Malware Analysis Report

2025-03-15 09:53

Sample ID 240916-s3slfawamr
Target Backdoor.Win32.Berbew.pz-7fc77aaf773147968d36061f8ea7a3abd337c970fe53cd5bdb1013f1fdeea542N
SHA256 7fc77aaf773147968d36061f8ea7a3abd337c970fe53cd5bdb1013f1fdeea542
Tags berbew, backdoor, discovery, persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 7fc77aaf773147968d36061f8ea7a3abd337c970fe53cd5bdb1013f1fdeea542

Threat Level: Known bad

The file Backdoor.Win32.Berbew.pz-7fc77aaf773147968d36061f8ea7a3abd337c970fe53cd5bdb1013f1fdeea542N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 15:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 15:39

Reported

2024-09-16 15:41

Platform

win7-20240729-en

Max time kernel

61s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfaeme32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khldkllj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Koflgf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbjbge32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfaeme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkmmlgik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koflgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jibnop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kageia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjhcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khldkllj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jibnop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbjbge32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kjhcag32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfohgepi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkmmlgik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kageia32.exe N/A

Berbew

backdoor berbew

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Qmgaio32.dll C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\SysWOW64\Jfohgepi.exe N/A
File created C:\Windows\SysWOW64\Hapbpm32.dll C:\Windows\SysWOW64\Jfaeme32.exe N/A
File created C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Jfcabd32.exe N/A
File created C:\Windows\SysWOW64\Gpcafifg.dll C:\Windows\SysWOW64\Kdnkdmec.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Kgcnahoo.exe N/A
File created C:\Windows\SysWOW64\Ipafocdg.dll C:\Windows\SysWOW64\Kgcnahoo.exe N/A
File created C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jfaeme32.exe N/A
File created C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Kbjbge32.exe N/A
File created C:\Windows\SysWOW64\Kjhcag32.exe C:\Windows\SysWOW64\Kdnkdmec.exe N/A
File created C:\Windows\SysWOW64\Koflgf32.exe C:\Windows\SysWOW64\Khldkllj.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkmmlgik.exe C:\Windows\SysWOW64\Koflgf32.exe N/A
File created C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Kgcnahoo.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jfaeme32.exe N/A
File created C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Jibnop32.exe N/A
File created C:\Windows\SysWOW64\Mobafhlg.dll C:\Windows\SysWOW64\Jibnop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\SysWOW64\Keioca32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kjhcag32.exe C:\Windows\SysWOW64\Kdnkdmec.exe N/A
File created C:\Windows\SysWOW64\Pehbqi32.dll C:\Windows\SysWOW64\Khldkllj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\SysWOW64\Jfohgepi.exe N/A
File created C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\SysWOW64\Kjhcag32.exe N/A
File opened for modification C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\SysWOW64\Kjhcag32.exe N/A
File created C:\Windows\SysWOW64\Onpeobjf.dll C:\Windows\SysWOW64\Koflgf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Kageia32.exe N/A
File created C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kkmmlgik.exe N/A
File created C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Kageia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jmkmjoec.exe N/A
File opened for modification C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Jfcabd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Kbjbge32.exe N/A
File created C:\Windows\SysWOW64\Abqcpo32.dll C:\Windows\SysWOW64\Kbjbge32.exe N/A
File created C:\Windows\SysWOW64\Caefjg32.dll C:\Windows\SysWOW64\Keioca32.exe N/A
File opened for modification C:\Windows\SysWOW64\Koflgf32.exe C:\Windows\SysWOW64\Khldkllj.exe N/A
File created C:\Windows\SysWOW64\Pgodelnq.dll C:\Windows\SysWOW64\Kageia32.exe N/A
File created C:\Windows\SysWOW64\Eghoka32.dll C:\Windows\SysWOW64\Kjhcag32.exe N/A
File created C:\Windows\SysWOW64\Dgcgbb32.dll C:\Windows\SysWOW64\Jfohgepi.exe N/A
File created C:\Windows\SysWOW64\Ifkmqd32.dll C:\Windows\SysWOW64\Jfcabd32.exe N/A
File created C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\SysWOW64\Keioca32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kkmmlgik.exe N/A
File created C:\Windows\SysWOW64\Jlflfm32.dll C:\Windows\SysWOW64\Kkmmlgik.exe N/A
File created C:\Windows\SysWOW64\Jfohgepi.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfohgepi.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jmkmjoec.exe N/A
File created C:\Windows\SysWOW64\Eplpdepa.dll C:\Windows\SysWOW64\Jmkmjoec.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Jibnop32.exe N/A
File created C:\Windows\SysWOW64\Kkmmlgik.exe C:\Windows\SysWOW64\Koflgf32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfaeme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jibnop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khldkllj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koflgf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjhcag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kageia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Keioca32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbjofi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbjbge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkmmlgik.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jibnop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kjhcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" C:\Windows\SysWOW64\Kageia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll" C:\Windows\SysWOW64\Jfcabd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfcabd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbjbge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" C:\Windows\SysWOW64\Keioca32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Khldkllj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kageia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" C:\Windows\SysWOW64\Jfohgepi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfohgepi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" C:\Windows\SysWOW64\Jibnop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll" C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Koflgf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbjbge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjhcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkmmlgik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kageia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jfcabd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" C:\Windows\SysWOW64\Kjhcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll" C:\Windows\SysWOW64\Koflgf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll" C:\Windows\SysWOW64\Khldkllj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jfaeme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" C:\Windows\SysWOW64\Jfaeme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfaeme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jibnop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll" C:\Windows\SysWOW64\Kbjbge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Khldkllj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Koflgf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkmmlgik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll" C:\Windows\SysWOW64\Kkmmlgik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Keioca32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 2188 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 2188 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 2188 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jfaeme32.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jfaeme32.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jfaeme32.exe
PID 2228 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jfaeme32.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\SysWOW64\Jmkmjoec.exe
PID 2724 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2724 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2724 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2724 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Jmkmjoec.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2764 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jibnop32.exe
PID 2764 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jibnop32.exe
PID 2764 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jibnop32.exe
PID 2764 wrote to memory of 2624 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jibnop32.exe
PID 2624 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Kbjbge32.exe
PID 2624 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Kbjbge32.exe
PID 2624 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Kbjbge32.exe
PID 2624 wrote to memory of 1876 N/A C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Kbjbge32.exe
PID 1876 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 1876 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 1876 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 1876 wrote to memory of 1356 N/A C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 1356 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Kdnkdmec.exe
PID 1356 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Kdnkdmec.exe
PID 1356 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Kdnkdmec.exe
PID 1356 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Kdnkdmec.exe
PID 1052 wrote to memory of 540 N/A C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\SysWOW64\Kjhcag32.exe
PID 1052 wrote to memory of 540 N/A C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\SysWOW64\Kjhcag32.exe
PID 1052 wrote to memory of 540 N/A C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\SysWOW64\Kjhcag32.exe
PID 1052 wrote to memory of 540 N/A C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\SysWOW64\Kjhcag32.exe
PID 540 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Kjhcag32.exe C:\Windows\SysWOW64\Khldkllj.exe
PID 540 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Kjhcag32.exe C:\Windows\SysWOW64\Khldkllj.exe
PID 540 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Kjhcag32.exe C:\Windows\SysWOW64\Khldkllj.exe
PID 540 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Kjhcag32.exe C:\Windows\SysWOW64\Khldkllj.exe
PID 2248 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\SysWOW64\Koflgf32.exe
PID 2248 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\SysWOW64\Koflgf32.exe
PID 2248 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\SysWOW64\Koflgf32.exe
PID 2248 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\SysWOW64\Koflgf32.exe
PID 2096 wrote to memory of 484 N/A C:\Windows\SysWOW64\Koflgf32.exe C:\Windows\SysWOW64\Kkmmlgik.exe
PID 2096 wrote to memory of 484 N/A C:\Windows\SysWOW64\Koflgf32.exe C:\Windows\SysWOW64\Kkmmlgik.exe
PID 2096 wrote to memory of 484 N/A C:\Windows\SysWOW64\Koflgf32.exe C:\Windows\SysWOW64\Kkmmlgik.exe
PID 2096 wrote to memory of 484 N/A C:\Windows\SysWOW64\Koflgf32.exe C:\Windows\SysWOW64\Kkmmlgik.exe
PID 484 wrote to memory of 324 N/A C:\Windows\SysWOW64\Kkmmlgik.exe C:\Windows\SysWOW64\Kageia32.exe
PID 484 wrote to memory of 324 N/A C:\Windows\SysWOW64\Kkmmlgik.exe C:\Windows\SysWOW64\Kageia32.exe
PID 484 wrote to memory of 324 N/A C:\Windows\SysWOW64\Kkmmlgik.exe C:\Windows\SysWOW64\Kageia32.exe
PID 484 wrote to memory of 324 N/A C:\Windows\SysWOW64\Kkmmlgik.exe C:\Windows\SysWOW64\Kageia32.exe
PID 324 wrote to memory of 344 N/A C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kgcnahoo.exe
PID 324 wrote to memory of 344 N/A C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kgcnahoo.exe
PID 324 wrote to memory of 344 N/A C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kgcnahoo.exe
PID 324 wrote to memory of 344 N/A C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kgcnahoo.exe
PID 344 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Lbjofi32.exe
PID 344 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Lbjofi32.exe
PID 344 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Lbjofi32.exe
PID 344 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Lbjofi32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Jfohgepi.exe

C:\Windows\system32\Jfohgepi.exe

C:\Windows\SysWOW64\Jfaeme32.exe

C:\Windows\system32\Jfaeme32.exe

C:\Windows\SysWOW64\Jmkmjoec.exe

C:\Windows\system32\Jmkmjoec.exe

C:\Windows\SysWOW64\Jfcabd32.exe

C:\Windows\system32\Jfcabd32.exe

C:\Windows\SysWOW64\Jibnop32.exe

C:\Windows\system32\Jibnop32.exe

C:\Windows\SysWOW64\Kbjbge32.exe

C:\Windows\system32\Kbjbge32.exe

C:\Windows\SysWOW64\Keioca32.exe

C:\Windows\system32\Keioca32.exe

C:\Windows\SysWOW64\Kdnkdmec.exe

C:\Windows\system32\Kdnkdmec.exe

C:\Windows\SysWOW64\Kjhcag32.exe

C:\Windows\system32\Kjhcag32.exe

C:\Windows\SysWOW64\Khldkllj.exe

C:\Windows\system32\Khldkllj.exe

C:\Windows\SysWOW64\Koflgf32.exe

C:\Windows\system32\Koflgf32.exe

C:\Windows\SysWOW64\Kkmmlgik.exe

C:\Windows\system32\Kkmmlgik.exe

C:\Windows\SysWOW64\Kageia32.exe

C:\Windows\system32\Kageia32.exe

C:\Windows\SysWOW64\Kgcnahoo.exe

C:\Windows\system32\Kgcnahoo.exe

C:\Windows\SysWOW64\Lbjofi32.exe

C:\Windows\system32\Lbjofi32.exe

Network

N/A

Files

memory/2188-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Jfohgepi.exe

MD5 bc523c33f6bf31da9e725687804d56d5
SHA1 09d0c0dc3dc1d235b15789ad21bb4985c12a9017
SHA256 9a3300a47f12b4ce22c691d4fdb2bada6d05329ee615e8a87ae3e7a7b750e9ae
SHA512 c50185d4a8cc3e93f96535d88c50b0473e6a67b2f277b50b4b9c18ee8993259a381a82ab9b6bbb5ce24aa51f59ea21973db26d37900a8f05f36e83e6ea5fb382

memory/2188-7-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2228-14-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2188-12-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2776-27-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jfaeme32.exe

MD5 b3f2063d59e3972881f035d66f1fe10a
SHA1 ef13e9adee0a8eaddef373c495fb61df18435b77
SHA256 585309b9d15ef73929f8c8f3ec8d8a0e882ee8d0263ce19698345d7293dac435
SHA512 cc34970cfebca2b35dc066d01282864370eefe2c899c8921d9f89bd655b6b664fa4f92db6b78248b4483ca05c606364c4902b9b235de8ae52669da2619c0a516

\Windows\SysWOW64\Jmkmjoec.exe

MD5 24736ed1ae5c0d88758158c06fce9f2c
SHA1 2c44e60e2baf34fbe5bb232acdfd0f9db6ad36cd
SHA256 8d097b09a1cd573137ca713dc7c01e5ef2551aa3c94610af7a1c27b342da9d40
SHA512 d2b69e238f2dfe5b824704c8bd5e5bc206ebabfaf8a15c263247bb397e4be239cbd077b091e63124a78bc06a95fc9edc4b8530ec755e6c418539661edceef3a4

memory/2724-41-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2776-40-0x0000000000250000-0x0000000000290000-memory.dmp

\Windows\SysWOW64\Jfcabd32.exe

MD5 dd4ac16774eefc95c58478f5b338a8f4
SHA1 f1978cd3d4872413562cf78cf73103b4ead2869d
SHA256 62a8c7d7c72a52a9801e2e5995df801413d799bb88a31a789d06e9968a4000aa
SHA512 70da6c245f1ffb3ae83267993107f1f5c346ce4c9626ff4d7277d17a5d5ebd30ba1dad9ce1024ab1103cbe397ad288941dd23efb223fedf669f44279974d9930

memory/2724-48-0x0000000000440000-0x0000000000480000-memory.dmp

memory/2188-55-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jibnop32.exe

MD5 b529da755615583efe737973542ef3f7
SHA1 daf1c1f57e3269fc3690e911bb6379d51b58f54f
SHA256 33625533caa662083d2b9fb6caebf37599b148288e59c7847c8450cd1d37b42d
SHA512 983e82716934572df95c7d183e8f7f846ce74f24486edea9e2066cfacdb0a53c67e77c8b5e43d384888f1816bf19aa62c40ea683ced653fd712a6e5b297ad20f

memory/2764-64-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2188-63-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2228-70-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Kbjbge32.exe

MD5 56a636c510b4cf928c279c4bfcd08266
SHA1 30c92c6fb7985d57483ec85cedb150b8ed2b8e86
SHA256 fa7e6fb99dfa0cb4caca21dd97ac90fcdf4ff8b15c8de2b2c321c0f21353e0d6
SHA512 4b2bde49846d1c51ea05321b811429eec4ea94230b70011c60f4b31e913130139884c932cbfe286e77079b9abfd632dc4de4521aed65f1709bc4ca8a40b1ff13

C:\Windows\SysWOW64\Keioca32.exe

MD5 b0c1cb4627098462d1c764ec5e4b2ed1
SHA1 9de4e2ee029f6111963095b2cc2e60d2c689699a
SHA256 8cb5cd362ec46a246984096b8b473f9e874fcd5dd1b93f3d5b7747187579ebea
SHA512 0f59071fdde51843771fa6a1967876fed89276064fad039f5910bbd8f0a23cdc0fa43443556e83cce6405c5c3b7783c397dae6035a53093451f47ca602f5765b

\Windows\SysWOW64\Kdnkdmec.exe

MD5 0e74c56ed7bbf2ce3c40ba7e43becc1b
SHA1 240e4dfa85b11de602c82c763221cba9e238e74d
SHA256 6dd3bde32fa9f02a9b97f91b48cce5e0e99109359702113f0af341f0037a82c7
SHA512 8ce7db7e6c9185bf75c4b3407a3bce4b2ad552a60ef7b0f7bb9ba379a3feb49c6702b45c06d60ce4e46554c7f283a2929d8e9170ee7d276d54a39ee264b84352

\Windows\SysWOW64\Kjhcag32.exe

MD5 2902fc4dc33bd5107e383c7621dc7c65
SHA1 536d4405345e2d21d61289ade6f78e5ab09cfb54
SHA256 acf4652e0a184dcc46fdbebdcfe57097c502c50d3de05edf5898c0b4318d83bb
SHA512 8aeb7e9d0411272c47fb7aa55c5480dd0b49c8e486bbf9d5c5195e7c2d795eecf1b915c62ce918443fef76c67e3a534f52fc9f7af3fdf38dc9e44bbe7664627d

\Windows\SysWOW64\Khldkllj.exe

MD5 d567c9af83e7611e9b40acb5ddbf9f02
SHA1 0ec40b2f3d52e8c81626966d63236c1d346f85d4
SHA256 08cdae928e14789d3cae6e1779e45fb7cb2e3a8577fbf48971ff0a653f248c17
SHA512 f299d8d60fe73c771aebc114fc5a9b6237ae092dbcf0f0790ce31d680d42b9bc49b2dc9e17788a03364bd0b4eca730167f16a830f48d00d084e83262b8db2cff

\Windows\SysWOW64\Koflgf32.exe

MD5 c7525b444ef42abf77802b1529479db7
SHA1 e9b35d583b3f891ca42acf2059869822ddac6c51
SHA256 964b4df747e96fdcceba61d3b51ca38f3a4f966ba7e37b493a090ed3e50e4acb
SHA512 51f9055a0b29f44d51316e9b242e6d56158f6b2e0bd01d0848d6ac8ff191393be8939fdbefce78532a570c19be235427f0dc7afe032a5580c61a58bdade713fe

\Windows\SysWOW64\Kkmmlgik.exe

MD5 84fe42cf947ac57673717253475215e2
SHA1 b28b7f9f492be193b3bc0870bd77d30fed8c4961
SHA256 47d6273a4724cc4631a7edfae294722bbbdc4ececc8cd27a4684bcce30a3cc08
SHA512 928c6fedbb47fe5a8bd8fd7a10fb23bea7739a0bf1ce29f314150073667fccea58d37d337d68fc49e1a05f0d27adfb9896a4af8cec4f6cda717a28f59a1ce775

C:\Windows\SysWOW64\Kageia32.exe

MD5 61841ab18c4d3384034d1c62ddf22da5
SHA1 9caeeb2a8048b43b65ab81fad2b7ed52f85b6166
SHA256 825fa9706478305b8793c391519bf359ae32b3ae79d17cc335d8af027c5ade2e
SHA512 1eac4266a4368829a3644ad16c14bbf6bb6819c824443a98248be58b10affd1eb53eb1995b7b25e6b8477143c5a4fa91f6a73c240d8be2a4e8a47841e8ce2ea8

\Windows\SysWOW64\Kgcnahoo.exe

MD5 a23d83f9e9ea99d7d618028b0ee89265
SHA1 85aa7d6025d3d5404ec8a3a41c8051bf5584b359
SHA256 ada5be23b55f09eeacf54f65a1aff88f7a7652122338f1adbd351b5b6fecf2a5
SHA512 8aedc75e5e097bba48474bc82df146e2a07c295192924a229ed8b7207d816b8cae0b1f731c793a567d042012afb097cf47321bd376b7c4643e026161e382c7db

\Windows\SysWOW64\Lbjofi32.exe

MD5 1726d6201008db20bb858ff5017eb79d
SHA1 4addf05a8bc4379ba68dfd4c81400fb203d705af
SHA256 ed47900d1e9b0f0f0da7101143ccbf02ef31725e0dea50488cb98cc2363431a1
SHA512 946051f70d689bee0d4be210eca8b29b257f9e4605d414261138b2cdf01ca8ff50ac332e312ca32cd0239ed9746784a0fab202c4e75b6233a15c78aea721a230

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 15:39

Reported

2024-09-16 15:41

Platform

win10v2004-20240910-en

Max time kernel

95s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahfmpnql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppolhcnm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgqlcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amlogfel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chiblk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfiddm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaoaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpdnjple.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chiblk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgnffj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bgnffj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgnomg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgeenfog.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amlogfel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akdilipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apmhiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bphgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bknlbhhe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aphnnafb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apmhiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amqhbe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgkiaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmeandma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ppolhcnm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amqhbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bpkdjofm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckgohf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bknlbhhe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpkdjofm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgifbhid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdaniq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bobabg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckgohf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahfmpnql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bobabg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phcgcqab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pffgom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmblagmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qodeajbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdkifmjq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgeenfog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckbemgcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkndie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qmeigg32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Pmnbfhal.exe N/A
N/A N/A C:\Windows\SysWOW64\Pplobcpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcgcqab.exe N/A
N/A N/A C:\Windows\SysWOW64\Pffgom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppolhcnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfiddm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmblagmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdmdnadc.exe N/A
N/A N/A C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmeigg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdoacabq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qodeajbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdaniq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akkffkhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aphnnafb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aknbkjfh.exe N/A
N/A N/A C:\Windows\SysWOW64\Amlogfel.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpoaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apmhiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aggpfkjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Amqhbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahfmpnql.exe N/A
N/A N/A C:\Windows\SysWOW64\Akdilipp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaoaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmmeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgkiaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bobabg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmeandma.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpdnjple.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdojjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgnffj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmjkic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bphgeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bknlbhhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpkdjofm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgelgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boldhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chdialdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckbemgcp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnaaib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdkifmjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgifbhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpbjkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chiblk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckgohf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgnomg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgqlcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnjdpaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Dddllkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkndie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dojqjdbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddgibkpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgeenfog.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkqaoe32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Apmhiq32.exe N/A
File created C:\Windows\SysWOW64\Akdilipp.exe C:\Windows\SysWOW64\Ahfmpnql.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdojjo32.exe C:\Windows\SysWOW64\Bpdnjple.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe C:\Windows\SysWOW64\Chdialdl.exe N/A
File created C:\Windows\SysWOW64\Ibmlia32.dll C:\Windows\SysWOW64\Chdialdl.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgifbhid.exe C:\Windows\SysWOW64\Cdkifmjq.exe N/A
File created C:\Windows\SysWOW64\Okhbek32.dll C:\Windows\SysWOW64\Cdkifmjq.exe N/A
File created C:\Windows\SysWOW64\Fmbgla32.dll C:\Windows\SysWOW64\Akkffkhk.exe N/A
File created C:\Windows\SysWOW64\Gcgplk32.dll C:\Windows\SysWOW64\Amlogfel.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Aaoaic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpkdjofm.exe C:\Windows\SysWOW64\Bknlbhhe.exe N/A
File created C:\Windows\SysWOW64\Cpkhqmjb.dll C:\Windows\SysWOW64\Cgifbhid.exe N/A
File created C:\Windows\SysWOW64\Nchkcb32.dll C:\Windows\SysWOW64\Dojqjdbl.exe N/A
File created C:\Windows\SysWOW64\Jcknij32.dll C:\Windows\SysWOW64\Ddgibkpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aphnnafb.exe N/A
File created C:\Windows\SysWOW64\Nflnbh32.dll C:\Windows\SysWOW64\Ckbemgcp.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkndie32.exe C:\Windows\SysWOW64\Dddllkbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe C:\Windows\SysWOW64\Dgeenfog.exe N/A
File created C:\Windows\SysWOW64\Bgnffj32.exe C:\Windows\SysWOW64\Bdojjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahfmpnql.exe C:\Windows\SysWOW64\Amqhbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaoaic32.exe C:\Windows\SysWOW64\Akdilipp.exe N/A
File created C:\Windows\SysWOW64\Ckbemgcp.exe C:\Windows\SysWOW64\Chdialdl.exe N/A
File created C:\Windows\SysWOW64\Lelgfl32.dll C:\Windows\SysWOW64\Cnaaib32.exe N/A
File created C:\Windows\SysWOW64\Cgqlcg32.exe C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
File created C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Pplobcpp.exe N/A
File created C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Aaoaic32.exe N/A
File created C:\Windows\SysWOW64\Bgelgi32.exe C:\Windows\SysWOW64\Bpkdjofm.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpbjkn32.exe C:\Windows\SysWOW64\Cgifbhid.exe N/A
File created C:\Windows\SysWOW64\Pfiddm32.exe C:\Windows\SysWOW64\Ppolhcnm.exe N/A
File created C:\Windows\SysWOW64\Ahfmpnql.exe C:\Windows\SysWOW64\Amqhbe32.exe N/A
File created C:\Windows\SysWOW64\Qodeajbg.exe C:\Windows\SysWOW64\Qdoacabq.exe N/A
File created C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aphnnafb.exe N/A
File created C:\Windows\SysWOW64\Bgkiaj32.exe C:\Windows\SysWOW64\Bdmmeo32.exe N/A
File created C:\Windows\SysWOW64\Jgddkelm.dll C:\Windows\SysWOW64\Bpkdjofm.exe N/A
File created C:\Windows\SysWOW64\Jhijep32.dll C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
File created C:\Windows\SysWOW64\Ennamn32.dll C:\Windows\SysWOW64\Cgqlcg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Akkffkhk.exe N/A
File created C:\Windows\SysWOW64\Pmblagmf.exe C:\Windows\SysWOW64\Pfiddm32.exe N/A
File created C:\Windows\SysWOW64\Pdmdnadc.exe C:\Windows\SysWOW64\Pmblagmf.exe N/A
File created C:\Windows\SysWOW64\Qdaniq32.exe C:\Windows\SysWOW64\Qodeajbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe C:\Windows\SysWOW64\Bgnffj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bknlbhhe.exe C:\Windows\SysWOW64\Bphgeo32.exe N/A
File created C:\Windows\SysWOW64\Mqnbqh32.dll C:\Windows\SysWOW64\Bphgeo32.exe N/A
File created C:\Windows\SysWOW64\Cpbjkn32.exe C:\Windows\SysWOW64\Cgifbhid.exe N/A
File created C:\Windows\SysWOW64\Kfcfimfi.dll C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File opened for modification C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Apmhiq32.exe N/A
File created C:\Windows\SysWOW64\Hbobhb32.dll C:\Windows\SysWOW64\Amqhbe32.exe N/A
File created C:\Windows\SysWOW64\Bobabg32.exe C:\Windows\SysWOW64\Bgkiaj32.exe N/A
File created C:\Windows\SysWOW64\Bhqndghj.dll C:\Windows\SysWOW64\Boldhf32.exe N/A
File created C:\Windows\SysWOW64\Chiblk32.exe C:\Windows\SysWOW64\Cpbjkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckgohf32.exe C:\Windows\SysWOW64\Chiblk32.exe N/A
File created C:\Windows\SysWOW64\Nalhik32.dll C:\Windows\SysWOW64\Cnjdpaki.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmnbfhal.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Dgeenfog.exe C:\Windows\SysWOW64\Ddgibkpc.exe N/A
File created C:\Windows\SysWOW64\Dgeaknci.dll C:\Windows\SysWOW64\Akpoaj32.exe N/A
File created C:\Windows\SysWOW64\Ieoigp32.dll C:\Windows\SysWOW64\Aggpfkjj.exe N/A
File created C:\Windows\SysWOW64\Aaoaic32.exe C:\Windows\SysWOW64\Akdilipp.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe C:\Windows\SysWOW64\Bdmmeo32.exe N/A
File created C:\Windows\SysWOW64\Cgnomg32.exe C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgnomg32.exe C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
File created C:\Windows\SysWOW64\Ijilflah.dll C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
File created C:\Windows\SysWOW64\Idaiki32.dll C:\Windows\SysWOW64\Ppolhcnm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dddllkbf.exe C:\Windows\SysWOW64\Cnjdpaki.exe N/A
File created C:\Windows\SysWOW64\Iafphi32.dll C:\Windows\SysWOW64\Pfiddm32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akkffkhk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckgohf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkqaoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmblagmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apmhiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkndie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akdilipp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amlogfel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bpdnjple.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgnffj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boldhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgifbhid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgeenfog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amqhbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaoaic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmeandma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgnomg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmjkic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bphgeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chdialdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qodeajbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bobabg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bknlbhhe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phcgcqab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppolhcnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qfkqjmdg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdoacabq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aphnnafb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dddllkbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahfmpnql.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bpkdjofm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pplobcpp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfiddm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgkiaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdkifmjq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmeigg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdojjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckbemgcp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pffgom32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnaaib32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chiblk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdaniq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akpoaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgqlcg32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmblagmf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaoaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Boldhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll" C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll" C:\Windows\SysWOW64\Qmeigg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll" C:\Windows\SysWOW64\Bgkiaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdojjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dddllkbf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkndie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll" C:\Windows\SysWOW64\Pfiddm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amlogfel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bphgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" C:\Windows\SysWOW64\Qdoacabq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahfmpnql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" C:\Windows\SysWOW64\Akdilipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll" C:\Windows\SysWOW64\Bmjkic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bphgeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bpkdjofm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pplobcpp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phcgcqab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" C:\Windows\SysWOW64\Qodeajbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll" C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bgkiaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akkffkhk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akdilipp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bobabg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmeandma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" C:\Windows\SysWOW64\Cgqlcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" C:\Windows\SysWOW64\Bknlbhhe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckbemgcp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" C:\Windows\SysWOW64\Bmeandma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll" C:\Windows\SysWOW64\Boldhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckgohf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" C:\Windows\SysWOW64\Dddllkbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmblagmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chdialdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgnomg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" C:\Windows\SysWOW64\Cgnomg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll" C:\Windows\SysWOW64\Akkffkhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akkffkhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akpoaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apmhiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amqhbe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bpdnjple.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmjkic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckbemgcp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" C:\Windows\SysWOW64\Phcgcqab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Pmnbfhal.exe
PID 864 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Pmnbfhal.exe
PID 864 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Pmnbfhal.exe
PID 2292 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Pmnbfhal.exe C:\Windows\SysWOW64\Pplobcpp.exe
PID 2292 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Pmnbfhal.exe C:\Windows\SysWOW64\Pplobcpp.exe
PID 2292 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Pmnbfhal.exe C:\Windows\SysWOW64\Pplobcpp.exe
PID 2816 wrote to memory of 2368 N/A C:\Windows\SysWOW64\Pplobcpp.exe C:\Windows\SysWOW64\Phcgcqab.exe
PID 2816 wrote to memory of 2368 N/A C:\Windows\SysWOW64\Pplobcpp.exe C:\Windows\SysWOW64\Phcgcqab.exe
PID 2816 wrote to memory of 2368 N/A C:\Windows\SysWOW64\Pplobcpp.exe C:\Windows\SysWOW64\Phcgcqab.exe
PID 2368 wrote to memory of 600 N/A C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Pffgom32.exe
PID 2368 wrote to memory of 600 N/A C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Pffgom32.exe
PID 2368 wrote to memory of 600 N/A C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Pffgom32.exe
PID 600 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Pffgom32.exe C:\Windows\SysWOW64\Ppolhcnm.exe
PID 600 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Pffgom32.exe C:\Windows\SysWOW64\Ppolhcnm.exe
PID 600 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Pffgom32.exe C:\Windows\SysWOW64\Ppolhcnm.exe
PID 1820 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Ppolhcnm.exe C:\Windows\SysWOW64\Pfiddm32.exe
PID 1820 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Ppolhcnm.exe C:\Windows\SysWOW64\Pfiddm32.exe
PID 1820 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Ppolhcnm.exe C:\Windows\SysWOW64\Pfiddm32.exe
PID 5060 wrote to memory of 952 N/A C:\Windows\SysWOW64\Pfiddm32.exe C:\Windows\SysWOW64\Pmblagmf.exe
PID 5060 wrote to memory of 952 N/A C:\Windows\SysWOW64\Pfiddm32.exe C:\Windows\SysWOW64\Pmblagmf.exe
PID 5060 wrote to memory of 952 N/A C:\Windows\SysWOW64\Pfiddm32.exe C:\Windows\SysWOW64\Pmblagmf.exe
PID 952 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Pmblagmf.exe C:\Windows\SysWOW64\Pdmdnadc.exe
PID 952 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Pmblagmf.exe C:\Windows\SysWOW64\Pdmdnadc.exe
PID 952 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Pmblagmf.exe C:\Windows\SysWOW64\Pdmdnadc.exe
PID 1724 wrote to memory of 4852 N/A C:\Windows\SysWOW64\Pdmdnadc.exe C:\Windows\SysWOW64\Qfkqjmdg.exe
PID 1724 wrote to memory of 4852 N/A C:\Windows\SysWOW64\Pdmdnadc.exe C:\Windows\SysWOW64\Qfkqjmdg.exe
PID 1724 wrote to memory of 4852 N/A C:\Windows\SysWOW64\Pdmdnadc.exe C:\Windows\SysWOW64\Qfkqjmdg.exe
PID 4852 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Qmeigg32.exe
PID 4852 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Qmeigg32.exe
PID 4852 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Qfkqjmdg.exe C:\Windows\SysWOW64\Qmeigg32.exe
PID 4380 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Qdoacabq.exe
PID 4380 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Qdoacabq.exe
PID 4380 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Qmeigg32.exe C:\Windows\SysWOW64\Qdoacabq.exe
PID 4148 wrote to memory of 412 N/A C:\Windows\SysWOW64\Qdoacabq.exe C:\Windows\SysWOW64\Qodeajbg.exe
PID 4148 wrote to memory of 412 N/A C:\Windows\SysWOW64\Qdoacabq.exe C:\Windows\SysWOW64\Qodeajbg.exe
PID 4148 wrote to memory of 412 N/A C:\Windows\SysWOW64\Qdoacabq.exe C:\Windows\SysWOW64\Qodeajbg.exe
PID 412 wrote to memory of 2804 N/A C:\Windows\SysWOW64\Qodeajbg.exe C:\Windows\SysWOW64\Qdaniq32.exe
PID 412 wrote to memory of 2804 N/A C:\Windows\SysWOW64\Qodeajbg.exe C:\Windows\SysWOW64\Qdaniq32.exe
PID 412 wrote to memory of 2804 N/A C:\Windows\SysWOW64\Qodeajbg.exe C:\Windows\SysWOW64\Qdaniq32.exe
PID 2804 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Qdaniq32.exe C:\Windows\SysWOW64\Akkffkhk.exe
PID 2804 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Qdaniq32.exe C:\Windows\SysWOW64\Akkffkhk.exe
PID 2804 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Qdaniq32.exe C:\Windows\SysWOW64\Akkffkhk.exe
PID 1700 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Akkffkhk.exe C:\Windows\SysWOW64\Aphnnafb.exe
PID 1700 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Akkffkhk.exe C:\Windows\SysWOW64\Aphnnafb.exe
PID 1700 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Akkffkhk.exe C:\Windows\SysWOW64\Aphnnafb.exe
PID 2780 wrote to memory of 3216 N/A C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 2780 wrote to memory of 3216 N/A C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 2780 wrote to memory of 3216 N/A C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 3216 wrote to memory of 220 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Amlogfel.exe
PID 3216 wrote to memory of 220 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Amlogfel.exe
PID 3216 wrote to memory of 220 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Amlogfel.exe
PID 220 wrote to memory of 3844 N/A C:\Windows\SysWOW64\Amlogfel.exe C:\Windows\SysWOW64\Akpoaj32.exe
PID 220 wrote to memory of 3844 N/A C:\Windows\SysWOW64\Amlogfel.exe C:\Windows\SysWOW64\Akpoaj32.exe
PID 220 wrote to memory of 3844 N/A C:\Windows\SysWOW64\Amlogfel.exe C:\Windows\SysWOW64\Akpoaj32.exe
PID 3844 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Akpoaj32.exe C:\Windows\SysWOW64\Apmhiq32.exe
PID 3844 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Akpoaj32.exe C:\Windows\SysWOW64\Apmhiq32.exe
PID 3844 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Akpoaj32.exe C:\Windows\SysWOW64\Apmhiq32.exe
PID 2648 wrote to memory of 3272 N/A C:\Windows\SysWOW64\Apmhiq32.exe C:\Windows\SysWOW64\Aggpfkjj.exe
PID 2648 wrote to memory of 3272 N/A C:\Windows\SysWOW64\Apmhiq32.exe C:\Windows\SysWOW64\Aggpfkjj.exe
PID 2648 wrote to memory of 3272 N/A C:\Windows\SysWOW64\Apmhiq32.exe C:\Windows\SysWOW64\Aggpfkjj.exe
PID 3272 wrote to memory of 3868 N/A C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Amqhbe32.exe
PID 3272 wrote to memory of 3868 N/A C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Amqhbe32.exe
PID 3272 wrote to memory of 3868 N/A C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Amqhbe32.exe
PID 3868 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Amqhbe32.exe C:\Windows\SysWOW64\Ahfmpnql.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Pplobcpp.exe

C:\Windows\system32\Pplobcpp.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Pffgom32.exe

C:\Windows\system32\Pffgom32.exe

C:\Windows\SysWOW64\Ppolhcnm.exe

C:\Windows\system32\Ppolhcnm.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qmeigg32.exe

C:\Windows\system32\Qmeigg32.exe

C:\Windows\SysWOW64\Qdoacabq.exe

C:\Windows\system32\Qdoacabq.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Aphnnafb.exe

C:\Windows\system32\Aphnnafb.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Amlogfel.exe

C:\Windows\system32\Amlogfel.exe

C:\Windows\SysWOW64\Akpoaj32.exe

C:\Windows\system32\Akpoaj32.exe

C:\Windows\SysWOW64\Apmhiq32.exe

C:\Windows\system32\Apmhiq32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Amqhbe32.exe

C:\Windows\system32\Amqhbe32.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Aaoaic32.exe

C:\Windows\system32\Aaoaic32.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bgkiaj32.exe

C:\Windows\system32\Bgkiaj32.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\system32\Bobabg32.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bpdnjple.exe

C:\Windows\system32\Bpdnjple.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Bmjkic32.exe

C:\Windows\system32\Bmjkic32.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Bknlbhhe.exe

C:\Windows\system32\Bknlbhhe.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Cpbjkn32.exe

C:\Windows\system32\Cpbjkn32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Cgnomg32.exe

C:\Windows\system32\Cgnomg32.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Dkndie32.exe

C:\Windows\system32\Dkndie32.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Ddgibkpc.exe

C:\Windows\system32\Ddgibkpc.exe

C:\Windows\SysWOW64\Dgeenfog.exe

C:\Windows\system32\Dgeenfog.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4180 -ip 4180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

SHA1 e2c4e4c6f8ffc26611a39d29f8bbecb3bbb5efe0
SHA256 778fe7ca8b2e9badfb363bb07b2f9fc981cbfc70bd182eef81309a2a57fee310
SHA512 8026248f82562ca5232ea408cd9b07f1432e4f5a5d6b5f0248368a33dca3643ed7a82e844e54dbf38ac0bf4ef2264f70ea79ef00ca1dda5586257a0f165203b9

C:\Windows\SysWOW64\Aaoaic32.exe

MD5 c9b65b58b29a0bac003edbba8a85f617
SHA1 3b63a54577e14a81664cba94754c560be4f6d7a0
SHA256 4b08930f4ebf00b51047b1d3f21999bff0b453b1ab36c63c3fd9352fc3f19038
SHA512 41979b7154470788e3c05038c200f9eb07bd1b917896dfec26d2043beac3628a649f64f30ce8a02b6f7e8071b7c9b4fcf4224e0739144e625299364fceda076a

memory/1812-208-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1700-206-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bdmmeo32.exe

MD5 a55b75f25def1c9ce6aa3f26eba0c03f
SHA1 cc6511adaf880d969b260eae88b2a00adc919967
SHA256 429d83f397762ee22cdbf4e82d52e516d5ecc94f6a2843ee0aa73261d02cf63d
SHA512 8d0f511e0c1b5e42e7530ec01db27c09710d4062872494ac334897d9b2aada59e93035d6c41057fe0d915bfe449d8934ad30aed929e8b7cc43d210c4791d84d4

memory/2780-216-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1920-221-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bgkiaj32.exe

MD5 f65354344828e1962002d9d26b173df0
SHA1 4005e8c384ff59adb5c8f4b1f23df3376610dde6
SHA256 8cacb1160b20b3c9f167d135d6994115fb5d15cebbd7f22aaa627d4db7fc8b13
SHA512 c60939fff5504b48f11f26186b55e2d9988d5ace03373fdbe3b7cf852532cac7d1b85c98faf60368df201de4b6ba131981bb3ba48e8bf5593c59496930e8ff5b

memory/4572-230-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bobabg32.exe

MD5 3dee73641299c146b476acadee39e8b2
SHA1 4b680e78c064477d2fbbcda4f1db2621b4409ae7
SHA256 0382dd164cd6371cbe7738dbe7fe304156fe018ae9944ef3860effc3c6a24210
SHA512 2d9464987faa4c891ba8d57d8163ccb4fdccc0fb2eb193ebb8b6541bba68753b6f8a5faccf0a87a0abc5dff54378610eceb28cff243de0fb20acd12e39cc43b6

memory/4904-239-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bmeandma.exe

MD5 97e78ef531cc83d9674b1265d17f926d
SHA1 7b71364d1ea6fb820b07e13c4c5586b963f8cbb5
SHA256 5d1b8828439a23478b3f9eb5c2d034a0ea83b202c245d918974ec12a896fe6d6
SHA512 49da9238078d5653db0858cf3d7d75e29a8a5c3254f119b2e217f5833cc65db1d379ae0b2622a3870bf7e53787e33829e6ac12848461248cb4ec492a160a7f9b

memory/3844-243-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bpdnjple.exe

MD5 50172a7130793b4bc8542ca2fadc5a39
SHA1 6f64b6371c75fe9343814326b230d59fee63b070
SHA256 12786ed9f80bc8e9d8cf8ff72cce22d5e40e173276773bb02a8142bde19e220b
SHA512 8d47c235f9d7f9629849c7405f50698ed39c5deee22567f2fb54f37e77f7bfb7e7d7145d3ed4a8a5728945179af7c1dea51c4fe919284feee877ea7f8fe09be9

C:\Windows\SysWOW64\Bdojjo32.exe

MD5 c4021619296724c895ecaa1eabd26ef6
SHA1 c68625be897dc2413cbdb6312a68bc92b2d3f27f
SHA256 7cf2e3c313313663f0955998906ea0dcd792cad081281a184160efe9e1a015ee
SHA512 7fd5aefeee7c23288fa8a94875b8377105feaec8322498bec17a8a02e62c00c5a404255ab1919677ef331daeb8ed854c2be760a5e2ed10f0321e11dcd22c0022

C:\Windows\SysWOW64\Bgnffj32.exe

MD5 5297c3f77477cf4928e3f9d7666de94d
SHA1 ff9bf8be7365a5100e08297036ed1fd6cce1848c
SHA256 81907d2aa93752ed1d409199450fa9f6e43c84e38eed8347ef323b63c762a54e
SHA512 e5d8ad14b082b5e65a92c3be4c6e99354583a0a9002922d6d31d9dddeaafbe4fec13977d3b102506877736a12e759db25e2b64dd5a73e7b8710919345bdd0117

memory/1924-271-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3868-270-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3272-267-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4416-266-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4672-265-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2648-264-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3632-255-0x0000000000400000-0x0000000000440000-memory.dmp

memory/220-234-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3216-229-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bmjkic32.exe

MD5 ef9a12bc5b48c9307d5c6e09348a3040
SHA1 a9a7bdde803d59820656ca1413dfce7ef6549af4
SHA256 25538db6a8f9f099802ac225e7aa0a58dcdb3612faa6169aa0d4feea9f5031b5
SHA512 17194bd20fd80870929ecface58b3d571db80a0792024e55e5d5e58f8ac93cf12d442a30c68bc84247500357fcb56805d5634eea7ba4275da0d0a779bc7ef461

memory/1032-280-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2132-278-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5012-287-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3912-286-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2308-294-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1812-293-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2664-301-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1920-300-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1520-307-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2600-315-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3632-314-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4904-313-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2012-321-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3364-327-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4532-333-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3812-340-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1924-339-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2416-347-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1032-346-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3128-354-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5012-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2308-360-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3168-361-0x0000000000400000-0x0000000000440000-memory.dmp

memory/684-368-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2664-367-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1520-374-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3984-375-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1608-382-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2600-381-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4900-389-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2012-388-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1732-396-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3364-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4532-402-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1080-403-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1536-410-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3812-409-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1928-417-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2416-416-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3752-424-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3128-423-0x0000000000400000-0x0000000000440000-memory.dmp