Analysis Overview
SHA256
7fc77aaf773147968d36061f8ea7a3abd337c970fe53cd5bdb1013f1fdeea542
Threat Level: Known bad
The file Backdoor.Win32.Berbew.pz-7fc77aaf773147968d36061f8ea7a3abd337c970fe53cd5bdb1013f1fdeea542N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 15:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 15:39
Reported
2024-09-16 15:41
Platform
win7-20240729-en
Max time kernel
61s
Max time network
21s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kageia32.exe | N/A |
Berbew
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Lbjofi32.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Qmgaio32.dll | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfaeme32.exe | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| File created | C:\Windows\SysWOW64\Hapbpm32.dll | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jibnop32.exe | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpcafifg.dll | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipafocdg.dll | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmkmjoec.exe | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Keioca32.exe | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjhcag32.exe | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| File created | C:\Windows\SysWOW64\Koflgf32.exe | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkmmlgik.exe | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmkmjoec.exe | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbjbge32.exe | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mobafhlg.dll | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kdnkdmec.exe | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kjhcag32.exe | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| File created | C:\Windows\SysWOW64\Pehbqi32.dll | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfaeme32.exe | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| File created | C:\Windows\SysWOW64\Khldkllj.exe | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Khldkllj.exe | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| File created | C:\Windows\SysWOW64\Onpeobjf.dll | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgcnahoo.exe | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kageia32.exe | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgcnahoo.exe | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfcabd32.exe | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jibnop32.exe | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Keioca32.exe | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| File created | C:\Windows\SysWOW64\Abqcpo32.dll | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| File created | C:\Windows\SysWOW64\Caefjg32.dll | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Koflgf32.exe | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgodelnq.dll | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eghoka32.dll | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgcgbb32.dll | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifkmqd32.dll | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdnkdmec.exe | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kageia32.exe | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlflfm32.dll | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfohgepi.exe | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfohgepi.exe | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfcabd32.exe | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| File created | C:\Windows\SysWOW64\Eplpdepa.dll | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbjbge32.exe | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkmmlgik.exe | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbjofi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll" | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" | C:\Windows\SysWOW64\Jmkmjoec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll" | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll" | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jibnop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll" | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Khldkllj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll" | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Keioca32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe" |
| C:\Windows\SysWOW64\Jfohgepi.exe | C:\Windows\system32\Jfohgepi.exe |
| C:\Windows\SysWOW64\Jfaeme32.exe | C:\Windows\system32\Jfaeme32.exe |
| C:\Windows\SysWOW64\Jmkmjoec.exe | C:\Windows\system32\Jmkmjoec.exe |
| C:\Windows\SysWOW64\Jfcabd32.exe | C:\Windows\system32\Jfcabd32.exe |
| C:\Windows\SysWOW64\Jibnop32.exe | C:\Windows\system32\Jibnop32.exe |
| C:\Windows\SysWOW64\Kbjbge32.exe | C:\Windows\system32\Kbjbge32.exe |
| C:\Windows\SysWOW64\Keioca32.exe | C:\Windows\system32\Keioca32.exe |
| C:\Windows\SysWOW64\Kdnkdmec.exe | C:\Windows\system32\Kdnkdmec.exe |
| C:\Windows\SysWOW64\Kjhcag32.exe | C:\Windows\system32\Kjhcag32.exe |
| C:\Windows\SysWOW64\Khldkllj.exe | C:\Windows\system32\Khldkllj.exe |
| C:\Windows\SysWOW64\Koflgf32.exe | C:\Windows\system32\Koflgf32.exe |
| C:\Windows\SysWOW64\Kkmmlgik.exe | C:\Windows\system32\Kkmmlgik.exe |
| C:\Windows\SysWOW64\Kageia32.exe | C:\Windows\system32\Kageia32.exe |
| C:\Windows\SysWOW64\Kgcnahoo.exe | C:\Windows\system32\Kgcnahoo.exe |
| C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\system32\Lbjofi32.exe |
Network
Files
\Windows\SysWOW64\Jfohgepi.exe
| MD5 | bc523c33f6bf31da9e725687804d56d5 |
| SHA1 | 09d0c0dc3dc1d235b15789ad21bb4985c12a9017 |
| SHA256 | 9a3300a47f12b4ce22c691d4fdb2bada6d05329ee615e8a87ae3e7a7b750e9ae |
| SHA512 | c50185d4a8cc3e93f96535d88c50b0473e6a67b2f277b50b4b9c18ee8993259a381a82ab9b6bbb5ce24aa51f59ea21973db26d37900a8f05f36e83e6ea5fb382 |
C:\Windows\SysWOW64\Jfaeme32.exe
| MD5 | b3f2063d59e3972881f035d66f1fe10a |
| SHA1 | ef13e9adee0a8eaddef373c495fb61df18435b77 |
| SHA256 | 585309b9d15ef73929f8c8f3ec8d8a0e882ee8d0263ce19698345d7293dac435 |
| SHA512 | cc34970cfebca2b35dc066d01282864370eefe2c899c8921d9f89bd655b6b664fa4f92db6b78248b4483ca05c606364c4902b9b235de8ae52669da2619c0a516 |
\Windows\SysWOW64\Jmkmjoec.exe
| MD5 | 24736ed1ae5c0d88758158c06fce9f2c |
| SHA1 | 2c44e60e2baf34fbe5bb232acdfd0f9db6ad36cd |
| SHA256 | 8d097b09a1cd573137ca713dc7c01e5ef2551aa3c94610af7a1c27b342da9d40 |
| SHA512 | d2b69e238f2dfe5b824704c8bd5e5bc206ebabfaf8a15c263247bb397e4be239cbd077b091e63124a78bc06a95fc9edc4b8530ec755e6c418539661edceef3a4 |
\Windows\SysWOW64\Jfcabd32.exe
| MD5 | dd4ac16774eefc95c58478f5b338a8f4 |
| SHA1 | f1978cd3d4872413562cf78cf73103b4ead2869d |
| SHA256 | 62a8c7d7c72a52a9801e2e5995df801413d799bb88a31a789d06e9968a4000aa |
| SHA512 | 70da6c245f1ffb3ae83267993107f1f5c346ce4c9626ff4d7277d17a5d5ebd30ba1dad9ce1024ab1103cbe397ad288941dd23efb223fedf669f44279974d9930 |
C:\Windows\SysWOW64\Jibnop32.exe
| MD5 | b529da755615583efe737973542ef3f7 |
| SHA1 | daf1c1f57e3269fc3690e911bb6379d51b58f54f |
| SHA256 | 33625533caa662083d2b9fb6caebf37599b148288e59c7847c8450cd1d37b42d |
| SHA512 | 983e82716934572df95c7d183e8f7f846ce74f24486edea9e2066cfacdb0a53c67e77c8b5e43d384888f1816bf19aa62c40ea683ced653fd712a6e5b297ad20f |
\Windows\SysWOW64\Kbjbge32.exe
| MD5 | 56a636c510b4cf928c279c4bfcd08266 |
| SHA1 | 30c92c6fb7985d57483ec85cedb150b8ed2b8e86 |
| SHA256 | fa7e6fb99dfa0cb4caca21dd97ac90fcdf4ff8b15c8de2b2c321c0f21353e0d6 |
| SHA512 | 4b2bde49846d1c51ea05321b811429eec4ea94230b70011c60f4b31e913130139884c932cbfe286e77079b9abfd632dc4de4521aed65f1709bc4ca8a40b1ff13 |
C:\Windows\SysWOW64\Keioca32.exe
| MD5 | b0c1cb4627098462d1c764ec5e4b2ed1 |
| SHA1 | 9de4e2ee029f6111963095b2cc2e60d2c689699a |
| SHA256 | 8cb5cd362ec46a246984096b8b473f9e874fcd5dd1b93f3d5b7747187579ebea |
| SHA512 | 0f59071fdde51843771fa6a1967876fed89276064fad039f5910bbd8f0a23cdc0fa43443556e83cce6405c5c3b7783c397dae6035a53093451f47ca602f5765b |
\Windows\SysWOW64\Kdnkdmec.exe
| MD5 | 0e74c56ed7bbf2ce3c40ba7e43becc1b |
| SHA1 | 240e4dfa85b11de602c82c763221cba9e238e74d |
| SHA256 | 6dd3bde32fa9f02a9b97f91b48cce5e0e99109359702113f0af341f0037a82c7 |
| SHA512 | 8ce7db7e6c9185bf75c4b3407a3bce4b2ad552a60ef7b0f7bb9ba379a3feb49c6702b45c06d60ce4e46554c7f283a2929d8e9170ee7d276d54a39ee264b84352 |
\Windows\SysWOW64\Kjhcag32.exe
| MD5 | 2902fc4dc33bd5107e383c7621dc7c65 |
| SHA1 | 536d4405345e2d21d61289ade6f78e5ab09cfb54 |
| SHA256 | acf4652e0a184dcc46fdbebdcfe57097c502c50d3de05edf5898c0b4318d83bb |
| SHA512 | 8aeb7e9d0411272c47fb7aa55c5480dd0b49c8e486bbf9d5c5195e7c2d795eecf1b915c62ce918443fef76c67e3a534f52fc9f7af3fdf38dc9e44bbe7664627d |
\Windows\SysWOW64\Khldkllj.exe
| MD5 | d567c9af83e7611e9b40acb5ddbf9f02 |
| SHA1 | 0ec40b2f3d52e8c81626966d63236c1d346f85d4 |
| SHA256 | 08cdae928e14789d3cae6e1779e45fb7cb2e3a8577fbf48971ff0a653f248c17 |
| SHA512 | f299d8d60fe73c771aebc114fc5a9b6237ae092dbcf0f0790ce31d680d42b9bc49b2dc9e17788a03364bd0b4eca730167f16a830f48d00d084e83262b8db2cff |
\Windows\SysWOW64\Koflgf32.exe
| MD5 | c7525b444ef42abf77802b1529479db7 |
| SHA1 | e9b35d583b3f891ca42acf2059869822ddac6c51 |
| SHA256 | 964b4df747e96fdcceba61d3b51ca38f3a4f966ba7e37b493a090ed3e50e4acb |
| SHA512 | 51f9055a0b29f44d51316e9b242e6d56158f6b2e0bd01d0848d6ac8ff191393be8939fdbefce78532a570c19be235427f0dc7afe032a5580c61a58bdade713fe |
\Windows\SysWOW64\Kkmmlgik.exe
| MD5 | 84fe42cf947ac57673717253475215e2 |
| SHA1 | b28b7f9f492be193b3bc0870bd77d30fed8c4961 |
| SHA256 | 47d6273a4724cc4631a7edfae294722bbbdc4ececc8cd27a4684bcce30a3cc08 |
| SHA512 | 928c6fedbb47fe5a8bd8fd7a10fb23bea7739a0bf1ce29f314150073667fccea58d37d337d68fc49e1a05f0d27adfb9896a4af8cec4f6cda717a28f59a1ce775 |
C:\Windows\SysWOW64\Kageia32.exe
| MD5 | 61841ab18c4d3384034d1c62ddf22da5 |
| SHA1 | 9caeeb2a8048b43b65ab81fad2b7ed52f85b6166 |
| SHA256 | 825fa9706478305b8793c391519bf359ae32b3ae79d17cc335d8af027c5ade2e |
| SHA512 | 1eac4266a4368829a3644ad16c14bbf6bb6819c824443a98248be58b10affd1eb53eb1995b7b25e6b8477143c5a4fa91f6a73c240d8be2a4e8a47841e8ce2ea8 |
\Windows\SysWOW64\Kgcnahoo.exe
| MD5 | a23d83f9e9ea99d7d618028b0ee89265 |
| SHA1 | 85aa7d6025d3d5404ec8a3a41c8051bf5584b359 |
| SHA256 | ada5be23b55f09eeacf54f65a1aff88f7a7652122338f1adbd351b5b6fecf2a5 |
| SHA512 | 8aedc75e5e097bba48474bc82df146e2a07c295192924a229ed8b7207d816b8cae0b1f731c793a567d042012afb097cf47321bd376b7c4643e026161e382c7db |
\Windows\SysWOW64\Lbjofi32.exe
| MD5 | 1726d6201008db20bb858ff5017eb79d |
| SHA1 | 4addf05a8bc4379ba68dfd4c81400fb203d705af |
| SHA256 | ed47900d1e9b0f0f0da7101143ccbf02ef31725e0dea50488cb98cc2363431a1 |
| SHA512 | 946051f70d689bee0d4be210eca8b29b257f9e4605d414261138b2cdf01ca8ff50ac332e312ca32cd0239ed9746784a0fab202c4e75b6233a15c78aea721a230 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-16 15:39
Reported
2024-09-16 15:41
Platform
win10v2004-20240910-en
Max time kernel
95s
Max time network
97s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ahfmpnql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpbjkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ppolhcnm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgelgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgqlcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amlogfel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chiblk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnjdpaki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfiddm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaoaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpdnjple.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chiblk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgnffj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bgnffj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgnomg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgeenfog.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amlogfel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aggpfkjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aggpfkjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bknlbhhe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aphnnafb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgkiaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmeandma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ppolhcnm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ckgohf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bknlbhhe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qdaniq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aknbkjfh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bobabg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckgohf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ahfmpnql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bobabg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pffgom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmblagmf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qodeajbg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdkifmjq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgeenfog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckbemgcp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnjdpaki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkndie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qmeigg32.exe | N/A |
Berbew
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Aggpfkjj.exe | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Akdilipp.exe | C:\Windows\SysWOW64\Ahfmpnql.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdojjo32.exe | C:\Windows\SysWOW64\Bpdnjple.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckbemgcp.exe | C:\Windows\SysWOW64\Chdialdl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibmlia32.dll | C:\Windows\SysWOW64\Chdialdl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgifbhid.exe | C:\Windows\SysWOW64\Cdkifmjq.exe | N/A |
| File created | C:\Windows\SysWOW64\Okhbek32.dll | C:\Windows\SysWOW64\Cdkifmjq.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmbgla32.dll | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcgplk32.dll | C:\Windows\SysWOW64\Amlogfel.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdmmeo32.exe | C:\Windows\SysWOW64\Aaoaic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpkdjofm.exe | C:\Windows\SysWOW64\Bknlbhhe.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpkhqmjb.dll | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| File created | C:\Windows\SysWOW64\Nchkcb32.dll | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcknij32.dll | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aknbkjfh.exe | C:\Windows\SysWOW64\Aphnnafb.exe | N/A |
| File created | C:\Windows\SysWOW64\Nflnbh32.dll | C:\Windows\SysWOW64\Ckbemgcp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkndie32.exe | C:\Windows\SysWOW64\Dddllkbf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkqaoe32.exe | C:\Windows\SysWOW64\Dgeenfog.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgnffj32.exe | C:\Windows\SysWOW64\Bdojjo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ahfmpnql.exe | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaoaic32.exe | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckbemgcp.exe | C:\Windows\SysWOW64\Chdialdl.exe | N/A |
| File created | C:\Windows\SysWOW64\Lelgfl32.dll | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgqlcg32.exe | C:\Windows\SysWOW64\Cpfcfmlp.exe | N/A |
| File created | C:\Windows\SysWOW64\Phcgcqab.exe | C:\Windows\SysWOW64\Pplobcpp.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdmmeo32.exe | C:\Windows\SysWOW64\Aaoaic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgelgi32.exe | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpbjkn32.exe | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfiddm32.exe | C:\Windows\SysWOW64\Ppolhcnm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahfmpnql.exe | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qodeajbg.exe | C:\Windows\SysWOW64\Qdoacabq.exe | N/A |
| File created | C:\Windows\SysWOW64\Aknbkjfh.exe | C:\Windows\SysWOW64\Aphnnafb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgkiaj32.exe | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgddkelm.dll | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhijep32.dll | C:\Windows\SysWOW64\Cpfcfmlp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ennamn32.dll | C:\Windows\SysWOW64\Cgqlcg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aphnnafb.exe | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmblagmf.exe | C:\Windows\SysWOW64\Pfiddm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdmdnadc.exe | C:\Windows\SysWOW64\Pmblagmf.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdaniq32.exe | C:\Windows\SysWOW64\Qodeajbg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmjkic32.exe | C:\Windows\SysWOW64\Bgnffj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bknlbhhe.exe | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mqnbqh32.dll | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpbjkn32.exe | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| File created | C:\Windows\SysWOW64\Kfcfimfi.dll | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aggpfkjj.exe | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbobhb32.dll | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bobabg32.exe | C:\Windows\SysWOW64\Bgkiaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhqndghj.dll | C:\Windows\SysWOW64\Boldhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chiblk32.exe | C:\Windows\SysWOW64\Cpbjkn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckgohf32.exe | C:\Windows\SysWOW64\Chiblk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nalhik32.dll | C:\Windows\SysWOW64\Cnjdpaki.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmnbfhal.exe | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgeenfog.exe | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgeaknci.dll | C:\Windows\SysWOW64\Akpoaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ieoigp32.dll | C:\Windows\SysWOW64\Aggpfkjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaoaic32.exe | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgkiaj32.exe | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgnomg32.exe | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgnomg32.exe | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijilflah.dll | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| File created | C:\Windows\SysWOW64\Idaiki32.dll | C:\Windows\SysWOW64\Ppolhcnm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dddllkbf.exe | C:\Windows\SysWOW64\Cnjdpaki.exe | N/A |
| File created | C:\Windows\SysWOW64\Iafphi32.dll | C:\Windows\SysWOW64\Pfiddm32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dkqaoe32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckgohf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkqaoe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmnbfhal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmblagmf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkndie32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amlogfel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bpdnjple.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgnffj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Boldhf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgeenfog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaoaic32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmeandma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgnomg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmjkic32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chdialdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qodeajbg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bobabg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bknlbhhe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ppolhcnm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qfkqjmdg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aknbkjfh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdoacabq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aphnnafb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dddllkbf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ahfmpnql.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpbjkn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pplobcpp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfiddm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgkiaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdkifmjq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qmeigg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdojjo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckbemgcp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pffgom32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgelgi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chiblk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnjdpaki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdaniq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Akpoaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aggpfkjj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfcfmlp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgqlcg32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmblagmf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aaoaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Boldhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll" | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll" | C:\Windows\SysWOW64\Qmeigg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll" | C:\Windows\SysWOW64\Bgkiaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdojjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dddllkbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dkndie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll" | C:\Windows\SysWOW64\Pfiddm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amlogfel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" | C:\Windows\SysWOW64\Cpfcfmlp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpbjkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" | C:\Windows\SysWOW64\Qdoacabq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ahfmpnql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" | C:\Windows\SysWOW64\Bmjkic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pplobcpp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" | C:\Windows\SysWOW64\Qodeajbg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll" | C:\Windows\SysWOW64\Aknbkjfh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bgkiaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpfcfmlp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bobabg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmeandma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" | C:\Windows\SysWOW64\Cgqlcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" | C:\Windows\SysWOW64\Bknlbhhe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ckbemgcp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" | C:\Windows\SysWOW64\Bmeandma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll" | C:\Windows\SysWOW64\Boldhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ckgohf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" | C:\Windows\SysWOW64\Dddllkbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmblagmf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" | C:\Windows\SysWOW64\Bgelgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Chdialdl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" | C:\Windows\SysWOW64\Cpbjkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgnomg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" | C:\Windows\SysWOW64\Cgnomg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll" | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aknbkjfh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Akpoaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bpdnjple.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpbjkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmjkic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ckbemgcp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmnbfhal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmnbfhal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe" |
| C:\Windows\SysWOW64\Pmnbfhal.exe | C:\Windows\system32\Pmnbfhal.exe |
| C:\Windows\SysWOW64\Pplobcpp.exe | C:\Windows\system32\Pplobcpp.exe |
| C:\Windows\SysWOW64\Phcgcqab.exe | C:\Windows\system32\Phcgcqab.exe |
| C:\Windows\SysWOW64\Pffgom32.exe | C:\Windows\system32\Pffgom32.exe |
| C:\Windows\SysWOW64\Ppolhcnm.exe | C:\Windows\system32\Ppolhcnm.exe |
| C:\Windows\SysWOW64\Pfiddm32.exe | C:\Windows\system32\Pfiddm32.exe |
| C:\Windows\SysWOW64\Pmblagmf.exe | C:\Windows\system32\Pmblagmf.exe |
| C:\Windows\SysWOW64\Pdmdnadc.exe | C:\Windows\system32\Pdmdnadc.exe |
| C:\Windows\SysWOW64\Qfkqjmdg.exe | C:\Windows\system32\Qfkqjmdg.exe |
| C:\Windows\SysWOW64\Qmeigg32.exe | C:\Windows\system32\Qmeigg32.exe |
| C:\Windows\SysWOW64\Qdoacabq.exe | C:\Windows\system32\Qdoacabq.exe |
| C:\Windows\SysWOW64\Qodeajbg.exe | C:\Windows\system32\Qodeajbg.exe |
| C:\Windows\SysWOW64\Qdaniq32.exe | C:\Windows\system32\Qdaniq32.exe |
| C:\Windows\SysWOW64\Akkffkhk.exe | C:\Windows\system32\Akkffkhk.exe |
| C:\Windows\SysWOW64\Aphnnafb.exe | C:\Windows\system32\Aphnnafb.exe |
| C:\Windows\SysWOW64\Aknbkjfh.exe | C:\Windows\system32\Aknbkjfh.exe |
| C:\Windows\SysWOW64\Amlogfel.exe | C:\Windows\system32\Amlogfel.exe |
| C:\Windows\SysWOW64\Akpoaj32.exe | C:\Windows\system32\Akpoaj32.exe |
| C:\Windows\SysWOW64\Apmhiq32.exe | C:\Windows\system32\Apmhiq32.exe |
| C:\Windows\SysWOW64\Aggpfkjj.exe | C:\Windows\system32\Aggpfkjj.exe |
| C:\Windows\SysWOW64\Amqhbe32.exe | C:\Windows\system32\Amqhbe32.exe |
| C:\Windows\SysWOW64\Ahfmpnql.exe | C:\Windows\system32\Ahfmpnql.exe |
| C:\Windows\SysWOW64\Akdilipp.exe | C:\Windows\system32\Akdilipp.exe |
| C:\Windows\SysWOW64\Aaoaic32.exe | C:\Windows\system32\Aaoaic32.exe |
| C:\Windows\SysWOW64\Bdmmeo32.exe | C:\Windows\system32\Bdmmeo32.exe |
| C:\Windows\SysWOW64\Bgkiaj32.exe | C:\Windows\system32\Bgkiaj32.exe |
| C:\Windows\SysWOW64\Bobabg32.exe | C:\Windows\system32\Bobabg32.exe |
| C:\Windows\SysWOW64\Bmeandma.exe | C:\Windows\system32\Bmeandma.exe |
| C:\Windows\SysWOW64\Bpdnjple.exe | C:\Windows\system32\Bpdnjple.exe |
| C:\Windows\SysWOW64\Bdojjo32.exe | C:\Windows\system32\Bdojjo32.exe |
| C:\Windows\SysWOW64\Bgnffj32.exe | C:\Windows\system32\Bgnffj32.exe |
| C:\Windows\SysWOW64\Bmjkic32.exe | C:\Windows\system32\Bmjkic32.exe |
| C:\Windows\SysWOW64\Bphgeo32.exe | C:\Windows\system32\Bphgeo32.exe |
| C:\Windows\SysWOW64\Bknlbhhe.exe | C:\Windows\system32\Bknlbhhe.exe |
| C:\Windows\SysWOW64\Bpkdjofm.exe | C:\Windows\system32\Bpkdjofm.exe |
| C:\Windows\SysWOW64\Bgelgi32.exe | C:\Windows\system32\Bgelgi32.exe |
| C:\Windows\SysWOW64\Boldhf32.exe | C:\Windows\system32\Boldhf32.exe |
| C:\Windows\SysWOW64\Chdialdl.exe | C:\Windows\system32\Chdialdl.exe |
| C:\Windows\SysWOW64\Ckbemgcp.exe | C:\Windows\system32\Ckbemgcp.exe |
| C:\Windows\SysWOW64\Cnaaib32.exe | C:\Windows\system32\Cnaaib32.exe |
| C:\Windows\SysWOW64\Cdkifmjq.exe | C:\Windows\system32\Cdkifmjq.exe |
| C:\Windows\SysWOW64\Cgifbhid.exe | C:\Windows\system32\Cgifbhid.exe |
| C:\Windows\SysWOW64\Cpbjkn32.exe | C:\Windows\system32\Cpbjkn32.exe |
| C:\Windows\SysWOW64\Chiblk32.exe | C:\Windows\system32\Chiblk32.exe |
| C:\Windows\SysWOW64\Ckgohf32.exe | C:\Windows\system32\Ckgohf32.exe |
| C:\Windows\SysWOW64\Cpdgqmnb.exe | C:\Windows\system32\Cpdgqmnb.exe |
| C:\Windows\SysWOW64\Cgnomg32.exe | C:\Windows\system32\Cgnomg32.exe |
| C:\Windows\SysWOW64\Cpfcfmlp.exe | C:\Windows\system32\Cpfcfmlp.exe |
| C:\Windows\SysWOW64\Cgqlcg32.exe | C:\Windows\system32\Cgqlcg32.exe |
| C:\Windows\SysWOW64\Cnjdpaki.exe | C:\Windows\system32\Cnjdpaki.exe |
| C:\Windows\SysWOW64\Dddllkbf.exe | C:\Windows\system32\Dddllkbf.exe |
| C:\Windows\SysWOW64\Dkndie32.exe | C:\Windows\system32\Dkndie32.exe |
| C:\Windows\SysWOW64\Dojqjdbl.exe | C:\Windows\system32\Dojqjdbl.exe |
| C:\Windows\SysWOW64\Ddgibkpc.exe | C:\Windows\system32\Ddgibkpc.exe |
| C:\Windows\SysWOW64\Dgeenfog.exe | C:\Windows\system32\Dgeenfog.exe |
| C:\Windows\SysWOW64\Dkqaoe32.exe | C:\Windows\system32\Dkqaoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4180 -ip 4180 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 400 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/864-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/864-1-0x0000000000432000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pmnbfhal.exe
| MD5 | b9f562080e4dcc61284b8f57b686bb48 |
| SHA1 | e3fb2bb3dd9dbc56f15aa896dfd427e95a418fab |
| SHA256 | 6048147dcd3146bc3f9d432603dfae6ed824f065e8db39620766320bbe91f1cb |
| SHA512 | 7b2d4fd9f1475db7bc65bfd67c633b36849baa30bb77b2c3b71a3d41ceda56b19b78b6087bbc3d38357ca753c834f78ca35224e751b30556ff9cf6f7ed9a5f57 |
memory/2292-9-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pplobcpp.exe
| MD5 | d8a39306d601a1badb4f2db98ff5e76e |
| SHA1 | a4d64fe3ce5ba064e14915579cb1a6034e9b7b46 |
| SHA256 | 5b268c9a0496f38ba02e1620337c6c4e07ba634037d1507b6cdc221576554a72 |
| SHA512 | 066e26bca0a1493af464c71e8ba8bd0fe85454c4b4d1aed8dec2f7f335c33a6b12b4537fd09d546f7aa76639668336807c75f352c7c38f9b6d9653ee9840ab8e |
memory/2816-17-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Phcgcqab.exe
| MD5 | 835de544f46cbaeeada65c9b301411d0 |
| SHA1 | f575b7313a78a018f2341e99d9a0083a58f52dd4 |
| SHA256 | b9a219d5c0d19092ac6127ce70cdee8908d7f389bfc0c9f609f25ce99a9ed08a |
| SHA512 | 1e3a05225c9520b63fe691796e00e3e1d5f04200ff78d21fecfc3161bbe1b3df388529c332a6e141032fbc5e67ed50e4a564033e3854121f3034a8c06feaf55d |
memory/2368-24-0x0000000000400000-0x0000000000440000-memory.dmp
memory/600-32-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pffgom32.exe
| MD5 | ab5714bcdf7752fca189944eeed711b2 |
| SHA1 | 15547b9c79d62ce41e6fdf0387a7ad43ed446217 |
| SHA256 | 0092e19e5bb5b4e58b7cb7f58b1fc1c769afdc7c419750e68b9f2c66427f1765 |
| SHA512 | b25766e5174c9ca9cd331143a5e783263cafc3c8054ecf92f3c7d4c1161e2e85d1c3f18c1e42001ffef3e3f6567d9c977ba4dcf20405bbc41d9fcf1ab58f798d |
memory/1820-40-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ppolhcnm.exe
| MD5 | f6e2bda7122a8ea46297373656258421 |
| SHA1 | 00bb034483809c24b31edd75677f8b0e85e41da3 |
| SHA256 | e1cf7e6b33611db2ed56cc6106932727f40a9dd1299f02166fda2bf4adc426cc |
| SHA512 | 39f14327ba921bae512e622494c4a47dd2a89afa479495877239054eb1397501f96202c48b6ec25afeaebf524ae04e9f4e964f7dd343face379f5584b9232108 |
C:\Windows\SysWOW64\Pfiddm32.exe
| MD5 | fc652a646d0fb1e9f6e28c4cf8fcb7f2 |
| SHA1 | 43c22b1d92df6a920f778836f5000ce786e51c36 |
| SHA256 | f1ed44d7aabf5370dda1b1c6bd51d27d47212fa69b6740a443319203e83adfc0 |
| SHA512 | 9f318c6c8ea298353d26dc66e8835ed8363fa9a4870a5e3b56c560d3db8bf7f8002cdec0e7b332f53220067195282f781675626b61aff83786ab18ac505c8cf7 |
memory/5060-48-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pmblagmf.exe
| MD5 | d7861f63e973ca097389c6deb02d0889 |
| SHA1 | 6c61250762a7fd271cab9b1ea2fef6ff3a775137 |
| SHA256 | 40bd6a9e23ad8390b4f306a363f5964db2104a04493ffcd7f8d33b9c29347bc8 |
| SHA512 | 2594193ba06e2a8aa85d5efb75350b3c98ee577d51cc670613d0dffdc2a09513e70b79d097629a95b13413860d67d2f8639d8099adffdd7efe5a44833a5aae1b |
memory/952-56-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pdmdnadc.exe
| MD5 | 6baac7f16901babcd860688aefee17c7 |
| SHA1 | bc55813d5adf90ad61517dc10b9348483dc6faac |
| SHA256 | af26dc6e4e432b6bb44e96876a1ae7eb23c1e97db5414abf22a1162674b1ae8a |
| SHA512 | fc20bb031866d70d8746e1725633952aff23ee2d0e4da729c91bced4f75546cadb1f0615da855df50f5f8f4de1e3e4861ed2204fb9f74df8abede9379031603f |
memory/1724-64-0x0000000000400000-0x0000000000440000-memory.dmp
memory/864-72-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qfkqjmdg.exe
| MD5 | e6e104b4cfb57de92cae71f8e24c1506 |
| SHA1 | c09add039d45027258c599fad4634be85b1ab5a7 |
| SHA256 | 0273401ceb3787bd322e3d797842be56886cf85326ed07406a186932c0fdfa0c |
| SHA512 | ea819bfe646858265e33652924e05ecbf4776a03506a08233d1dd689dacfb5912a6d108edae6a3af2aeadf65550c627676358dde7263b49f9e9bcb5b1515b4ff |
memory/4852-74-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qmeigg32.exe
| MD5 | a568ebeac7b891b6e3415dc2e4792f62 |
| SHA1 | 087bf7bb87942f85eea14f7e9368063c7758d5ff |
| SHA256 | 2b9aa96b8c2e20abe6d6437bf9f1b62cc5e03f7edfefd967244117073f46e064 |
| SHA512 | 87856f1b0bd252448f79381de434976aeb6950db178a9e19c07fd7a3c5c5823874e9b1388b474442d1aa195585ef5e9c663937e6a8da0c275758b6d02a800d0d |
memory/4380-81-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qdoacabq.exe
| MD5 | 50c2088d1bb3d50d7248dabfd83ed910 |
| SHA1 | 1cc01fb8fa70b5827aa893166970b98001829a79 |
| SHA256 | f5133b6da0d7b66237c28ecde08723fb7cb9bb96fc935129eb5cfc9debfb7332 |
| SHA512 | c29d9ae16847d37cf6b1c0f2aabd7b44e159df1e174cbdf06493634ce8a245d2c1e9fd1c26b1b10bedf52bc1399bc3b9a600c93eafd45070d1a617c219e1c890 |
memory/2292-89-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4148-90-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qodeajbg.exe
| MD5 | 91db7bab9b2e9908f1e6d38405cbe0c0 |
| SHA1 | 7ec94ededac6b2c32db6e786fc95d2ad93f4ac6c |
| SHA256 | ec8e51e12a6cec80f530aea2d2b48cd1aca51dfaf61d9f2e246ce7f83c8283bd |
| SHA512 | fee71a1a72c37dff730b570e4e1a98915d9a6f1ea8539f8e6c6e82fa86f1957404fd0a8cfa1add2f49cc6c03f92435e0281dffa8d68bef57ee05b1a0051561a6 |
memory/2816-98-0x0000000000400000-0x0000000000440000-memory.dmp
memory/412-99-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qdaniq32.exe
| MD5 | a4ce13e9f5c8855f29dcb869a66a26c3 |
| SHA1 | 62ab67fd97f41f58dde4e7ebed2544603f822fa6 |
| SHA256 | 64630ac1bba38a5f8b81b8ea7b4c0d79ab932654bcf5a63ff2488a05e24d105b |
| SHA512 | 0fcf698c80516dd569e4a48aa5aa72298f60b453f189980bcc3218d65a4cd0e59bfce993bd27f162bc4c99beb9753e51b3fdbf1965407f14a6f89b9985b8d231 |
memory/2368-108-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2804-109-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Akkffkhk.exe
| MD5 | 5eb9ba2e4fd11b7c69cdd191330f5485 |
| SHA1 | 84b71270669d5f98889c9adf74b704b6c8267578 |
| SHA256 | 139b28044fc6e9e65860d98d832693933736c9721355aa9bc5ba193de1d8a5ef |
| SHA512 | d69eb4ccf6a90d675f63d0b7ed8da1b4bfe11eaeccc99d40a9d29d70818191e300093e07804196c458cb9dd63979e98a4bc40430f26083d7e1b903fcff394d8e |
memory/1700-118-0x0000000000400000-0x0000000000440000-memory.dmp
memory/600-117-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Aphnnafb.exe
| MD5 | 3c9641996bfc0da68df4e19db54d3255 |
| SHA1 | 4553e637c5f3055dabc7799048322439300fc6e4 |
| SHA256 | efd382c8e9db68a6610302d9e6d30e31ec4a4cb22046b76420d39c937f0c87ee |
| SHA512 | f9bfe6d40a1a1c94f2fc574b5d6a5959fc75c941ed7960ff709a131a3540db19db4510e54fa9220cd18e7e0b4c453ccaaf70d75205a4bc8ececf943a1b395519 |
memory/1820-125-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2780-126-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Aknbkjfh.exe
| MD5 | cb63ee58d8f799e04f7fb9977a1d22f1 |
| SHA1 | 2e84332dc371eb3dd9613a22c86668ab3d79aa9f |
| SHA256 | 6575afca205e75a2a2f354e0e294493dc7e026086d4c62af7dcca778c007e362 |
| SHA512 | f41ab7e7e3ac7e71b49d17f70ef49d5d90a14e367278749ac46d531261dce8fed98c03e031a67744e23caccbe407bcf6ad196804ccbb1b6abbb233dcaed79cba |
memory/3216-136-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5060-135-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Amlogfel.exe
| MD5 | 7fb4ee15fadcbf42ae4e8eec460bc9c1 |
| SHA1 | aedd0290c2a8683dc77de14ee228e9346d8e2ae9 |
| SHA256 | 8a5ed92e9978ec82145a2e6d2ab676684b3f44e12872f2ee80354a73a4d3905c |
| SHA512 | 6466863374d4fb810cb4430ed872ec187fe2a11db2bb6479176705d2ec94bd41f703fc76cb9fd3235a3beab92cddafc70b98a202aeeedc550f31b7778e353c56 |
memory/220-144-0x0000000000400000-0x0000000000440000-memory.dmp
memory/952-143-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Akpoaj32.exe
| MD5 | 7b3d7c6a0c65a56f5015001152c456d6 |
| SHA1 | f4ae092c005a8ef777a3bae6c1dcfcf8b610837d |
| SHA256 | fd2511c061fa308f0238437dfbbf87733107dd7301f687c70ac66d3d72f86cd5 |
| SHA512 | fc5440f04820a679e4be96056453ed21daa40ef1db50091b701402f3386ef141135ecb693988e925613521a0056acd890680e421622f4b51506c360d270a1bf4 |
memory/1724-152-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3844-154-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Apmhiq32.exe
| MD5 | 55cd4453d2d9332f6c5cdaa3f7be1290 |
| SHA1 | e0c7f571faa0dcbbff2ea077a803dc6d89d989f8 |
| SHA256 | 18aad04054440639e4f694682afe1fee20d193c64ef28b0297855298c6aa70f2 |
| SHA512 | 5370c5943e506644ced34c16a722f18a59095f7677666727d01c1d3bba6b4e5d44fdff00ce16ea6370f9b0206f451c593595519becb463fd8757f5ab8798d1de |
memory/2648-162-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4852-161-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4380-170-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3272-171-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Aggpfkjj.exe
| MD5 | 6a4f1722968bd33f1abaeede2b416c2c |
| SHA1 | e7bc2abedc1b96b0103575d47786932c8551fd0f |
| SHA256 | 3ee81319855870a1eb2ec4b248bd671b10b9f494fe626a551b82064a7c70e00c |
| SHA512 | f85e12bbf3d37ae4baa12a892d8102c4a7e3e96964ae29cc9a66cce99292e86f51ff74ff50c241a65880ec80bae58f657a7efa3777c5ee3e5f3729ca1c8b8447 |
C:\Windows\SysWOW64\Amqhbe32.exe
| MD5 | 6f86b8f0d4dcd204ba7e62ed640d78df |
| SHA1 | 7a6a28255c37818bfe2de2ba06873fa3a67248e9 |
| SHA256 | e360898d19ff1628d49267e928277a6733aa875c7ffd5ed60e945ccf918ec3b5 |
| SHA512 | dc58389e1fa1f9c0a414bf50e0d98ede015748b25384e83c930f47a5b6a2fd36dc12192a1b2af825148652f498bd0811e650cd2a5e9c93e4d8677b671857ea37 |
memory/3868-180-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4148-179-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ahfmpnql.exe
| MD5 | d8b4a2181ed603ad125f6f02b0b69092 |
| SHA1 | acebacf1724ceb26b48a451e7cc72d180640c732 |
| SHA256 | e08a48c603a9ada8e5b2ee6bc6187a391bfdac6a1ef36739a215641dc6d0f0bc |
| SHA512 | 9581592ec386ad2bf48a8931b8c92d1f3aed689ba36e62f82a7bdf41e8e6032a816e7676b80c2ab44eddf399c17884b82bd4947d063fd95ea1a68bd1cb2d605d |
memory/2132-190-0x0000000000400000-0x0000000000440000-memory.dmp
memory/412-189-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2804-197-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3912-198-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Akdilipp.exe
| MD5 | 43b2f838d5ac0ac6a494912c1989c4be |
| SHA1 | e2c4e4c6f8ffc26611a39d29f8bbecb3bbb5efe0 |
| SHA256 | 778fe7ca8b2e9badfb363bb07b2f9fc981cbfc70bd182eef81309a2a57fee310 |
| SHA512 | 8026248f82562ca5232ea408cd9b07f1432e4f5a5d6b5f0248368a33dca3643ed7a82e844e54dbf38ac0bf4ef2264f70ea79ef00ca1dda5586257a0f165203b9 |
C:\Windows\SysWOW64\Aaoaic32.exe
| MD5 | c9b65b58b29a0bac003edbba8a85f617 |
| SHA1 | 3b63a54577e14a81664cba94754c560be4f6d7a0 |
| SHA256 | 4b08930f4ebf00b51047b1d3f21999bff0b453b1ab36c63c3fd9352fc3f19038 |
| SHA512 | 41979b7154470788e3c05038c200f9eb07bd1b917896dfec26d2043beac3628a649f64f30ce8a02b6f7e8071b7c9b4fcf4224e0739144e625299364fceda076a |
memory/1812-208-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1700-206-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bdmmeo32.exe
| MD5 | a55b75f25def1c9ce6aa3f26eba0c03f |
| SHA1 | cc6511adaf880d969b260eae88b2a00adc919967 |
| SHA256 | 429d83f397762ee22cdbf4e82d52e516d5ecc94f6a2843ee0aa73261d02cf63d |
| SHA512 | 8d0f511e0c1b5e42e7530ec01db27c09710d4062872494ac334897d9b2aada59e93035d6c41057fe0d915bfe449d8934ad30aed929e8b7cc43d210c4791d84d4 |
memory/2780-216-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1920-221-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bgkiaj32.exe
| MD5 | f65354344828e1962002d9d26b173df0 |
| SHA1 | 4005e8c384ff59adb5c8f4b1f23df3376610dde6 |
| SHA256 | 8cacb1160b20b3c9f167d135d6994115fb5d15cebbd7f22aaa627d4db7fc8b13 |
| SHA512 | c60939fff5504b48f11f26186b55e2d9988d5ace03373fdbe3b7cf852532cac7d1b85c98faf60368df201de4b6ba131981bb3ba48e8bf5593c59496930e8ff5b |
memory/4572-230-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bobabg32.exe
| MD5 | 3dee73641299c146b476acadee39e8b2 |
| SHA1 | 4b680e78c064477d2fbbcda4f1db2621b4409ae7 |
| SHA256 | 0382dd164cd6371cbe7738dbe7fe304156fe018ae9944ef3860effc3c6a24210 |
| SHA512 | 2d9464987faa4c891ba8d57d8163ccb4fdccc0fb2eb193ebb8b6541bba68753b6f8a5faccf0a87a0abc5dff54378610eceb28cff243de0fb20acd12e39cc43b6 |
memory/4904-239-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bmeandma.exe
| MD5 | 97e78ef531cc83d9674b1265d17f926d |
| SHA1 | 7b71364d1ea6fb820b07e13c4c5586b963f8cbb5 |
| SHA256 | 5d1b8828439a23478b3f9eb5c2d034a0ea83b202c245d918974ec12a896fe6d6 |
| SHA512 | 49da9238078d5653db0858cf3d7d75e29a8a5c3254f119b2e217f5833cc65db1d379ae0b2622a3870bf7e53787e33829e6ac12848461248cb4ec492a160a7f9b |
memory/3844-243-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bpdnjple.exe
| MD5 | 50172a7130793b4bc8542ca2fadc5a39 |
| SHA1 | 6f64b6371c75fe9343814326b230d59fee63b070 |
| SHA256 | 12786ed9f80bc8e9d8cf8ff72cce22d5e40e173276773bb02a8142bde19e220b |
| SHA512 | 8d47c235f9d7f9629849c7405f50698ed39c5deee22567f2fb54f37e77f7bfb7e7d7145d3ed4a8a5728945179af7c1dea51c4fe919284feee877ea7f8fe09be9 |
C:\Windows\SysWOW64\Bdojjo32.exe
| MD5 | c4021619296724c895ecaa1eabd26ef6 |
| SHA1 | c68625be897dc2413cbdb6312a68bc92b2d3f27f |
| SHA256 | 7cf2e3c313313663f0955998906ea0dcd792cad081281a184160efe9e1a015ee |
| SHA512 | 7fd5aefeee7c23288fa8a94875b8377105feaec8322498bec17a8a02e62c00c5a404255ab1919677ef331daeb8ed854c2be760a5e2ed10f0321e11dcd22c0022 |
C:\Windows\SysWOW64\Bgnffj32.exe
| MD5 | 5297c3f77477cf4928e3f9d7666de94d |
| SHA1 | ff9bf8be7365a5100e08297036ed1fd6cce1848c |
| SHA256 | 81907d2aa93752ed1d409199450fa9f6e43c84e38eed8347ef323b63c762a54e |
| SHA512 | e5d8ad14b082b5e65a92c3be4c6e99354583a0a9002922d6d31d9dddeaafbe4fec13977d3b102506877736a12e759db25e2b64dd5a73e7b8710919345bdd0117 |
memory/1924-271-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3868-270-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3272-267-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4416-266-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4672-265-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2648-264-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3632-255-0x0000000000400000-0x0000000000440000-memory.dmp
memory/220-234-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3216-229-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bmjkic32.exe
| MD5 | ef9a12bc5b48c9307d5c6e09348a3040 |
| SHA1 | a9a7bdde803d59820656ca1413dfce7ef6549af4 |
| SHA256 | 25538db6a8f9f099802ac225e7aa0a58dcdb3612faa6169aa0d4feea9f5031b5 |
| SHA512 | 17194bd20fd80870929ecface58b3d571db80a0792024e55e5d5e58f8ac93cf12d442a30c68bc84247500357fcb56805d5634eea7ba4275da0d0a779bc7ef461 |
memory/1032-280-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2132-278-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5012-287-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3912-286-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2308-294-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1812-293-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2664-301-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1920-300-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1520-307-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2600-315-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3632-314-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4904-313-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2012-321-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3364-327-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4532-333-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3812-340-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1924-339-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2416-347-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1032-346-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3128-354-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5012-353-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2308-360-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3168-361-0x0000000000400000-0x0000000000440000-memory.dmp
memory/684-368-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2664-367-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1520-374-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3984-375-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1608-382-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2600-381-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4900-389-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2012-388-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1732-396-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3364-395-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4532-402-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1080-403-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1536-410-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3812-409-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1928-417-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2416-416-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3752-424-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3128-423-0x0000000000400000-0x0000000000440000-memory.dmp