID 4552 wrote to memory of 4348 4552 Bldgoeog.exe Bboplo32.exe PID 4552 wrote to memory of 4348 4552 Bldgoeog.exe Bboplo32.exe PID 
4552 wrote to memory of 4348 4552 Bldgoeog.exe Bboplo32.exe
PID 4348 wrote to memory of 1960 4348 Bboplo32.exe Bihhhi32.exe
PID 4348 wrote to memory of 1960 4348 Bboplo32.exe Bihhhi32.exe
PID 4348 wrote to memory of 1960 4348 Bboplo32.exe Bihhhi32.exe
PID 1960 wrote to memory of 4988 1960 Bihhhi32.exe Bcnleb32.exe
PID 1960 wrote to memory of 4988 1960 Bihhhi32.exe Bcnleb32.exe
PID 1960 wrote to memory of 4988 1960 Bihhhi32.exe Bcnleb32.exe
PID 4988 wrote to memory of 1688 4988 Bcnleb32.exe Bliajd32.exe
PID 4988 wrote to memory of 1688 4988 Bcnleb32.exe Bliajd32.exe
PID 4988 wrote to memory of 1688 4988 Bcnleb32.exe Bliajd32.exe
PID 1688 wrote to memory of 4676 1688 Bliajd32.exe Bbcignbo.exe
PID 1688 wrote to memory of 4676 1688 Bliajd32.exe Bbcignbo.exe
PID 1688 wrote to memory of 4676 1688 Bliajd32.exe Bbcignbo.exe
PID 4676 wrote to memory of 2508 4676 Bbcignbo.exe Bpgjpb32.exe
PID 4676 wrote to memory of 2508 4676 Bbcignbo.exe Bpgjpb32.exe
PID 4676 wrote to memory of 2508 4676 Bbcignbo.exe Bpgjpb32.exe
PID 2508 wrote to memory of 692 2508 Bpgjpb32.exe Bipnihgi.exe
PID 2508 wrote to memory of 692 2508 Bpgjpb32.exe Bipnihgi.exe
PID 2508 wrote to memory of 692 2508 Bpgjpb32.exe Bipnihgi.exe
PID 692 wrote to memory of 548 692 Bipnihgi.exe Blnjecfl.exe
PID 692 wrote to memory of 548 692 Bipnihgi.exe Blnjecfl.exe
PID 692 wrote to memory of 548 692 Bipnihgi.exe Blnjecfl.exe
PID 548 wrote to memory of 3624 548 Blnjecfl.exe Cbhbbn32.exe
PID 548 wrote to memory of 3624 548 Blnjecfl.exe Cbhbbn32.exe
PID 548 wrote to memory of 3624 548 Blnjecfl.exe Cbhbbn32.exe
PID 3624 wrote to memory of 3004 3624 Cbhbbn32.exe Clpgkcdj.exe
PID 3624 wrote to memory of 3004 3624 Cbhbbn32.exe Clpgkcdj.exe
PID 3624 wrote to memory of 3004 3624 Cbhbbn32.exe Clpgkcdj.exe
PID 3004 wrote to memory of 1052 3004 Clpgkcdj.exe Cehlcikj.exe
PID 3004 wrote to memory of 1052 3004 Clpgkcdj.exe Cehlcikj.exe
PID 3004 wrote to memory of 1052 3004 Clpgkcdj.exe Cehlcikj.exe
PID 1052 wrote to memory of 3668 1052 Cehlcikj.exe Cpqlfa32.exe
PID 1052 wrote to memory of 3668 1052 Cehlcikj.exe Cpqlfa32.exe
PID 1052 wrote to memory of 3668 1052 Cehlcikj.exe Cpqlfa32.exe
PID 3668 wrote to memory of 3600 3668 Cpqlfa32.exe Cdnelpod.exe
PID 3668 wrote to memory of 3600 3668 Cpqlfa32.exe Cdnelpod.exe
PID 3668 wrote to memory of 3600 3668 Cpqlfa32.exe Cdnelpod.exe
PID 3600 wrote to memory of 908 3600 Cdnelpod.exe Dpefaq32.exe
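The WriteProcessMemory records above describe a strictly linear hand-off: every dropped copy writes into exactly one child, and that child is the next copy in the process tree. The following Python is an added example, not part of this report or of the sandbox that produced it. It parses records in the report's own layout, collapses the triplicated entries, and rebuilds the chain from a chosen root, refusing to flatten the tree if any writer has more than one target (the kind of fork that would mean a second branch was missed). The embedded sample lines are copied from this report; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: a subset of the "wrote to memory" records from this report,
# copied verbatim. The sandbox logs each write three times, as the first
# three lines show; the parser collapses those repeats.
SAMPLE_EVENTS = """\
PID 4348 wrote to memory of 1960 4348 Bboplo32.exe Bihhhi32.exe
PID 4348 wrote to memory of 1960 4348 Bboplo32.exe Bihhhi32.exe
PID 4348 wrote to memory of 1960 4348 Bboplo32.exe Bihhhi32.exe
PID 1960 wrote to memory of 4988 1960 Bihhhi32.exe Bcnleb32.exe
PID 4988 wrote to memory of 1688 4988 Bcnleb32.exe Bliajd32.exe
PID 1688 wrote to memory of 4676 1688 Bliajd32.exe Bbcignbo.exe
PID 4676 wrote to memory of 2508 4676 Bbcignbo.exe Bpgjpb32.exe
PID 2508 wrote to memory of 692 2508 Bpgjpb32.exe Bipnihgi.exe
PID 692 wrote to memory of 548 692 Bipnihgi.exe Blnjecfl.exe
PID 548 wrote to memory of 3624 548 Blnjecfl.exe Cbhbbn32.exe
PID 3624 wrote to memory of 3004 3624 Cbhbbn32.exe Clpgkcdj.exe
PID 3004 wrote to memory of 1052 3004 Clpgkcdj.exe Cehlcikj.exe
PID 1052 wrote to memory of 3668 1052 Cehlcikj.exe Cpqlfa32.exe
PID 3668 wrote to memory of 3600 3668 Cpqlfa32.exe Cdnelpod.exe
PID 3600 wrote to memory of 908 3600 Cdnelpod.exe Dpefaq32.exe
"""

# Record layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# The backreference requires the repeated writer PID to match the first one.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_write_events(text):
    """Return unique (src_pid, dst_pid, src_image, dst_image) tuples in first-seen order."""
    seen, events = set(), []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if m is None:
            continue  # not a write record; ignore it
        rec = (int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])
        if rec not in seen:
            seen.add(rec)
            events.append(rec)
    return events


def find_forks(events):
    """Map writer PID -> sorted target PIDs, only for writers with more than one target."""
    targets = defaultdict(set)
    for src, dst, _, _ in events:
        targets[src].add(dst)
    return {pid: sorted(t) for pid, t in targets.items() if len(t) > 1}


def build_chain(events, root_pid):
    """Follow single-target writes from root_pid; return [(pid, image), ...].

    Stops at a leaf, at a writer with several targets (see find_forks), or on
    a cycle, so a non-linear tree is never silently flattened into a chain.
    """
    targets = defaultdict(set)
    image = {}
    for src, dst, src_img, dst_img in events:
        targets[src].add(dst)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    chain, pid, visited = [], root_pid, set()
    while pid is not None and pid not in visited:
        visited.add(pid)
        chain.append((pid, image.get(pid)))
        nxt = targets.get(pid, set())
        pid = next(iter(nxt)) if len(nxt) == 1 else None
    return chain


def chain_images(events, root_pid):
    """Image names along the chain, e.g. for a one-line summary in a report."""
    return [img for _, img in build_chain(events, root_pid)]


if __name__ == "__main__":
    ev = parse_write_events(SAMPLE_EVENTS)
    print(f"{len(ev)} unique write edges, forks: {find_forks(ev) or 'none'}")
    print(" -> ".join(chain_images(ev, 4348)))
```

Run against the sample it reports 13 unique edges, no forks, and the 14-process chain from Bboplo32.exe down to Dpefaq32.exe. Feeding it the full record list from the report, including the Dpefaq32.exe and later hops that appear only in the process tree, is the quick way to confirm nothing branched off the main line.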
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe (depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Aioebj32.exe (depth 2), command line: C:\Windows\system32\Aioebj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Almanf32.exe (depth 3), command line: C:\Windows\system32\Almanf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Aeffgkkp.exe (depth 4), command line: C:\Windows\system32\Aeffgkkp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Alpnde32.exe (depth 5), command line: C:\Windows\system32\Alpnde32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Afeban32.exe (depth 6), command line: C:\Windows\system32\Afeban32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Albkieqj.exe (depth 7), command line: C:\Windows\system32\Albkieqj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Bblcfo32.exe (depth 8), command line: C:\Windows\system32\Bblcfo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Bldgoeog.exe (depth 9), command line: C:\Windows\system32\Bldgoeog.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Bboplo32.exe (depth 10), command line: C:\Windows\system32\Bboplo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Bihhhi32.exe (depth 11), command line: C:\Windows\system32\Bihhhi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Bcnleb32.exe (depth 12), command line: C:\Windows\system32\Bcnleb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Bliajd32.exe (depth 13), command line: C:\Windows\system32\Bliajd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Bbcignbo.exe (depth 14), command line: C:\Windows\system32\Bbcignbo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Bpgjpb32.exe (depth 15), command line: C:\Windows\system32\Bpgjpb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Bipnihgi.exe (depth 16), command line: C:\Windows\system32\Bipnihgi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Blnjecfl.exe (depth 17), command line: C:\Windows\system32\Blnjecfl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Cbhbbn32.exe (depth 18), command line: C:\Windows\system32\Cbhbbn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Clpgkcdj.exe (depth 19), command line: C:\Windows\system32\Clpgkcdj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Cehlcikj.exe (depth 20), command line: C:\Windows\system32\Cehlcikj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Cpqlfa32.exe (depth 21), command line: C:\Windows\system32\Cpqlfa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Cdnelpod.exe (depth 22), command line: C:\Windows\system32\Cdnelpod.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Dpefaq32.exe (depth 23), command line: C:\Windows\system32\Dpefaq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Dedkogqm.exe (depth 24), command line: C:\Windows\system32\Dedkogqm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Dgdgijhp.exe (depth 25), command line: C:\Windows\system32\Dgdgijhp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Dbkhnk32.exe (depth 26), command line: C:\Windows\system32\Dbkhnk32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\WerFault.exe (depth 27), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 400
- Program crash
PID:5084
-
C:\Windows\SysWOW64\WerFault.exe (depth 1), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1544 -ip 1544
PID:4304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1904,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
PID:2316
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 94KB
MD5 af30fed71bb306367ab6dcc57d0e163e
SHA1 d63ccb7bbcaf4d72e36b82714b555eb14215de42
SHA256 9f5fc980be0d282767bb6c3b3c04ffb7af42089b735f3d6484fef2ab4137c540
SHA512 579d63eb061e4ceb690ae039bee8af6987237603192de7335228086d5e83de246a299581d1224359eaeab7e53476462c73f49aa55699b9dde2273c746e0f25ef
-
Filesize 94KB
MD5 56f3b07a534cd06bdb9c8c7303049ace
SHA1 645ba740e529c4cb908e0b21b092391c8632fa75
SHA256 6faf5cb93cd69521d48ffa125b5fa83bcddb35f935460b31c35de19124bf37a8
SHA512 076b9078fdded9418d431bd992e76d5fd4b92da68208bec82518b780ca810875984d7662c4550265c0b283f83f1a6d79375a3ea387f2574d6cc57d0ec51500d9
-
Filesize 94KB
MD5 5b0fa250d752fc1cd70a26557e25d10e
SHA1 79429202f0e4236c39b7034df26bc5cfc1d6185f
SHA256 a8e78b2d8fa3d46104bf923a87e6ada3dddc3c58a1d29140325aef2e4a4d840e
SHA512 fe681cbfca4041f9196468fd63f9c411314a81948e75afa9074e41f1c798a7d0db401334e78fb8b9b4610019d8ddba10ff4bbcedfdc98a6e813958eed3f8f331
-
Filesize 94KB
MD5 a42b7e69f31d0987fdfc24a349ecaf9d
SHA1 24f2f7e7186300f4312812868a23e27a4c1cc7da
SHA256 b7f7241523bdb4300d441962d9cc39da8e25853525a716d9fd8929b125c04850
SHA512 535fe4d0b123ae2104ab10aa9633fa1f946b0f98ecbb326fddec1dca92b7217aa91d547fbaa6d57c8b8dba5e9ea84a7e218073a10effa2e771abf4aceb585e73
-
Filesize 94KB
MD5 d1d773ee1c7cf8c571f97dd91a531904
SHA1 38adb4cb99c461ee7b5ab2b774a8325d2c7bedde
SHA256 d253205d87065db1aff3ab74ae317a5719f9db4bffa2f962c5526a0ca975e211
SHA512 f0ab8e8c8f82f01d88c5400124d87a25a7970d7a1753c5e23494e5bfc05764f469c1047904a80b3b8af849315420fa44bbb57739f56a0c9b4981fc535b14b61f
-
Filesize 94KB
MD5 31fcf0ba7bd56d358f11bee9e4de6694
SHA1 42db70422a27e6b24966cd5df70ab493e223d485
SHA256 2d4d91bac8e18f172767457332bd942c016118cae19715b69e54eebb9ae928c8
SHA512 20e1cab2122ed145729c25cb45f7e287352392830941c0ce579e56f921327ad9a15643638e0b740d2f8e2f13c28b56b7dcbc7a9df45ed55fd16fada94c28e7a3
-
Filesize 94KB
MD5 8cb193ca8a16ca80785d194b7dec2676
SHA1 1e8245593f2bea1b37843c6813ad4c18ece26459
SHA256 112a028f39a6ac006ff24fc8c31a4d9ff2d1a69d2d80cf6aa8467b6a7da933b0
SHA512 b0e981a341db0bee8b53b3f007455e1cef1a583b5e868a2aae0a8f77078efcac0dfbce4be69681a4101d2dfeda2dbe32eee02e951e76240bc38be8c3d980e138
-
Filesize 94KB
MD5 b3ae15c641e2fb0965b97380a3086d60
SHA1 4889c59fa64c790b77a2a54b7712df27563c6420
SHA256 e7d93df9ac52bb9e5f5e92a67cf8dfd19c0684d51ef9fdd67bf638ad58d4beb1
SHA512 9bbd70f4a3c776256e3e2e1db8d66a81406aa97a7e8439363509c0fff206523234e51352f0f5a0f903c9708adf0edd432cbd5d33f882aa2124aca27c6c520602
-
Filesize 94KB
MD5 957fdd5a22eba4669b70325c56a9e197
SHA1 47d09d53e53948ea226ed88568148aaf22be79e0
SHA256 78c440ae1cac4b669168f560d8e70dac72bb5b58e3847cf6595837dda0dbe4fd
SHA512 6908e570764956477ecc17f2c361638c10b74e65c4ac865c0d10b99c1fd566de5c773d60b1c3f38d8974b5ef84f21a0f39a5734131881e53a66f1775e29548a0
-
Filesize 94KB
MD5 aff8dece26bed076eec9e0dfcc5b999a
SHA1 19b068b2d96ae710288eb84efe023c5aec771c54
SHA256 d5e2a76cb5a7e347e47c467e4b450d6bc8a28aec7d3bdc1f7ac4a20999013908
SHA512 6ab838c9169bf5aba3bee3c3c8d0c6290dab6174db0f08cefe1142f43ea51c72b01d2de3663e7cc32eeb5986741bce13321f6edb71f1443e4dbed24992551650
-
Filesize 94KB
MD5 453ddc15329a6ef63948ccfc9b4b5da4
SHA1 f11f989d16b75c8faca19e71f7f4e0980b36d217
SHA256 803d101a6bfc63a73b9d9765cd8ebd6f8834c1a05605792107302ac5b5ecad09
SHA512 3ebc88866c6d0924cb0e511aa7cafdad4572a361e3fb5b498f62647a547259a4c75852696f1f96c32215cb15c16767b7d6eaa506746608bc2d559292c232d085
-
Filesize 94KB
MD5 3cb46c8db0f3cb1af63bf0195e6cedce
SHA1 faa5a0c982f4406eaa443122f842fe9fe653a366
SHA256 105267a1763d0a602d3b7119d8abc8d901f9d62f5f483a0b613a83894a6cbedc
SHA512 17a9c9b6225ab4dc1af21995ebe8289d317ed0749563b94cccee24fe3ad2e771535845e54ecdd4800a260f45e28c2146f338a8d0aeba906c7a665eac948ab103
-
Filesize 94KB
MD5 7859a0d8df65caa95defcbd9530e0f4f
SHA1 54c8ca4faf10f2a1c83224be9a221439487fd3ac
SHA256 986fb1f65f59a06cb3862aa3a1aa8e71e8f110c5a9140316cf24faf0fa49685b
SHA512 00bfda5362733dae67b7b9fa1d4a69844a984a45eab30dfeaa2bbf96d8c20a5fb9e4ff49b563119aead40fe57b4545fba97c6d36feab2e76085bb7fee3dbbba7
-
Filesize 94KB
MD5 0085b5cc6c1ed5fea238db146706a732
SHA1 8d38e1c0c3d2165c2d72ed0dbc2db883c0a6e0aa
SHA256 bb9c6211a15e83fcec10f29ee268e2619d7b7690e12a1ae00601be252081c90a
SHA512 5915f32123c940ce6b0f0e2e10a70c9376e59872c4137ca45753c09d87f3d56242168589239252ad547e9417922970cc483686d7d207e06cda4216ed5858ff06
-
Filesize 94KB
MD5 5fd3fe58d2dbaf7a575a4678e3674945
SHA1 4d0ff51b47133d06d7d6f35f123a237783eac632
SHA256 52c157b6606412186a5c24e2d72a2e3a31ce6b97eafce172b936d2ffc16a4656
SHA512 c275888b0f44b5ffc3d935bded82a1cf45bb2127d8f2028aa48ca72d4a9fc84e2bbc941e3c27c18c0affb653a6352113fa4d53f8c7d5cf045bd659faf828ce22
-
Filesize 94KB
MD5 4404934faebafc0bfa04f7506a686adb
SHA1 62c7e0ca5054d6d126240038b7af241b600ba1e9
SHA256 c656f911b17f4e76bb7570c6db1c6aedb03f90448ca1317da4952f2c09a06e79
SHA512 4e8d1361322d14a9cde5c49d086108e39b5b398cdd8f119ca87d188f3735cf5c853e2838eb6a2be6db0314caff8f924fd7f9796977dc1f12c40c13ef0b931cbd
-
Filesize 94KB
MD5 173471f2357df73a801cdf0810dc4de2
SHA1 bb195d096f9b20b5d7920b399ea7427a6cddf069
SHA256 ecc85a5e4340c830a689858ed1cf34244eb71489ea9c4aaac511889dff6c1051
SHA512 7f2b23b81fac88acd1f62e7ee69abea6825eb2b95a0ba2353d0f9295fcabeee48b539321b23717ebe2f74c8a36cc301b3e204e584152e5d01b22b9be9bfe77e0
-
Filesize 94KB
MD5 36d7695547cb739fb9bbb4f938a63d60
SHA1 9e4bf2cb5825789359ca6a16af1ef01d60d9481c
SHA256 ef04e8bf18cf27dfbf373490811402f74c268e8e6ec3e55d33a2ad3450ac4d11
SHA512 9d2f05cad1d7ba7ceeb96cc5cbb5497003d408b8d0d12adebc102888bcda83f2e32fbcd5ca06276818635a491ca32463ef343db7b98bf5e01965e615ab2c2541
-
Filesize 94KB
MD5 b61022e562b69c0164c0cfc6db389e87
SHA1 602454a28a116911af9f7aef55635cd2ceff1d58
SHA256 4d5376b9762afe06346954815a70c3cc2b0a41459f9275ca302866ebda8d0b8a
SHA512 799125566618b09893a031d7de6149b74446584201eea21666d938299befd1781d6ba2c769aa1abd9791207c97d85c22552b05199ec83318e94dc7bef5435adb
-
Filesize 94KB
MD5 df6c5e6ea37a0e3db7df46828b0d76a5
SHA1 7b1d34ad51bd48f9b7b9a32c4298728bd5aa9a50
SHA256 84ff79074f1a2448c389aeeb0541ce88acc2e499e2b627f324ebf6156e7d81a3
SHA512 91e2589706cb91649bba561ab8277fc49e82f573f2dd4998564009389637bf5ea0f3224a7356b17619d66744cd841057a9bbd3402a0b879b56cc6fcd15aa675e
-
Filesize 94KB
MD5 790b7c023be3a819b99b3fd2270ff9e2
SHA1 931302ba1c5aeb0e50290bd624319064ddeb8540
SHA256 6f658cedf7e457d529f78a013b80e0025fe3123be51226dc7842ceea2998c9c0
SHA512 8da1aa8e06bdef435a6f882da63fc7f129d5deb3d1deb15ecf7f889269ce0e23066c4f702339b037d383e43b1628e2a29762db7fc3d794fe9c566a29596ba6e2
-
Filesize 94KB
MD5 ef72673d76eb0c925de9ce278ded3906
SHA1 1bbdec16e38fc4a960fe4b89b081e7d18b5cd644
SHA256 08e60037cf7f84d1a767c1aa573d0e51597661bfa8e206fdcfba73be217667e5
SHA512 26d32098d774f31260583b4551267600e36953d4c1fc886712ca8130fbf4617ad86576a5a9cf39421f16b4b61a924c0716fb48dc309c09a144dd6b2a476d9b7c
-
Filesize 94KB
MD5 1952293f0a088e3fa530149b6524f2c8
SHA1 1c7e8a13490e39d40ad4f05a6eb154b7c5bf23b2
SHA256 9d4c5d9d0be5321153b294277b677332af0478588c38a823350dffd8f0d14eef
SHA512 2319de9204ddd95e02ecfe30f66af11c2d5934c6358d6479f5df7cfa86a0e34494f32763a62bab0ac7404ae27903f39611da3b0e7c459a7a9533e10dae1017c4
-
Filesize 94KB
MD5 40d6c39a0e5e5bdd7dcbcda08cab1c88
SHA1 4164ecbd37aee87f5062485511d6f6391f5af2b1
SHA256 6e967d398946cbc9ca313ad504a6ef79fb7b845aa2bc322fcdf16159e90ab797
SHA512 e4e6bca664038b612eacd8ce78fe64afb7c43c51f2dae3901ee19ba521fd2778ff7e0b6546a5078e9ae80578dddeb24716087513199df11211d3a9262f34534c
-
Filesize 94KB
MD5 90334fb53ee6b25d55a8c8dd6aef7d31
SHA1 9eaed401e5e1e30da6219dcbc73f1deaef2eb77a
SHA256 9e30cc6d56f40d465d7021493f4e28782cba9cd75d5760c5436f1ffe5f27e1a7
SHA512 c91b70751ca5d1b4cbd710908de7f7e802157d9f209a32a206e960403aa450e0a75b6c6de44e5ce4e038a0119e3265d5b9a8a43508b016563b4dbed9326061f0