Malware Analysis Report

2025-03-15 09:46

Sample ID 240916-s92gxswckg
Target Backdoor.Win32.Berbew.pzd1a4494b678e0147a9e2bae9de78d249bc43d6dbe72e82b79704b32cf65f3abdN
SHA256 d1a4494b678e0147a9e2bae9de78d249bc43d6dbe72e82b79704b32cf65f3abd
Tags berbew backdoor discovery persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d1a4494b678e0147a9e2bae9de78d249bc43d6dbe72e82b79704b32cf65f3abd

Threat Level: Known bad

The file Backdoor.Win32.Berbew.pzd1a4494b678e0147a9e2bae9de78d249bc43d6dbe72e82b79704b32cf65f3abdN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-09-16 15:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-16 15:50

Reported 2024-09-16 15:52

Platform win7-20240903-en

Max time kernel 118s

Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jabponba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jipaip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpgionie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imbjcpnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jipaip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jefbnacn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kapohbfp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbhbai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnagmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcqlkjae.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iamfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jggoqimd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcqlkjae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbhbai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jabponba.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jlnmel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jlnmel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kipmhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kipmhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Japciodd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jefbnacn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpgionie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jikhnaao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmimcbja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kapohbfp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klecfkff.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Japciodd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jggoqimd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmimcbja.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imbjcpnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llpfjomf.exe N/A

Berbew

backdoor berbew

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Windows\SysWOW64\Imbjcpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Imbjcpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Iamfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iamfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jggoqimd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jggoqimd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnagmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnagmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnagmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnagmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Japciodd.exe N/A
N/A N/A C:\Windows\SysWOW64\Japciodd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikhnaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikhnaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Jabponba.exe N/A
N/A N/A C:\Windows\SysWOW64\Jabponba.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcqlkjae.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcqlkjae.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfohgepi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfohgepi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjjdhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjjdhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jipaip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jipaip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlnmel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlnmel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jefbnacn.exe N/A
N/A N/A C:\Windows\SysWOW64\Jefbnacn.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhenjmbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhenjmbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kidjdpie.exe N/A
N/A N/A C:\Windows\SysWOW64\Kidjdpie.exe N/A
N/A N/A C:\Windows\SysWOW64\Klcgpkhh.exe N/A
N/A N/A C:\Windows\SysWOW64\Klcgpkhh.exe N/A
N/A N/A C:\Windows\SysWOW64\Kapohbfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kapohbfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdnkdmec.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdnkdmec.exe N/A
N/A N/A C:\Windows\SysWOW64\Klecfkff.exe N/A
N/A N/A C:\Windows\SysWOW64\Klecfkff.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmfpmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmfpmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjpggkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjpggkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimcbja.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimcbja.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgionie.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgionie.exe N/A
N/A N/A C:\Windows\SysWOW64\Kipmhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kipmhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbhbai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbhbai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgcnahoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgcnahoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Llpfjomf.exe N/A
N/A N/A C:\Windows\SysWOW64\Llpfjomf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Jggoqimd.exe C:\Windows\SysWOW64\Iamfdo32.exe N/A
File created C:\Windows\SysWOW64\Jcqlkjae.exe C:\Windows\SysWOW64\Jabponba.exe N/A
File opened for modification C:\Windows\SysWOW64\Kapohbfp.exe C:\Windows\SysWOW64\Klcgpkhh.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Kmimcbja.exe N/A
File opened for modification C:\Windows\SysWOW64\Kipmhc32.exe C:\Windows\SysWOW64\Kpgionie.exe N/A
File created C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Jefbnacn.exe N/A
File created C:\Windows\SysWOW64\Ekhnnojb.dll C:\Windows\SysWOW64\Jggoqimd.exe N/A
File created C:\Windows\SysWOW64\Japciodd.exe C:\Windows\SysWOW64\Jnagmc32.exe N/A
File created C:\Windows\SysWOW64\Oiahkhpo.dll C:\Windows\SysWOW64\Jikhnaao.exe N/A
File created C:\Windows\SysWOW64\Qmgaio32.dll C:\Windows\SysWOW64\Jcqlkjae.exe N/A
File opened for modification C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\SysWOW64\Jlnmel32.exe N/A
File created C:\Windows\SysWOW64\Qmeedp32.dll C:\Windows\SysWOW64\Japciodd.exe N/A
File created C:\Windows\SysWOW64\Kmnfciac.dll C:\Windows\SysWOW64\Jlnmel32.exe N/A
File created C:\Windows\SysWOW64\Caefjg32.dll C:\Windows\SysWOW64\Kapohbfp.exe N/A
File created C:\Windows\SysWOW64\Dkpnde32.dll C:\Windows\SysWOW64\Kpgionie.exe N/A
File created C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Imbjcpnn.exe N/A
File opened for modification C:\Windows\SysWOW64\Klecfkff.exe C:\Windows\SysWOW64\Kdnkdmec.exe N/A
File created C:\Windows\SysWOW64\Kmfpmc32.exe C:\Windows\SysWOW64\Klecfkff.exe N/A
File created C:\Windows\SysWOW64\Ipafocdg.dll C:\Windows\SysWOW64\Llpfjomf.exe N/A
File created C:\Windows\SysWOW64\Bodilc32.dll C:\Windows\SysWOW64\Kkjpggkn.exe N/A
File created C:\Windows\SysWOW64\Kbhbai32.exe C:\Windows\SysWOW64\Kipmhc32.exe N/A
File created C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Japciodd.exe N/A
File created C:\Windows\SysWOW64\Mebgijei.dll C:\Windows\SysWOW64\Jfohgepi.exe N/A
File opened for modification C:\Windows\SysWOW64\Jlnmel32.exe C:\Windows\SysWOW64\Jipaip32.exe N/A
File created C:\Windows\SysWOW64\Klcgpkhh.exe C:\Windows\SysWOW64\Kidjdpie.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkjpggkn.exe C:\Windows\SysWOW64\Kmfpmc32.exe N/A
File created C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\SysWOW64\Kapohbfp.exe N/A
File created C:\Windows\SysWOW64\Kcadppco.dll C:\Windows\SysWOW64\Klecfkff.exe N/A
File created C:\Windows\SysWOW64\Bndneq32.dll C:\Windows\SysWOW64\Kipmhc32.exe N/A
File created C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jggoqimd.exe N/A
File opened for modification C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jggoqimd.exe N/A
File created C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jfohgepi.exe N/A
File created C:\Windows\SysWOW64\Ikbilijo.dll C:\Windows\SysWOW64\Jjjdhc32.exe N/A
File created C:\Windows\SysWOW64\Kapohbfp.exe C:\Windows\SysWOW64\Klcgpkhh.exe N/A
File created C:\Windows\SysWOW64\Mlpckqje.dll C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File opened for modification C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jjjdhc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmfpmc32.exe C:\Windows\SysWOW64\Klecfkff.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekhnnojb.dll C:\Windows\SysWOW64\Jnagmc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jcqlkjae.exe N/A
File created C:\Windows\SysWOW64\Jmegnj32.dll C:\Windows\SysWOW64\Klcgpkhh.exe N/A
File created C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\SysWOW64\Kkjpggkn.exe N/A
File created C:\Windows\SysWOW64\Imbjcpnn.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Mnpkephg.dll C:\Windows\SysWOW64\Jipaip32.exe N/A
File created C:\Windows\SysWOW64\Kipmhc32.exe C:\Windows\SysWOW64\Kpgionie.exe N/A
File created C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Kgcnahoo.exe N/A
File created C:\Windows\SysWOW64\Aiomcb32.dll C:\Windows\SysWOW64\Jhenjmbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\SysWOW64\Kkjpggkn.exe N/A
File created C:\Windows\SysWOW64\Jbdhhp32.dll C:\Windows\SysWOW64\Kmimcbja.exe N/A
File created C:\Windows\SysWOW64\Gkddco32.dll C:\Windows\SysWOW64\Imbjcpnn.exe N/A
File created C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jnagmc32.exe N/A
File created C:\Windows\SysWOW64\Hpdjnn32.dll C:\Windows\SysWOW64\Jnagmc32.exe N/A
File created C:\Windows\SysWOW64\Cmojeo32.dll C:\Windows\SysWOW64\Jabponba.exe N/A
File created C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jcqlkjae.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Kbhbai32.exe N/A
File created C:\Windows\SysWOW64\Kkjpggkn.exe C:\Windows\SysWOW64\Kmfpmc32.exe N/A
File created C:\Windows\SysWOW64\Hlekjpbi.dll C:\Windows\SysWOW64\Kmfpmc32.exe N/A
File created C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Llpfjomf.exe N/A
File opened for modification C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Imbjcpnn.exe N/A
File created C:\Windows\SysWOW64\Keppajog.dll C:\Windows\SysWOW64\Iamfdo32.exe N/A
File created C:\Windows\SysWOW64\Jabponba.exe C:\Windows\SysWOW64\Jikhnaao.exe N/A
File created C:\Windows\SysWOW64\Kidjdpie.exe C:\Windows\SysWOW64\Jhenjmbb.exe N/A
File created C:\Windows\SysWOW64\Mmofpf32.dll C:\Windows\SysWOW64\Kidjdpie.exe N/A
File created C:\Windows\SysWOW64\Jggoqimd.exe C:\Windows\SysWOW64\Iamfdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Japciodd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcqlkjae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jipaip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jefbnacn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbhbai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kidjdpie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpgionie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kipmhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Japciodd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jabponba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlnmel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klecfkff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jggoqimd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kapohbfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbjofi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Imbjcpnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmimcbja.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll" C:\Windows\SysWOW64\Japciodd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jabponba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jlnmel32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kidjdpie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Japciodd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jipaip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll" C:\Windows\SysWOW64\Kpgionie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iamfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" C:\Windows\SysWOW64\Iamfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jipaip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jcqlkjae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jefbnacn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jabponba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jfohgepi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll" C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kipmhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnagmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll" C:\Windows\SysWOW64\Jefbnacn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmimcbja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jggoqimd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll" C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbhbai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Japciodd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kapohbfp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" C:\Windows\SysWOW64\Kipmhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbhbai32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmimcbja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Imbjcpnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcqlkjae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kapohbfp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" C:\Windows\SysWOW64\Kbhbai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" C:\Windows\SysWOW64\Jggoqimd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jggoqimd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfohgepi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll" C:\Windows\SysWOW64\Jipaip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll" C:\Windows\SysWOW64\Imbjcpnn.exe N/A
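
The rows above are the two halves of one persistence mechanism. The ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value is repointed by each successive copy at whichever DLL it just dropped into SysWow64 (Lpgcln32.dll, Pdnfmn32.dll, Hlekjpbi.dll, Bndneq32.dll and so on), with ThreadingModel set to Apartment so the object loads in-process. Explorer loads SSODL objects at logon, so whichever DLL the key names last is what survives a reboot, independent of the dozens of dropped executables. The check below walks that chain on a live host. It is an added example, not code from the report or from the sandbox vendor: the function name, output fields and the Suspicious heuristic are ours, the CLSID is the one from the table, and it assumes an elevated 64-bit PowerShell 5.1 or later.

```powershell
# Added example (not part of the sandbox report): resolve every
# ShellServiceObjectDelayLoad (SSODL) value to the DLL Explorer will load for it.
# Assumes an elevated 64-bit PowerShell 5.1+ on the host under investigation.
# The CLSID below is the one written by this sample; the function name is ours.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

# Each SSODL key is paired with the CLSID hive that a loader of that bitness consults.
$Views = @(
    [pscustomobject]@{ Name = 'Native'
        Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    [pscustomobject]@{ Name = 'Wow6432Node'
        Ssodl = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

function Resolve-SsodlEntry {
    foreach ($view in $Views) {
        if (-not (Test-Path -Path $view.Ssodl)) { continue }
        $key = Get-Item -Path $view.Ssodl
        foreach ($valueName in $key.GetValueNames()) {
            $clsid = [string]$key.GetValue($valueName)

            # HKCR merges HKCU\Software\Classes over HKLM\Software\Classes, so a per-user
            # InProcServer32 wins; check it first, then the HKLM hive for this view.
            $inProcKeys = @(
                "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32",
                (Join-Path -Path $view.Clsid -ChildPath "$clsid\InProcServer32")
            )
            $inProcKey = $inProcKeys | Where-Object { Test-Path -Path $_ } | Select-Object -First 1

            $dll = $null
            if ($inProcKey) {
                # The DLL path is the key's default value; expand %SystemRoot%-style references.
                $dll = [Environment]::ExpandEnvironmentVariables(
                    [string](Get-ItemProperty -Path $inProcKey).'(default)')
            }

            $sigStatus = 'FileMissing'
            if ($dll -and (Test-Path -Path $dll)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            }

            [pscustomobject]@{
                View       = $view.Name
                ValueName  = $valueName
                CLSID      = $clsid
                InProcKey  = $inProcKey
                Dll        = $dll
                Signature  = $sigStatus
                # Flag the CLSID from this report, and any SSODL object whose DLL is not validly signed.
                Suspicious = ($clsid -ieq $KnownBadClsid) -or ($sigStatus -ne 'Valid')
            }
        }
    }
}

Resolve-SsodlEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. On Windows 7, the platform of this detonation, Get-AuthenticodeSignature does not consult the system catalogs, so legitimate catalog-signed shell objects also report NotSigned there; treat Suspicious as a review queue and decide on the DLL path, hash and the CLSID, not on the signature status alone. And because the sample rewrites the InProcServer32 value every time a new copy runs, the DLL you find named in the key is only the most recent one; the earlier dropped DLLs are still on disk in SysWOW64 and need a file-system sweep of their own.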

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Imbjcpnn.exe
PID 2196 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Imbjcpnn.exe
PID 2196 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Imbjcpnn.exe
PID 2196 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Imbjcpnn.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Imbjcpnn.exe C:\Windows\SysWOW64\Iamfdo32.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Imbjcpnn.exe C:\Windows\SysWOW64\Iamfdo32.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Imbjcpnn.exe C:\Windows\SysWOW64\Iamfdo32.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Imbjcpnn.exe C:\Windows\SysWOW64\Iamfdo32.exe
PID 2736 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Jggoqimd.exe
PID 2736 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Jggoqimd.exe
PID 2736 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Jggoqimd.exe
PID 2736 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Jggoqimd.exe
PID 2832 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Jggoqimd.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 2832 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Jggoqimd.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 2832 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Jggoqimd.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 2832 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Jggoqimd.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 2548 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 2548 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 2548 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 2548 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jnagmc32.exe
PID 1360 wrote to memory of 340 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Japciodd.exe
PID 1360 wrote to memory of 340 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Japciodd.exe
PID 1360 wrote to memory of 340 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Japciodd.exe
PID 1360 wrote to memory of 340 N/A C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Japciodd.exe
PID 340 wrote to memory of 400 N/A C:\Windows\SysWOW64\Japciodd.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 340 wrote to memory of 400 N/A C:\Windows\SysWOW64\Japciodd.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 340 wrote to memory of 400 N/A C:\Windows\SysWOW64\Japciodd.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 340 wrote to memory of 400 N/A C:\Windows\SysWOW64\Japciodd.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 400 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jabponba.exe
PID 400 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jabponba.exe
PID 400 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jabponba.exe
PID 400 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jabponba.exe
PID 1292 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Jabponba.exe C:\Windows\SysWOW64\Jcqlkjae.exe
PID 1292 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Jabponba.exe C:\Windows\SysWOW64\Jcqlkjae.exe
PID 1292 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Jabponba.exe C:\Windows\SysWOW64\Jcqlkjae.exe
PID 1292 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Jabponba.exe C:\Windows\SysWOW64\Jcqlkjae.exe
PID 1324 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Jcqlkjae.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 1324 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Jcqlkjae.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 1324 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Jcqlkjae.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 1324 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Jcqlkjae.exe C:\Windows\SysWOW64\Jfohgepi.exe
PID 1480 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 1480 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 1480 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 1480 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 2904 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 2904 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 2904 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 2904 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 2004 wrote to memory of 292 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jlnmel32.exe
PID 2004 wrote to memory of 292 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jlnmel32.exe
PID 2004 wrote to memory of 292 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jlnmel32.exe
PID 2004 wrote to memory of 292 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jlnmel32.exe
PID 292 wrote to memory of 620 N/A C:\Windows\SysWOW64\Jlnmel32.exe C:\Windows\SysWOW64\Jefbnacn.exe
PID 292 wrote to memory of 620 N/A C:\Windows\SysWOW64\Jlnmel32.exe C:\Windows\SysWOW64\Jefbnacn.exe
PID 292 wrote to memory of 620 N/A C:\Windows\SysWOW64\Jlnmel32.exe C:\Windows\SysWOW64\Jefbnacn.exe
PID 292 wrote to memory of 620 N/A C:\Windows\SysWOW64\Jlnmel32.exe C:\Windows\SysWOW64\Jefbnacn.exe
PID 620 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 620 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 620 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 620 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 2364 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Kidjdpie.exe
PID 2364 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Kidjdpie.exe
PID 2364 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Kidjdpie.exe
PID 2364 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Kidjdpie.exe
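
Read top to bottom, the table is a single lineage rather than a set of unrelated injections: each parent writes into the child it has just created (the repeated rows are separate write events for the same pair), so the sample in %TEMP% starts Imbjcpnn.exe, which starts Iamfdo32.exe, which starts Jggoqimd.exe, and so on through SysWOW64 copies with random eight-letter names, Jnagmc32.exe even launching a second copy of itself. On a live host the same tree can be recovered from WMI parent PIDs, and the image location plus the missing signature is what separates these copies from real SysWOW64 binaries. The hunt below is an added example, not code from the report or from the sandbox vendor. The function name and output fields are ours; the four SHA256 values are copied from this report's Files section; it assumes an elevated 64-bit PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example (not part of the sandbox report): list running processes whose image is
# under SysWOW64 but carries no valid Authenticode signature, hash each one, and print its
# parent lineage so chained self-copies appear as one tree rather than as isolated hits.
# Assumes an elevated 64-bit PowerShell 4.0+ on the host under investigation.
$SysWow64 = Join-Path -Path $env:SystemRoot -ChildPath 'SysWOW64'

# SHA256 of a few of the dropped executables listed under behavioral1 / Files in this report.
$ReportHashes = @(
    '733f9ec37b6d3eb2737d9130ac233744af93d9425b67e413e03eac279f0140bc',  # Imbjcpnn.exe
    'd22ccab5cd4ba7257e4808badad7668d19de165b3dc25908f099d39f0d9b9816',  # Iamfdo32.exe
    '78aea0748c1dc8a1f1adbd81047517b09d5338d202e6ad430e74962d42c04ea7',  # Jggoqimd.exe
    '2b053fb98b79cfe506747d01169f257cc0c29f056562d5eef8564dfb39edfc35'   # Jnagmc32.exe
) | ForEach-Object { $_.ToUpperInvariant() }

function Get-UnsignedSysWow64Process {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }   # protected and system processes expose no path
        if (-not $path.StartsWith($SysWow64, [StringComparison]::OrdinalIgnoreCase)) { continue }

        $status = (Get-AuthenticodeSignature -FilePath $path).Status
        if ($status -eq 'Valid') { continue }

        # Walk ParentProcessId upwards. WMI keeps the parent PID after the parent has exited
        # and PIDs are reused, so stop at an unknown PID or at the first repeat.
        $lineage = New-Object 'System.Collections.Generic.List[string]'
        $seen = @{}
        $cur = $p
        while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
            $seen[[int]$cur.ProcessId] = $true
            $lineage.Add(('{0}({1})' -f $cur.Name, $cur.ProcessId))
            $cur = $byPid[[int]$cur.ParentProcessId]
        }
        $lineage.Reverse()   # oldest ancestor first

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            PID       = $p.ProcessId
            Image     = $path
            Signature = $status
            SHA256    = $hash
            InReport  = ($ReportHashes -contains $hash)
            Lineage   = ($lineage -join ' -> ')
        }
    }
}

Get-UnsignedSysWow64Process | Sort-Object PID | Format-List
```

The original sample runs from the user's Temp directory, so it will not match the SysWOW64 filter itself but will show up at the root of its children's Lineage while it is still alive. The same Windows 7 caveat as for the registry check applies: without catalog validation, legitimate SysWOW64 binaries also report NotSigned on that platform, so use InReport, the random eight-letter file names and the lineage as the deciding evidence there, and expect the hashes to differ between runs of the same family since every copy is a fresh drop.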

Processes

Every command line after the first names C:\Windows\system32\ while the corresponding image path is under C:\Windows\SysWOW64\: these are 32-bit processes on a 64-bit platform, so the file-system redirector maps System32 to SysWOW64 for them. Host hunts and detection rules should therefore match on the resolved image path, not on the command-line string. Jnagmc32.exe appears twice because PID 2548 started a second copy of itself (PID 1360) before that copy started Japciodd.exe.

Image Command line
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
C:\Windows\SysWOW64\Imbjcpnn.exe C:\Windows\system32\Imbjcpnn.exe
C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\system32\Iamfdo32.exe
C:\Windows\SysWOW64\Jggoqimd.exe C:\Windows\system32\Jggoqimd.exe
C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\system32\Jnagmc32.exe
C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\system32\Jnagmc32.exe
C:\Windows\SysWOW64\Japciodd.exe C:\Windows\system32\Japciodd.exe
C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\system32\Jikhnaao.exe
C:\Windows\SysWOW64\Jabponba.exe C:\Windows\system32\Jabponba.exe
C:\Windows\SysWOW64\Jcqlkjae.exe C:\Windows\system32\Jcqlkjae.exe
C:\Windows\SysWOW64\Jfohgepi.exe C:\Windows\system32\Jfohgepi.exe
C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\system32\Jjjdhc32.exe
C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\system32\Jipaip32.exe
C:\Windows\SysWOW64\Jlnmel32.exe C:\Windows\system32\Jlnmel32.exe
C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\system32\Jefbnacn.exe
C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\system32\Jhenjmbb.exe
C:\Windows\SysWOW64\Kidjdpie.exe C:\Windows\system32\Kidjdpie.exe
C:\Windows\SysWOW64\Klcgpkhh.exe C:\Windows\system32\Klcgpkhh.exe
C:\Windows\SysWOW64\Kapohbfp.exe C:\Windows\system32\Kapohbfp.exe
C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\system32\Kdnkdmec.exe
C:\Windows\SysWOW64\Klecfkff.exe C:\Windows\system32\Klecfkff.exe
C:\Windows\SysWOW64\Kmfpmc32.exe C:\Windows\system32\Kmfpmc32.exe
C:\Windows\SysWOW64\Kkjpggkn.exe C:\Windows\system32\Kkjpggkn.exe
C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\system32\Kmimcbja.exe
C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\system32\Kpgionie.exe
C:\Windows\SysWOW64\Kipmhc32.exe C:\Windows\system32\Kipmhc32.exe
C:\Windows\SysWOW64\Kbhbai32.exe C:\Windows\system32\Kbhbai32.exe
C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\system32\Kgcnahoo.exe
C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\system32\Llpfjomf.exe
C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\system32\Lbjofi32.exe

Network

N/A

Files

memory/2196-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Imbjcpnn.exe

MD5 1e16d1c39ced0837804cee68dea04916
SHA1 5cf1c75cd776be1a6663865cafa849ba36cbc0e0
SHA256 733f9ec37b6d3eb2737d9130ac233744af93d9425b67e413e03eac279f0140bc
SHA512 68a9e4d19c566e4842bcd56a98090d4aa6104f2da32641c0d3d2941480eee0181fa061fe77009e7e58b364e33d378fd80015bf4757eecb2464754d2d3554a0c2

memory/2760-19-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2196-18-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2196-13-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Iamfdo32.exe

MD5 fbf1531a30f3daefa9efde16ba7038c2
SHA1 8fb45d4cbd174385e9972dfcc053a0da5998f83f
SHA256 d22ccab5cd4ba7257e4808badad7668d19de165b3dc25908f099d39f0d9b9816
SHA512 e77bb6a0c397d2bd1b5f1d78f0b71978272d1b0f2bf238df2342eeea92de6214911079907202af0bf676df4c34ea71af43f03a75d22042a81e7283db2ee1309e

C:\Windows\SysWOW64\Jggoqimd.exe

MD5 04550c2b8a6c212d43886cec31b71690
SHA1 4ec1a69d99efaaf0ee5f27ffb109d7e20ee4d605
SHA256 78aea0748c1dc8a1f1adbd81047517b09d5338d202e6ad430e74962d42c04ea7
SHA512 4ff41ef9f128e91c764822b260bbdc8e0fbddc11e9025ff5dbe98a3ff3ebedc6d0839b882d11a41c7a1180af01f75a61f31b1037d13c10b1582dad52796c9d8e

memory/2736-33-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2760-27-0x0000000000260000-0x00000000002A0000-memory.dmp

C:\Windows\SysWOW64\Jnagmc32.exe

MD5 838b0164ce09a5b77d37d0e2c1669fd8
SHA1 f2abcee921f15ed6ffedc61eecd2ae14576d08e6
SHA256 2b053fb98b79cfe506747d01169f257cc0c29f056562d5eef8564dfb39edfc35
SHA512 381074220974e424a066e5cfd8c302dffe7980e811f08c8732d52eceee28c070e2eedca245113d364d438080f3c3bbbcda8c976cfa5b6aa8303abbde4a94dfaf

C:\Windows\SysWOW64\Ekhnnojb.dll

MD5 50bd11aa2977c5f4e147bc5bda4f1dce
SHA1 b010d67ffbd3c52663d5672a45417717928dfb80
SHA256 e5521283e200845c6fbf56a89839d2c9039d04ecb33843bb8d3e61f4b40c46f1
SHA512 c8fbc05aa3a07a9485477f59e9bdf8dfd1264cde442564c9fcf480ed91cb66f141c34ddd021c4ec4a4209a8982e1553e3f3021bbb701dfd4e20882d0d880a1d4

memory/1360-68-0x0000000000250000-0x0000000000290000-memory.dmp

\Windows\SysWOW64\Japciodd.exe

MD5 502510b9d3c94db8b042afc96728821f
SHA1 15df258a203b3ddcaca96cedfc4575239432cbfe
SHA256 260972d6e43b61dc474df67b68ca71910bf25be6b0e36d18898c6d8cdafd0510
SHA512 b8e7a4d614d3c7b08b9eef223603cca921a55e23b4f314c1eff67f7234d124bcf0801806ea3a616a3a3364dcd5bdd8a75e001d3f0c97e1b9f3b071cfc30056a0

memory/1360-61-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2548-59-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2832-41-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Jikhnaao.exe

MD5 fcc2ae3fbbc0f9dc3cc9151e727571e6
SHA1 ba35cbd73613327dc9364e8ca55ffc8dbb60d183
SHA256 6a40b8a3969f932214ce5376803c87895889b6a4ecd50e0c0290559b29a624b5
SHA512 bc950f3ad9039b0549f486bb9628ad0c23d9d6fe221c5a087f2886993df94bf927fa5b9e5afcb85935c9490c6ad86c492ab834da6d53c8c5aaedb7b41fb4b881

\Windows\SysWOW64\Jfohgepi.exe

MD5 c2cc320fa792d329a2bb7ac64501254f
SHA1 bdc5ea1c6c33ecc9d68362ebf8f3c6ac096bc349
SHA256 7795310a23052e4bf99ab677d1e82d422a64cf34e9f3eb95e73869bfeff38254
SHA512 ba87d485e66836e45060037d04f004e629652fef3bbf4b0ac0461bb214635c40cce4573bc3331e31ae1f4ecb77da5c1b8ff09c1d0be255e35b3a15679521e29f

C:\Windows\SysWOW64\Jcqlkjae.exe

MD5 4540f3acc0a24dceb801b10d713a1258
SHA1 b714bd92c12bdcc38817183b2c4b56549b58ad9e
SHA256 10cf988a232dc4ce6835dc252fb037ae10fb491619db4020b9465b11bcab206e
SHA512 3a7a4c16126ef741b360566883b56821240b1bd17135dd9b1ff1b3382d4efb8c0f023504799908870bd0d0b92c4bfe715d1fefa2663503a4e4c7ace169144e30

memory/1292-107-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jabponba.exe

MD5 391492cd8d1d307307615932f0d05655
SHA1 67b6c48fee71705525e73109ab98ea2a33b0de0b
SHA256 d5b9368a3d0396bcda213eab932601189d4c86263b510970d561bfb89f1cea42
SHA512 d7d0519a5efd9f908a51fac79c49a258edd4b64d00ac94743c5bb07f7a324ee8c7383f7c10dc03bf7c8d90f3f15a78a7da31d65f8a7df02510cc1e5193401b92

\Windows\SysWOW64\Jjjdhc32.exe

MD5 e1cacff24e437ee8f8d93342af4a06cf
SHA1 55abe1c9ca83821dd35fa4d7736f889545ca149b
SHA256 382dfe50caa9dd3c8e17bccb8415aacbe50552c1b4c211dab0cf684222697f78
SHA512 d50c02beb020472319d216e29b6b1109c29aca2c699214192f9da0b7bd6011c05eb6c6cb04c36eaff775ce6c12b63e64ec3f1debc04709eff29b99c7ca77e450

memory/1480-133-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1324-116-0x0000000000400000-0x0000000000440000-memory.dmp

memory/400-90-0x0000000000400000-0x0000000000440000-memory.dmp

memory/340-87-0x0000000000250000-0x0000000000290000-memory.dmp

memory/340-80-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1360-79-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2904-141-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Jipaip32.exe

MD5 3e30b2e38b0da9dbd87e663169d03a12
SHA1 bf272531e924045570e0692dae5ea76860dd2992
SHA256 f8a75cc439d672781a808d3557c2ccd54e2da5c7a3a4fd1bd1140e8ad9ddf3b6
SHA512 a65a04e4429d9daa5acf841db7823fb7ca99629ad4947b86833d7c2108b476739316a695a4b927b7439c7d8dcec0981d43dc0dab80403c57e3c374bfa398d770

memory/2904-153-0x0000000000440000-0x0000000000480000-memory.dmp

\Windows\SysWOW64\Jlnmel32.exe

MD5 4e61857cfe0977e33866c93747b3cb59
SHA1 9e902ecf777bbf5fc77b6079e797beeef1bded64
SHA256 d0b5f3f8274c42a0b23f333cc32e722d89aaebd92fd48935132e62d8c8ca184d
SHA512 3ff5886e2d4f187565f5b76f435086bdc20c2648bb845c404ec69da81774fbcbde40c25391981716210e8f7428acf7adb8895fab9a044baea1e931e89299e555

memory/292-168-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2004-162-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Jefbnacn.exe

MD5 0c0de41ee088b325a3ce7a3ae9f11a43
SHA1 f4cdb98495b97b7fbd77e7195a3f25bcaca1bcb7
SHA256 daf448ee226dd853c9a66c7ba95952b23bf54a58c3fafa5d39f1610eb044fc96
SHA512 381d97e72cf14cf7e58016eff0bd8122bb2508c853908a3b24f7f841d4abb62799e3811f53d098a2cbfce4bc2fe7c2d83ee151fd8a69e8f7aad027af99ae8a9c

memory/2364-194-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jhenjmbb.exe

MD5 f5df3fe597c3cc55a7ad5c29932fcd7c
SHA1 3e6fdda77ce45ccb841483b8d0d95164670d6724
SHA256 22e2e64031852042992a6ec76aa95faa61e154098a67aac641549f475c6abe0c
SHA512 8ef4938dab0acb1d7727f8c36664c5e579b514aa866d3e512c7ae003f9c21774da27d3d1763c86a79a270820961b05af6fe8b989d1c03d7fea314a0c6b0cdc91

memory/620-192-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Kidjdpie.exe

MD5 3319713d3122f2e0d82d8b1e5ac85513
SHA1 0838e656f7b7ab1c35587149b6cb45e10f69b45d
SHA256 7fb17a505a0d52a93e4526fdf36670070bdced545172da0059574c832312e951
SHA512 e71e1d39fd8e43bdca660d531fff7647d472e440e30ea080faebc4ea5fa6f96bc1e4be65e711e822ab81ebceded983bbc328f5295a05be1260f89bd6d9206212

memory/2976-208-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Klcgpkhh.exe

MD5 5d4018619a7bfc771318d59e35f11f22
SHA1 0b6e736a8769e224d5922f8ab384f751209bb5e7
SHA256 770fa7aa4c97073dd59e393f9bac1f9a72aa1d435eb35b5695637b35edbfe449
SHA512 3bbea2ec5d6c70e0a7f012f9b40f1c96494479cf513c2df957bda4a79b5041a2cf4a7c9b2771b3440a881cfee01c9593f37b19129f2a961c359ff8486e7b996a

memory/1308-217-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kapohbfp.exe

MD5 1f936be8b8122f1a7def6833d124c976
SHA1 c32127cff45166b4c28d8f2c86b64042388aec37
SHA256 07f155c1146395b25b9cad6edeac524e37484b8a8efcd307279716b43c5e47a6
SHA512 e9c57fd2e6e4dc7708b947eaeb58325fcf09897bf45e89121f049c335528df8af99767322f141b7b685fb7e415a71305e205a71d697c5ff31f1a3db21e8e3e49

memory/2212-230-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kdnkdmec.exe

MD5 43437378bc817eb20a6c086b17d3234c
SHA1 e48052e031e970bb8953c19ea80684dc96a5e997
SHA256 2b072782906849bb5ab630331d9e182f544d081a34eff9547782396412404ba9
SHA512 9002a5a63810526d4976a35322c208ff10a58b3215ea6638584609ef8dd009eb4d40e83cd46ffa90baa66188629e76d1a1b98acd5872b3a672255231c6855687

memory/928-237-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2212-236-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/2212-235-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1896-248-0x0000000000400000-0x0000000000440000-memory.dmp

memory/928-247-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/928-246-0x00000000002F0000-0x0000000000330000-memory.dmp

C:\Windows\SysWOW64\Klecfkff.exe

MD5 13184e6095bf537d3d20bcef4a95bd7d
SHA1 3521913159bd887b4ba03ef686341ef4ecdf5aa0
SHA256 f47b377c0a2d1d304960f9b8ee0b67dd17a374886f9f0a9e00b0af45f7900d8f
SHA512 e13db1c3769c7cdf5ac86496db6ace4c552643450b682a21473150b2c51382b77da12bb7c80469c39c56cc88e551151b1cd580a770f645789a23f87ace6e7dd4

memory/1800-259-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1896-258-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/1896-257-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Kmfpmc32.exe

MD5 b70428e63aea0511e3a95c4e59b66fa4
SHA1 685358a1ba5d55db4f8c86775ae24b30d0e08d9b
SHA256 8862c960577b54b231dbacb8b36111f19a8dd0a27752c08671658cc17432bda1
SHA512 db999e6440a3da5ed42139f8d352cd90f578d7de56fb376a9e9dd8e7154bb7044e36864129f7d181f9dc57c6f61cfb7c4dc418e6e37667c26428625f9c5c7dd8

memory/1800-269-0x0000000000320000-0x0000000000360000-memory.dmp

memory/1800-268-0x0000000000320000-0x0000000000360000-memory.dmp

C:\Windows\SysWOW64\Kkjpggkn.exe

MD5 3424fc5e29f491828292110ef94a968c
SHA1 8cdff57f77b5576463cfcdbeaaec8689cb1400f4
SHA256 c21ab1a95aae9f22d83e5c86f398ad2ec797763857e8c63a35cb7d04caba047b
SHA512 51a9f14a1105d96b0864857600603cc55d16e2dabca3ca7f249b922ddbd7b70b127433b0f5634d818d6c5c9d6ea538ee12487688a98765ef80929ef42dd821d7

memory/1716-280-0x0000000000300000-0x0000000000340000-memory.dmp

C:\Windows\SysWOW64\Kmimcbja.exe

MD5 160c49e4f66ff7536dc14b4c7e23451c
SHA1 47ee4fc39d09b8c3cc7fb7de1bc07306d65790cf
SHA256 e4db1d1f8238c0e38e9c438eb42e543e360a3fa79e5ddb8d296799165ec8b7b9
SHA512 ad76a71862b62b16a934759f63c0ada56d567b3f80e1d4dd67a537c5c7046eea1352b155a4ef903c5ad855eccbaf831b5a9eb3a2e4fa58350a10b9f8922ad93a

memory/1716-276-0x0000000000300000-0x0000000000340000-memory.dmp

memory/1716-275-0x0000000000400000-0x0000000000440000-memory.dmp

memory/376-281-0x0000000000400000-0x0000000000440000-memory.dmp

memory/376-290-0x00000000002E0000-0x0000000000320000-memory.dmp

C:\Windows\SysWOW64\Kpgionie.exe

MD5 f5fed799f6f5eb1730e980822bde55fa
SHA1 fe3211dc33d35ba54691c1b5d9be6cf00f2ba6d7
SHA256 e36e8de186dd917b4d4df5f752ab6f886c4a1520cd7ea6d00731677e2ea8d9c5
SHA512 0086d9e452ac49b17e471d00186f9ea7040e2a9582735a765bcc7d405e4ca6bde6cfb7b909a598ca9954a8331d2418a8c4c16ade1808cf2bbe64296a3d182bba

memory/376-291-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/1816-298-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1816-297-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1816-302-0x0000000000250000-0x0000000000290000-memory.dmp

memory/876-303-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kipmhc32.exe

MD5 c1d541acce2e6e2900bfe6ada81655b4
SHA1 e880535d3f54e398712206e1d3d2d8669895b907
SHA256 992cc76577e903dff54a95f93e7c597d0997f9d7e79a275287182d4f5d4e6d32
SHA512 29c41ad9aec8480bbb307eb7669a0bd8d4157036305c015aea856375131e53589ddbbe7fa70c2f482e534a806187033f9f0790d088e517af1fc7d069a279ddb1

C:\Windows\SysWOW64\Kbhbai32.exe

MD5 a9cd72e1faafee67c112dd566c3cb8e0
SHA1 eb8bd87fb3ce607143c95ed12b34ced113144873
SHA256 d3ed5b193d4eb995b9b6bfb45652439543d9547d3d59393778e06bc5f2014ca9
SHA512 dba414a3a743eb949f79dbecd4cc8a1e5adda7a7ecb403191f374197cc479f48f118f907caa59ed5b10b6e6e1b2e6077b9560d6ccd454e9bdac30c6d4dc15317

memory/876-317-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/876-316-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/2804-318-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kgcnahoo.exe

MD5 a7e6f5a1d3bc4f47d40d798d4ca1296e
SHA1 28abe1d7344720024a9dfe02eea244e01acdc9c7
SHA256 76d0862d63f5bf031791ef7db7155afadcf2e48df7056ecb791f1e8fe3b165cf
SHA512 ea2cb06d4314fe4c363dc2783e0b3352cfe3c8108efec191a5b5f876efd89a12df090a3695ad57e60b228c493930422a553e70d2750538a51c4774063f975fc2

memory/2804-323-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2804-324-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2672-328-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2672-335-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2672-334-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Llpfjomf.exe

MD5 813393b9e8795c84f8985b2c69abfe78
SHA1 d8b9cf90cec9ac5d410976648d6c642f767864e2
SHA256 3a0c0d95e183083ddc26839bb26ba5f7c0ab21a777e6af0e0c8e9fbcfc69df24
SHA512 269004d7fdc81b83a2bf7f4bceb2b254f867c69c0e3a803fb455a7196514074c7ad62a6cd6f7c7852b435b847ee34ff07c21838b4a56c5b84db23cd246177055

C:\Windows\SysWOW64\Lbjofi32.exe

MD5 d8948b20832f0324ebb7b8d6fc8a1687
SHA1 5f97b2887be646d06f68fae9110a2fccdff6bcee
SHA256 6ab966acad4d47e1148823a98a391b3dfa637f0d69e6c920d1942b3e4e5ae10d
SHA512 53b9529a57837dcdc18c0c4768678d722d98f279e709f1ab0f8cc58280e26da850f0aa590745dafa79692449e227a866ad783f7ab65ea38455b20a09e1969006

memory/2580-345-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2700-347-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2580-346-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2580-344-0x0000000000400000-0x0000000000440000-memory.dmp

memory/376-351-0x0000000000400000-0x0000000000440000-memory.dmp

memory/876-350-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2672-349-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2700-348-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1896-352-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1800-357-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2004-356-0x0000000000400000-0x0000000000440000-memory.dmp

memory/620-355-0x0000000000400000-0x0000000000440000-memory.dmp

memory/928-354-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2976-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1308-359-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2904-358-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2196-362-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2364-361-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2832-360-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1324-364-0x0000000000400000-0x0000000000440000-memory.dmp

memory/292-363-0x0000000000400000-0x0000000000440000-memory.dmp

memory/400-366-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1360-365-0x0000000000400000-0x0000000000440000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 15:50

Reported

2024-09-16 15:52

Platform

win10v2004-20240802-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bagmdllg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpcpfg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekngemhd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdocph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgklmacf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpcpfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fqdbdbna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fgnjqm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fklcgk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmjmekgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqmlccdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dckoia32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cigkdmel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Banjnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cajjjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Calfpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cildom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgihop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Biiobo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bagmdllg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddcebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fcekfnkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bgdemb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcibca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpacqg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edfknb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdkdibjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fkcpql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fkemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdocph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekqckmfb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgdemb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cildom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdkdibjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcekfnkb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cajjjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekimjn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjocbhbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfolacnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbanq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejojljqa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdbkja32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekqckmfb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmjmekgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekimjn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fggdpnkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fggdpnkf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fkemfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbaclegm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmggingc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fgnjqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgbanq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqmlccdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fklcgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfkbfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Biiobo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bipecnkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekngemhd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Calfpk32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Banjnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfkbfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biiobo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdocph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbaclegm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmggingc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfolacnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmidnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baepolni.exe N/A
N/A N/A C:\Windows\SysWOW64\Bipecnkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagmdllg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgdemb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajjjk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbkfbcpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Calfpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cigkdmel.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpacqg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgklmacf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpcpfg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdolgfbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cildom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgpeha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmjmekgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcebe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgbanq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcibca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dckoia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnqcfjae.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgihop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enemaimp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekimjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejojljqa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekngemhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Edfknb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekqckmfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqmlccdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Fggdpnkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkcpql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdkdibjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkemfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqbeoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkgillpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqdbdbna.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgnjqm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdbkja32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcekfnkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fklcgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjocbhbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Gddgpqbe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Fdkdibjp.exe C:\Windows\SysWOW64\Fkcpql32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmidnm32.exe C:\Windows\SysWOW64\Bfolacnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekimjn32.exe C:\Windows\SysWOW64\Enemaimp.exe N/A
File created C:\Windows\SysWOW64\Eclhcj32.dll C:\Windows\SysWOW64\Edfknb32.exe N/A
File created C:\Windows\SysWOW64\Fjinnekj.dll C:\Windows\SysWOW64\Fqbeoc32.exe N/A
File created C:\Windows\SysWOW64\Fklcgk32.exe C:\Windows\SysWOW64\Fcekfnkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcibca32.exe C:\Windows\SysWOW64\Dgbanq32.exe N/A
File created C:\Windows\SysWOW64\Enemaimp.exe C:\Windows\SysWOW64\Dgihop32.exe N/A
File created C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Calfpk32.exe N/A
File created C:\Windows\SysWOW64\Ejojljqa.exe C:\Windows\SysWOW64\Ekimjn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbaclegm.exe C:\Windows\SysWOW64\Bdocph32.exe N/A
File created C:\Windows\SysWOW64\Baepolni.exe C:\Windows\SysWOW64\Bmidnm32.exe N/A
File created C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cpacqg32.exe N/A
File created C:\Windows\SysWOW64\Nepmal32.dll C:\Windows\SysWOW64\Cpacqg32.exe N/A
File created C:\Windows\SysWOW64\Blghiiea.dll C:\Windows\SysWOW64\Eqmlccdi.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbkfbcpb.exe C:\Windows\SysWOW64\Cajjjk32.exe N/A
File created C:\Windows\SysWOW64\Ejnnldhi.dll C:\Windows\SysWOW64\Cajjjk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bagmdllg.exe C:\Windows\SysWOW64\Bipecnkd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmjmekgn.exe C:\Windows\SysWOW64\Dgpeha32.exe N/A
File created C:\Windows\SysWOW64\Dgihop32.exe C:\Windows\SysWOW64\Dnqcfjae.exe N/A
File created C:\Windows\SysWOW64\Anijgd32.dll C:\Windows\SysWOW64\Enemaimp.exe N/A
File created C:\Windows\SysWOW64\Jcggmk32.dll C:\Windows\SysWOW64\Fjocbhbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Bipecnkd.exe C:\Windows\SysWOW64\Baepolni.exe N/A
File created C:\Windows\SysWOW64\Bagmdllg.exe C:\Windows\SysWOW64\Bipecnkd.exe N/A
File created C:\Windows\SysWOW64\Jjnmkgom.dll C:\Windows\SysWOW64\Dnqcfjae.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkgillpj.exe C:\Windows\SysWOW64\Fqbeoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cpacqg32.exe N/A
File created C:\Windows\SysWOW64\Cpcpfg32.exe C:\Windows\SysWOW64\Cgklmacf.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkcpql32.exe C:\Windows\SysWOW64\Fggdpnkf.exe N/A
File created C:\Windows\SysWOW64\Gajlgpic.dll C:\Windows\SysWOW64\Fkgillpj.exe N/A
File created C:\Windows\SysWOW64\Bfkbfd32.exe C:\Windows\SysWOW64\Banjnm32.exe N/A
File created C:\Windows\SysWOW64\Kamonn32.dll C:\Windows\SysWOW64\Ejojljqa.exe N/A
File created C:\Windows\SysWOW64\Mkddhfnh.dll C:\Windows\SysWOW64\Bagmdllg.exe N/A
File opened for modification C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Cbkfbcpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cdolgfbp.exe N/A
File created C:\Windows\SysWOW64\Npgqep32.dll C:\Windows\SysWOW64\Dgihop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fqdbdbna.exe C:\Windows\SysWOW64\Fkgillpj.exe N/A
File created C:\Windows\SysWOW64\Eknphfld.dll C:\Windows\SysWOW64\Bfkbfd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmggingc.exe C:\Windows\SysWOW64\Bbaclegm.exe N/A
File created C:\Windows\SysWOW64\Eaecci32.dll C:\Windows\SysWOW64\Ekimjn32.exe N/A
File created C:\Windows\SysWOW64\Fjocbhbo.exe C:\Windows\SysWOW64\Fklcgk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfkbfd32.exe C:\Windows\SysWOW64\Banjnm32.exe N/A
File created C:\Windows\SysWOW64\Nlkppnab.dll C:\Windows\SysWOW64\Ddcebe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fnhbmgmk.exe C:\Windows\SysWOW64\Fgnjqm32.exe N/A
File created C:\Windows\SysWOW64\Ekimjn32.exe C:\Windows\SysWOW64\Enemaimp.exe N/A
File created C:\Windows\SysWOW64\Fqbeoc32.exe C:\Windows\SysWOW64\Fkemfl32.exe N/A
File created C:\Windows\SysWOW64\Cbkfbcpb.exe C:\Windows\SysWOW64\Cajjjk32.exe N/A
File created C:\Windows\SysWOW64\Mgqaip32.dll C:\Windows\SysWOW64\Dgpeha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Enemaimp.exe C:\Windows\SysWOW64\Dgihop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekngemhd.exe C:\Windows\SysWOW64\Ejojljqa.exe N/A
File created C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bmggingc.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgdemb32.exe C:\Windows\SysWOW64\Bagmdllg.exe N/A
File created C:\Windows\SysWOW64\Fgnjqm32.exe C:\Windows\SysWOW64\Fqdbdbna.exe N/A
File opened for modification C:\Windows\SysWOW64\Gddgpqbe.exe C:\Windows\SysWOW64\Fjocbhbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgpeha32.exe C:\Windows\SysWOW64\Cildom32.exe N/A
File created C:\Windows\SysWOW64\Lpcgahca.dll C:\Windows\SysWOW64\Cildom32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqmlccdi.exe C:\Windows\SysWOW64\Ekqckmfb.exe N/A
File created C:\Windows\SysWOW64\Fggdpnkf.exe C:\Windows\SysWOW64\Eqmlccdi.exe N/A
File opened for modification C:\Windows\SysWOW64\Banjnm32.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Jmbpjm32.dll C:\Windows\SysWOW64\Cgklmacf.exe N/A
File created C:\Windows\SysWOW64\Ghfqhkbn.dll C:\Windows\SysWOW64\Cigkdmel.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cpcpfg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnqcfjae.exe C:\Windows\SysWOW64\Dckoia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Edfknb32.exe C:\Windows\SysWOW64\Ekngemhd.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Gddgpqbe.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baepolni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Edfknb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekqckmfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkgillpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdkdibjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekimjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkcpql32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnqcfjae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enemaimp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fklcgk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bipecnkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbkfbcpb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddcebe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfolacnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgnjqm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cajjjk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkemfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmggingc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekngemhd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdbkja32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gddgpqbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bagmdllg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpcpfg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fcekfnkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Banjnm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbanq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcibca32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkbfd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbaclegm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calfpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjmekgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Biiobo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fqdbdbna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmidnm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cildom32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgihop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eqmlccdi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fjocbhbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdocph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgdemb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cigkdmel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgpeha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpacqg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgklmacf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dckoia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejojljqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fggdpnkf.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bipecnkd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcibca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnhbmgmk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjocbhbo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baepolni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cajjjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cigkdmel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgihop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejojljqa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpacqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll" C:\Windows\SysWOW64\Cpacqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll" C:\Windows\SysWOW64\Cpcpfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpcpfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekngemhd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fkemfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll" C:\Windows\SysWOW64\Fqbeoc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll" C:\Windows\SysWOW64\Bipecnkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll" C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgihop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmafal32.dll" C:\Windows\SysWOW64\Bmidnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fqdbdbna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll" C:\Windows\SysWOW64\Bmggingc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enemaimp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll" C:\Windows\SysWOW64\Fqdbdbna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fcekfnkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll" C:\Windows\SysWOW64\Fjocbhbo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fcekfnkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bipecnkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll" C:\Windows\SysWOW64\Bagmdllg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpacqg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpcpfg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgpeha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" C:\Windows\SysWOW64\Calfpk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgbanq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll" C:\Windows\SysWOW64\Dgbanq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll" C:\Windows\SysWOW64\Ekimjn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfolacnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnqcfjae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll" C:\Windows\SysWOW64\Edfknb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqmlccdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll" C:\Windows\SysWOW64\Fkemfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmggingc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fdkdibjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll" C:\Windows\SysWOW64\Fdbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fdbkja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll" C:\Windows\SysWOW64\Dnqcfjae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Banjnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll" C:\Windows\SysWOW64\Biiobo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baepolni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmjmekgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" C:\Windows\SysWOW64\Cbkfbcpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmjmekgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll" C:\Windows\SysWOW64\Fdkdibjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Edfknb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fkcpql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fgnjqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll" C:\Windows\SysWOW64\Bgdemb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgklmacf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll" C:\Windows\SysWOW64\Dcibca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll" C:\Windows\SysWOW64\Dckoia32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Banjnm32.exe
PID 4692 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Banjnm32.exe
PID 4692 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Banjnm32.exe
PID 4864 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Banjnm32.exe C:\Windows\SysWOW64\Bfkbfd32.exe
PID 4864 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Banjnm32.exe C:\Windows\SysWOW64\Bfkbfd32.exe
PID 4864 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Banjnm32.exe C:\Windows\SysWOW64\Bfkbfd32.exe
PID 4440 wrote to memory of 644 N/A C:\Windows\SysWOW64\Bfkbfd32.exe C:\Windows\SysWOW64\Biiobo32.exe
PID 4440 wrote to memory of 644 N/A C:\Windows\SysWOW64\Bfkbfd32.exe C:\Windows\SysWOW64\Biiobo32.exe
PID 4440 wrote to memory of 644 N/A C:\Windows\SysWOW64\Bfkbfd32.exe C:\Windows\SysWOW64\Biiobo32.exe
PID 644 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Biiobo32.exe C:\Windows\SysWOW64\Bdocph32.exe
PID 644 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Biiobo32.exe C:\Windows\SysWOW64\Bdocph32.exe
PID 644 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Biiobo32.exe C:\Windows\SysWOW64\Bdocph32.exe
PID 4232 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Bdocph32.exe C:\Windows\SysWOW64\Bbaclegm.exe
PID 4232 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Bdocph32.exe C:\Windows\SysWOW64\Bbaclegm.exe
PID 4232 wrote to memory of 4756 N/A C:\Windows\SysWOW64\Bdocph32.exe C:\Windows\SysWOW64\Bbaclegm.exe
PID 4756 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Bbaclegm.exe C:\Windows\SysWOW64\Bmggingc.exe
PID 4756 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Bbaclegm.exe C:\Windows\SysWOW64\Bmggingc.exe
PID 4756 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Bbaclegm.exe C:\Windows\SysWOW64\Bmggingc.exe
PID 1488 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Bmggingc.exe C:\Windows\SysWOW64\Bfolacnc.exe
PID 1488 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Bmggingc.exe C:\Windows\SysWOW64\Bfolacnc.exe
PID 1488 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Bmggingc.exe C:\Windows\SysWOW64\Bfolacnc.exe
PID 2860 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bmidnm32.exe
PID 2860 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bmidnm32.exe
PID 2860 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Bfolacnc.exe C:\Windows\SysWOW64\Bmidnm32.exe
PID 2328 wrote to memory of 1580 N/A C:\Windows\SysWOW64\Bmidnm32.exe C:\Windows\SysWOW64\Baepolni.exe
PID 2328 wrote to memory of 1580 N/A C:\Windows\SysWOW64\Bmidnm32.exe C:\Windows\SysWOW64\Baepolni.exe
PID 2328 wrote to memory of 1580 N/A C:\Windows\SysWOW64\Bmidnm32.exe C:\Windows\SysWOW64\Baepolni.exe
PID 1580 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Baepolni.exe C:\Windows\SysWOW64\Bipecnkd.exe
PID 1580 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Baepolni.exe C:\Windows\SysWOW64\Bipecnkd.exe
PID 1580 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Baepolni.exe C:\Windows\SysWOW64\Bipecnkd.exe
PID 2240 wrote to memory of 4812 N/A C:\Windows\SysWOW64\Bipecnkd.exe C:\Windows\SysWOW64\Bagmdllg.exe
PID 2240 wrote to memory of 4812 N/A C:\Windows\SysWOW64\Bipecnkd.exe C:\Windows\SysWOW64\Bagmdllg.exe
PID 2240 wrote to memory of 4812 N/A C:\Windows\SysWOW64\Bipecnkd.exe C:\Windows\SysWOW64\Bagmdllg.exe
PID 4812 wrote to memory of 736 N/A C:\Windows\SysWOW64\Bagmdllg.exe C:\Windows\SysWOW64\Bgdemb32.exe
PID 4812 wrote to memory of 736 N/A C:\Windows\SysWOW64\Bagmdllg.exe C:\Windows\SysWOW64\Bgdemb32.exe
PID 4812 wrote to memory of 736 N/A C:\Windows\SysWOW64\Bagmdllg.exe C:\Windows\SysWOW64\Bgdemb32.exe
PID 736 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Bgdemb32.exe C:\Windows\SysWOW64\Cajjjk32.exe
PID 736 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Bgdemb32.exe C:\Windows\SysWOW64\Cajjjk32.exe
PID 736 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Bgdemb32.exe C:\Windows\SysWOW64\Cajjjk32.exe
PID 4860 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Cajjjk32.exe C:\Windows\SysWOW64\Cbkfbcpb.exe
PID 4860 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Cajjjk32.exe C:\Windows\SysWOW64\Cbkfbcpb.exe
PID 4860 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Cajjjk32.exe C:\Windows\SysWOW64\Cbkfbcpb.exe
PID 3052 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Cbkfbcpb.exe C:\Windows\SysWOW64\Calfpk32.exe
PID 3052 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Cbkfbcpb.exe C:\Windows\SysWOW64\Calfpk32.exe
PID 3052 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Cbkfbcpb.exe C:\Windows\SysWOW64\Calfpk32.exe
PID 4184 wrote to memory of 228 N/A C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Cigkdmel.exe
PID 4184 wrote to memory of 228 N/A C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Cigkdmel.exe
PID 4184 wrote to memory of 228 N/A C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Cigkdmel.exe
PID 228 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Cpacqg32.exe
PID 228 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Cpacqg32.exe
PID 228 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Cigkdmel.exe C:\Windows\SysWOW64\Cpacqg32.exe
PID 4348 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cpacqg32.exe C:\Windows\SysWOW64\Cgklmacf.exe
PID 4348 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cpacqg32.exe C:\Windows\SysWOW64\Cgklmacf.exe
PID 4348 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Cpacqg32.exe C:\Windows\SysWOW64\Cgklmacf.exe
PID 2840 wrote to memory of 1496 N/A C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cpcpfg32.exe
PID 2840 wrote to memory of 1496 N/A C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cpcpfg32.exe
PID 2840 wrote to memory of 1496 N/A C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cpcpfg32.exe
PID 1496 wrote to memory of 1272 N/A C:\Windows\SysWOW64\Cpcpfg32.exe C:\Windows\SysWOW64\Cdolgfbp.exe
PID 1496 wrote to memory of 1272 N/A C:\Windows\SysWOW64\Cpcpfg32.exe C:\Windows\SysWOW64\Cdolgfbp.exe
PID 1496 wrote to memory of 1272 N/A C:\Windows\SysWOW64\Cpcpfg32.exe C:\Windows\SysWOW64\Cdolgfbp.exe
PID 1272 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cildom32.exe
PID 1272 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cildom32.exe
PID 1272 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cildom32.exe
PID 2320 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Dgpeha32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Banjnm32.exe

C:\Windows\system32\Banjnm32.exe

C:\Windows\SysWOW64\Bfkbfd32.exe

C:\Windows\system32\Bfkbfd32.exe

C:\Windows\SysWOW64\Biiobo32.exe

C:\Windows\system32\Biiobo32.exe

C:\Windows\SysWOW64\Bdocph32.exe

C:\Windows\system32\Bdocph32.exe

C:\Windows\SysWOW64\Bbaclegm.exe

C:\Windows\system32\Bbaclegm.exe

C:\Windows\SysWOW64\Bmggingc.exe

C:\Windows\system32\Bmggingc.exe

C:\Windows\SysWOW64\Bfolacnc.exe

C:\Windows\system32\Bfolacnc.exe

C:\Windows\SysWOW64\Bmidnm32.exe

C:\Windows\system32\Bmidnm32.exe

C:\Windows\SysWOW64\Baepolni.exe

C:\Windows\system32\Baepolni.exe

C:\Windows\SysWOW64\Bipecnkd.exe

C:\Windows\system32\Bipecnkd.exe

C:\Windows\SysWOW64\Bagmdllg.exe

C:\Windows\system32\Bagmdllg.exe

C:\Windows\SysWOW64\Bgdemb32.exe

C:\Windows\system32\Bgdemb32.exe

C:\Windows\SysWOW64\Cajjjk32.exe

C:\Windows\system32\Cajjjk32.exe

C:\Windows\SysWOW64\Cbkfbcpb.exe

C:\Windows\system32\Cbkfbcpb.exe

C:\Windows\SysWOW64\Calfpk32.exe

C:\Windows\system32\Calfpk32.exe

C:\Windows\SysWOW64\Cigkdmel.exe

C:\Windows\system32\Cigkdmel.exe

C:\Windows\SysWOW64\Cpacqg32.exe

C:\Windows\system32\Cpacqg32.exe

C:\Windows\SysWOW64\Cgklmacf.exe

C:\Windows\system32\Cgklmacf.exe

C:\Windows\SysWOW64\Cpcpfg32.exe

C:\Windows\system32\Cpcpfg32.exe

C:\Windows\SysWOW64\Cdolgfbp.exe

C:\Windows\system32\Cdolgfbp.exe

C:\Windows\SysWOW64\Cildom32.exe

C:\Windows\system32\Cildom32.exe

C:\Windows\SysWOW64\Dgpeha32.exe

C:\Windows\system32\Dgpeha32.exe

C:\Windows\SysWOW64\Dmjmekgn.exe

C:\Windows\system32\Dmjmekgn.exe

C:\Windows\SysWOW64\Ddcebe32.exe

C:\Windows\system32\Ddcebe32.exe

C:\Windows\SysWOW64\Dgbanq32.exe

C:\Windows\system32\Dgbanq32.exe

C:\Windows\SysWOW64\Dcibca32.exe

C:\Windows\system32\Dcibca32.exe

C:\Windows\SysWOW64\Dckoia32.exe

C:\Windows\system32\Dckoia32.exe

C:\Windows\SysWOW64\Dnqcfjae.exe

C:\Windows\system32\Dnqcfjae.exe

C:\Windows\SysWOW64\Dgihop32.exe

C:\Windows\system32\Dgihop32.exe

C:\Windows\SysWOW64\Enemaimp.exe

C:\Windows\system32\Enemaimp.exe

C:\Windows\SysWOW64\Ekimjn32.exe

C:\Windows\system32\Ekimjn32.exe

C:\Windows\SysWOW64\Ejojljqa.exe

C:\Windows\system32\Ejojljqa.exe

C:\Windows\SysWOW64\Ekngemhd.exe

C:\Windows\system32\Ekngemhd.exe

C:\Windows\SysWOW64\Edfknb32.exe

C:\Windows\system32\Edfknb32.exe

C:\Windows\SysWOW64\Ekqckmfb.exe

C:\Windows\system32\Ekqckmfb.exe

C:\Windows\SysWOW64\Eqmlccdi.exe

C:\Windows\system32\Eqmlccdi.exe

C:\Windows\SysWOW64\Fggdpnkf.exe

C:\Windows\system32\Fggdpnkf.exe

C:\Windows\SysWOW64\Fkcpql32.exe

C:\Windows\system32\Fkcpql32.exe

C:\Windows\SysWOW64\Fdkdibjp.exe

C:\Windows\system32\Fdkdibjp.exe

C:\Windows\SysWOW64\Fkemfl32.exe

C:\Windows\system32\Fkemfl32.exe

C:\Windows\SysWOW64\Fqbeoc32.exe

C:\Windows\system32\Fqbeoc32.exe

C:\Windows\SysWOW64\Fkgillpj.exe

C:\Windows\system32\Fkgillpj.exe

C:\Windows\SysWOW64\Fqdbdbna.exe

C:\Windows\system32\Fqdbdbna.exe

C:\Windows\SysWOW64\Fgnjqm32.exe

C:\Windows\system32\Fgnjqm32.exe

C:\Windows\SysWOW64\Fnhbmgmk.exe

C:\Windows\system32\Fnhbmgmk.exe

C:\Windows\SysWOW64\Fdbkja32.exe

C:\Windows\system32\Fdbkja32.exe

C:\Windows\SysWOW64\Fcekfnkb.exe

C:\Windows\system32\Fcekfnkb.exe

C:\Windows\SysWOW64\Fklcgk32.exe

C:\Windows\system32\Fklcgk32.exe

C:\Windows\SysWOW64\Fjocbhbo.exe

C:\Windows\system32\Fjocbhbo.exe

C:\Windows\SysWOW64\Gddgpqbe.exe

C:\Windows\system32\Gddgpqbe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4656 -ip 4656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4144,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

memory/4692-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4692-1-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Banjnm32.exe

MD5 f5e571f329f4bb95942c8300ff17fdce
SHA1 8ab38b59ada91ea651582076446630213f3521dd
SHA256 7f24f567ce17000d6ebae4617e4b3e6c64deefcc9411b9078042b56090255186
SHA512 c8c57d872c915697c297b17b8ca98664fe1d75c36d55bb57945ce435b23ba89ae5de76e8d936d73d3826685580d8c0f4329ebdeccb85ae4c7caca1b253177b93

memory/4864-9-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bfkbfd32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Bfkbfd32.exe

MD5 3ea98544213462d2df033401dfdb5818
SHA1 7bd0ecb33f42c5635495be0cee27601be9d4c667
SHA256 fe7ed37d5e9a3c961566208915991a960114e80d14c4dc8fbd00f2d9e658419f
SHA512 98c5e7e5d6136db18955ea804209e80d2454ba0224103214e6c84ace5f2e9ae81b81cdb3d8bc940d0bb45e3df5bc5212491f56f914c9b738aacb15bdfeb1cb2c

memory/4440-17-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Biiobo32.exe

MD5 5b31375d95e63021843abf74a1a5a7e6
SHA1 7ab2d162c4604d1f04428e5b09b62e2ea976fa1c
SHA256 99abcbfc3a42a3747c26b2922c061ad8236a48c2eccf678de92d9e38469b27a2
SHA512 571a5eb79343d21996836909b112731a38cae0d86e81030dba4e606359313a5b598d1f6a90556b2b9d699bb680034e5aa56e9b57d9ceafc5578115e239bf8466

memory/644-24-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bdocph32.exe

MD5 997be4ec7fcdbd7e10e0b6b0ff5eada6
SHA1 9722d1ee0bc07c8522934afefb3f50334fe0bc67
SHA256 368a4321f0df968fcfbd6f723a31cf7fa7967e2ee9217701da3ef98439fb21a7
SHA512 6c935d6a47b57fb7ec3ce75b614f57956fe0ef03af92467050c597cd6e9398fd36971f0af7763fa6dccd23c8effd46df1370e2c0b0c5c195938d29d17463c555

memory/4232-32-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bbaclegm.exe

MD5 d657a328d3cd4c32afab099dfbe6f068
SHA1 71ff81b10741a5f310806a38c8146a4ef4583057
SHA256 c5a9aa829f327b6de2397d2783f87bf1950592dc07ca95eba5984c1073b7c6d9
SHA512 c1f32ff6bcd130695da6d5fac69e59a548fb50779d126e2a008b64f2552c988a766db45c63296a33d33e70f640a05d3a60393686c5853692e354fdd1b51a2817

memory/4756-40-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bmggingc.exe

MD5 e33e8180b145b89f3f525c732021f810
SHA1 4b53c1e1fa67f3720fda0899440205976502a7b6
SHA256 afac66c7a7a138a1773789fdbb9e7429425e176dda6d678db9de17e7eb914c5c
SHA512 b73e27fcf58b95f00ea73893846750f48c6389d6f9cb5899a737ab4471b2dd92bd442e7e6e3ca1d4b79735644166a1e2a350dbe89c7c4f26d76d8a6814131ff3

memory/1488-48-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bfolacnc.exe

MD5 38ee2f711dfc3f9307c6e416cd330710
SHA1 eb3b7f1f9e30c259ec1a60dcd198e5cff4575a21
SHA256 70252d048ac6231ddbcd4a7f719770d7b53676b2a923ae727b66dfe6086bcde6
SHA512 682e035f3a5713aa82134989ef14f12074617ad2e2525b6710f4c7468699382d883a22742bde5334c909eac0801bdd0b5fd1882ed6bd47c1c5a7d2bea898d47b

memory/2860-57-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bmidnm32.exe

MD5 bd25c75ac21dc3008cd5102075dfadfc
SHA1 5cfe2f2bab993de417f48787f5a74bc3952800ae
SHA256 c6847d7f795a928773e768d1bf434da6699f7b2c36c07c897873e49b375b7ab9
SHA512 871fbec2cc98dc6f79d464b2ebf78beb516f24e061b6ebcc270f307a15e909fe41eeed4e22c396da2b799400c692a08ff4d754f8d66adeccc3ab35ddb6d52848

memory/2328-65-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Baepolni.exe

MD5 799dd87648ab0f2bd404f0d9e5cf59f5
SHA1 54b89891d35e3c12c4eaa1ecb3c573d6eeef0901
SHA256 1f73df6a469924a9946433e49466fd4da1b760b5790a3d0cada85c99da285b84
SHA512 805d04ba7a9271cfb2cce4a6a6184e503b40033a27455912b52eb36ec08fbe6c7ef367a316f1b72d834fe52f0a34eeefd31e84c10a2f51b7cf20a12251fd4ef7

memory/1580-72-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bipecnkd.exe

MD5 ffb409ca0523b6fda03d846405606226
SHA1 22eab0dfbcbb5edcf2ae51c31f9e15effb2b48dd
SHA256 bf6ba18b9851f905b1bac81feb9f142551b28914b95720b2fe7da37f8201eeec
SHA512 39fb6c014b15ba0efd6067e55ae57a6eb2c213035e2f602dc4d84fd09be54786caf2f7487f07f7c8d3b4d129cee26da0a0f67dccc978d7bfda3e6f5182a7d866

memory/2240-80-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bagmdllg.exe

MD5 311647799637984f63a4889ef9795423
SHA1 74c37eb92d3fb10e9defbdd4f2afa423a8b8432a
SHA256 283a859bc71156c0dd97809033d099fc2e63ceb4527bec57bfddf0abbb971d42
SHA512 c0ca96607a6777c3e90037ba9abde8f55e379fb6d54657394086b1975944c536101490403f82759f548fd29e4459c2e5a8919b1e034533cc80a295dabed79e7e

memory/4812-88-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bgdemb32.exe

MD5 6c2cdb010f8d4822daa706b2ce46b7b0
SHA1 5db9c4a8c419866e2a89401ec270cb5557721a25
SHA256 1170ee63506b2faf4c15e69f7823c3c978829028340e857fb2b3e5c3596cca09
SHA512 8ec86132870e350fdf3f5b2e04e43f8a64af98b831547e1890320a4b4cf02351db9db86b610d657995b28b3de9e61bbe0d45bbc5945ad058245e3beaf9722f06

memory/736-97-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cajjjk32.exe

MD5 1cdba551186874c2251078aa3f764b0a
SHA1 7da74ca84e2556ee9f85cdcc21e897725ee42b01
SHA256 3c04b72066a52ae122b411edb43c7928c9d9cb94624d0e725f13d482f20e5a47
SHA512 4352baa9afd9e9b7bc91445b7c8c47e6bfd46a5671f4de601b19c0fa041a3f5b83fdef3e61e145bbf5d0ddfb85ed3a48c79dc237c8ca07036a0489871bf7774f

memory/4860-105-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cbkfbcpb.exe

MD5 56122d5b5a056ee76ec4516b9eb7f1ea
SHA1 8f0e8643b4661a5814bd59b8cc7ae0691ea95903
SHA256 69ba2acdc026e47db495428305932c1405ebade8bac526d0cd8e42eccff7e56c
SHA512 222451ebf6ab2e4d3061dbc84bb1bd74de435868f9d8292f857397aefd344fd974c411a71ec88b0414dd3842c8938d5f984977b1038da13094521c2c52b5846a

memory/3052-112-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Calfpk32.exe

MD5 037f8f120fa6b4aad9765628ce85fdcc
SHA1 8e657f8cd1df7ca0744de912cb7a756f88e10ae5
SHA256 f5b0663cd4ab647d7177205b62f3b15cb49b4be40df0d0362c6312a87c0c5a19
SHA512 f2d2ef24ec2db54f6afe71bceff200d9c537f57758464f33ee60d90e6ad9a5ce427b91e9bcc5f679fd87a72a6135f986ccbeda32b5af0cac34f6fafb6c0a3cf2

memory/4184-120-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cigkdmel.exe

MD5 09e8c8cf631c243fcd5c48c282541f15
SHA1 674a36c714ce49b130b7eeeacffae581ac88df75
SHA256 1daecdec1035875e1117e8b85291cc2d98e605e056b6686c0a648e1c25d00298
SHA512 94b832d83e8ee38ba1ffe2d247c5717754f57ff40c171104fcf95f462b49c887ed0f0d3ea9ef50c4325ea07c3bc06ba13f3f77a314f4b46fede68429c53bc6d9

memory/228-128-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cpacqg32.exe

MD5 cf756f8c1819f2f629229bb2121a496d
SHA1 e7f5dd99bb3c8d15167085ebc8aed7a6e0ca5be1
SHA256 2d38e9e964bce8be5b14456f7e2dc245e8b892f203dc94f82c0583d033d7f09d
SHA512 d5e823bdeaddbd8ebdbc28c6a28a36b70fd0804294631694488e1e422f1f752334637464c4a604a16cbc070c4960bfc9f84d8d02d5b29e7742a61ce72b437385

memory/4348-136-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cgklmacf.exe

MD5 5ca6c2ac46d99a17b1e295a6afd12b8c
SHA1 8ba1ddb8698791f92e6d21b74e455c6b94bcbc8e
SHA256 8c4f56f05d74a8992d9eccd8f729ee5487fb537662b22776988afc1932524d66
SHA512 44b9f33601db1203ec95f44db7651ba556fafe0c0d10e792434260d7ff43cb3c9dfef18830d9cfbf1129be539211fbf9b41f2d9bbb4eeda2dd52d8de8dd757aa

memory/2840-144-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cpcpfg32.exe

MD5 5804c4da53424c24c0fa15e780439500
SHA1 d6b45d01a098a8370254e01fe582a240c14106d4
SHA256 3f3512379e83582737b61ecf6cde89ed516a8073485b151abfd5ec878e2cfaa3
SHA512 d71146e2d4c74af020906c7d118b1227b16aec107fd3e5ce3c6b462283949b2146e8fdfc78f3886213537469806e58a9a638c911f4213037c9a3d6989cd3fed8

memory/1496-153-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cdolgfbp.exe

MD5 145ea214222eee6352eef02aafc6c39d
SHA1 c8db0ba5670a9a8163e0ca045e5f53d9a2c82172
SHA256 0efc9bbdb2531e69fe40b55afb34cfaf1961bc31fda8e0f772d8fd108e783db7
SHA512 e9b487628c9276e2d152b7c728a5762c5bf0477c867f9bb52effe02ceb2e56467a8b011a2254ea9bd9fa587893e1e6c4df0a8901ef8719a5a8630e49586f3b97

memory/1272-160-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cildom32.exe

MD5 f3d09e69e44469d48789bdd76c7f0dc1
SHA1 a205366a2d88e143fc2b72dea7aa83132271a407
SHA256 a7c794f80eb0284ec0c6a2e911627184bd9267162f1c4d4713d201fbb25e2f56
SHA512 cacb55dd67521805f3536656513342ab95dfa9c1b18112fd86f09a1c04e9f711f096514bec5945f65cd3cc115f5aa6bf58ab78255c331ca356f47d5207362e6a

memory/2320-168-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dgpeha32.exe

MD5 6dd6f56c8813c2c0948586accb81a481
SHA1 93843328f1eed40d2c63a57636906e638d29a7aa
SHA256 7ee5f9c7610d372314d5473581ac12f199750aea919448d6bc189e483df7a628
SHA512 6b95f440d4170f151754f4a1a5686b0ccfd0767ab5c6f2d6043916a62228864666367b7977dadc8545fc6fe30f15f89163fcee375890b06d341fef5f7dde430c

memory/1608-176-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dmjmekgn.exe

MD5 c76ca3cf7b5ce6c7c7c7ff36ed1496ed
SHA1 92c64e203e089d67901177d7e521335bc449bb90
SHA256 3749fbdf130a700d353198ab476bc7ce1c28ca6ca3bd1e7b721ab4833083b9f6
SHA512 9a1a7de99e2fd6898093d8aafb93c628a73fb8647ee84091777000f0c06e1cc608960ca0041a3c9ce287e23bc8c4336542021e19953b789acab73b97c1bafd74

memory/2300-184-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ddcebe32.exe

MD5 041b13eaec4fe511da8c031d4718760b
SHA1 26f03079e904886e764ba1a1dcae70e0c625f228
SHA256 335fd10e49b81b013379a6abe9d953ddc843e9997aab05a19a976a96c118b669
SHA512 c92089ce908ea1b79139bf44948a6cfadf6c5f41a865288cbe91e1a01fe5fcc52fd4126034954e7d1df4745ef4ad5d4784b65528bcb7e06a6fb34d34746910e8

C:\Windows\SysWOW64\Dgbanq32.exe

MD5 53a0a2b82ac9c944384e4374713cc9b5
SHA1 3fd33470656fe02754d3efd0040789b41292e27d
SHA256 0a84bea80d0d8c931c4fd38454262de91a7c73b2692367d08ea46d29dcccb595
SHA512 4be8f63718d80d2a81258908da00ac256ab7d959322c97dce317b6755abd83389d0fa66a8f8b4e4e79ab2f647c431e23f11e04d6215fbf5e2d9801fe520c04e6

memory/3212-200-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5032-198-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dcibca32.exe

MD5 5019410db11c25fbc3bf7c258221c2f6
SHA1 d73a7ef3b962cb8905d958f7145f9fd531805868
SHA256 e4204e9555e6cafaefa60eb38720dd0b7fdc5b9784f500aed3b3d33d1539c0d3
SHA512 c7d73d3aa0761745fabec82dccfe290d33a2e5a5499b4d06300bb0b0040c750e85b98adddd4392a44e390ffc6dbffeb03004188b69dcb7682a35ca77b55cdd0f

memory/3556-209-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dckoia32.exe

MD5 8b1992504c2238dc5233883a53982b3c
SHA1 a4953c59ec5db6346de8344a2f282a5dc4d47e25
SHA256 a358775b6b52a1e21ae9971ecd8839fca1b28fb9d6775cf6e038bbcd0372d51d
SHA512 c20010f775d99c86893cd48468df2c15224ca79ce938f50a60d60b76d0c19202f7176923d3c27871322f7d8676cb4ccd2b2727f0b5160cf0faa99ee34e7a5f89

memory/3624-216-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dnqcfjae.exe

MD5 5778fc3cb7fbd7b31b3d00ed0284d19f
SHA1 1a5045ff54824fef147ceaab6569735f63ae467a
SHA256 d9d7c2911545e435836c7df8b20aadda3c9c807cd00cca00f5ad98c8c7ce1d45
SHA512 45a4b9606f735373631c4ed6dd4c3be22b66e8e44a3aaf3c312bb94629a7b5f1c650326dc65532aba652fe4dc4d5fc96f8aeff6c460889f2e40bbc22a9edb31c

memory/3860-224-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Dgihop32.exe

MD5 4eaff259416756d722e2946dd2f29648
SHA1 c5ddfd637c27f36fe49306f32fe7b3cdb4f8d5a5
SHA256 1698c5183fae4c1f0f8fc13ae678c4568dd2fe8303a5bb505033b5249dea5b2b
SHA512 dee1e2d8dcf8b45017c2a8059c7284390dd6d973e791e55a3cb38cb5067cc3c9b305dc31e9472466bf7f48043d0d1ff78e97c5d32abb50009b931ec54b881db8

memory/2964-232-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Enemaimp.exe

MD5 f6263c846c69e89ab053bde61b3b6468
SHA1 0a88dd2aa49dc03a0f656f912b366a5bf2ae476a
SHA256 dfb15bbec23796ed84920781626e9bcbab0a022e81e4b875d03bb4be3518607e
SHA512 61ce539afedf9c8740f6fd0b7736db1a25507c833a68d1772be3cc5a28779cf425d50f32b18db97f771d2a9248aead1154c056c5f4236ba22110ddd29801bdc3

memory/4836-240-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ekimjn32.exe

MD5 34b7e677d5f7a4b50c67067e0a90fc92
SHA1 661c410a634527559bf43bf651842f645fffb53e
SHA256 f28113cddb73418fc9c24ca1b3280ad6405d5933c192e37291e8837cfd68a305
SHA512 16591dd5b5416bab738bf4a07f433deec061a8acd9e34f2efddeaf7d74d0792db45dbc0985791260359a999dc72c3d0793aca5b1ef754e2be2e0f348636a6dd7

memory/4404-248-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ejojljqa.exe

MD5 dc20aefbffdb75f96e43ef5835c43b36
SHA1 4b4fbc4f0bab7efec341ad3345a7b25c165bfb8a
SHA256 fb55902f650c4a66c1e14e6ad596d54b34bae70413f28714c534ebfb8aa6a25c
SHA512 25e4af0d83b0f07957b992cc094dfcc87ce3c33e7ddbe999aa34d64b07ebf06815b3d3a8a1d452a602baf3d0432257af4db54564c32d929f6b171d4f205e67aa

memory/3704-256-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2456-263-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1192-269-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ekqckmfb.exe

MD5 bd97429610b011c329609516f66388d1
SHA1 ee9aaeaec30e8b04f27d2ca19b50d17a6b337fed
SHA256 8f9c415ceae4210ed19eeca9326e08e47f01253671f9e62eebd174c68bafda61
SHA512 ae28ec6af83dddd9699b1494cea027a19a5bb229e7c05c3b2c03ac8008c85f76482fc2075c830dcf37e0a86185b3adc0c69372791bd9a310360d73447590a6fc

memory/2004-275-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2616-281-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1176-287-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4888-293-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Fdkdibjp.exe

MD5 f709319f9e7273b8923667958ea0fab6
SHA1 ce282ffae3e8aee17692a50010725d96a32d8fd5
SHA256 0fad74aeaa582bcc33062bb2f04c81e483f1a95939d7a9f0f09470df7438b3fc
SHA512 dece0ce4ae3bc115cc52d25c015e58d997277eedfe0af059ec8e8433811b728e2507248af525ec15d6eeec34795b4b81adc332160a5a681d6912dcd84c3a3394

memory/4784-299-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4304-305-0x0000000000400000-0x0000000000440000-memory.dmp

memory/884-311-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Fkgillpj.exe

MD5 65dd1e2698e1098803e19599a12c0c80
SHA1 6baabebb520aa5c57e72c200a525a2c5c1f7a6c9
SHA256 d504fb0d5489c8d49a684a3439181b6e84c0454dc7f925ecf487ad724a176eed
SHA512 893855102024ded115423064ec7bdc469af7787d564d402885348ca28d7097adea75761b1e8046b8fafad4db57dea134a31a061b385bdcb203a14b5d17db1685

memory/4544-317-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1412-323-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2108-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3036-335-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3068-345-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3872-351-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4576-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2460-359-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4656-365-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4656-366-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4576-368-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1412-371-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4544-373-0x0000000000400000-0x0000000000440000-memory.dmp

memory/884-372-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2108-370-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3036-369-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2460-367-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4784-374-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4888-376-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4304-375-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4184-397-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2328-404-0x0000000000400000-0x0000000000440000-memory.dmp

memory/644-409-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4232-408-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4756-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1488-406-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2860-405-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1580-403-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2240-402-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4812-401-0x0000000000400000-0x0000000000440000-memory.dmp

memory/736-400-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4860-399-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3052-398-0x0000000000400000-0x0000000000440000-memory.dmp

memory/228-396-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4348-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2840-394-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1496-393-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1272-392-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2320-391-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1608-390-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2300-389-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3212-388-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3556-387-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3624-386-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3860-385-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2964-384-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4836-383-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3704-382-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2004-381-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1192-379-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2456-380-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1176-378-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2616-377-0x0000000000400000-0x0000000000440000-memory.dmp