Analysis Overview
SHA256
d1a4494b678e0147a9e2bae9de78d249bc43d6dbe72e82b79704b32cf65f3abd
Threat Level: Known bad
The file Backdoor.Win32.Berbew.pzd1a4494b678e0147a9e2bae9de78d249bc43d6dbe72e82b79704b32cf65f3abdN was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 15:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 15:50
Reported
2024-09-16 15:52
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
ShellServiceObjectDelayLoad (SSODL) lists CLSIDs that Explorer.exe instantiates when the shell starts, so these rows name only the CLSID, not the payload; the DLL behind it is whatever the CLSID's InProcServer32 key points to (see "Modifies registry class" below). Every process in the drop chain rewrites the same value, "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}, and because the sample is 32-bit on a 64-bit Windows 7 image the writes are redirected under Wow6432Node. This is autostart persistence in the sense of ATT&CK T1547 (Boot or Logon Autostart Execution), with no Run key, service or scheduled task involved.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kpgionie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kapohbfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jlnmel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jlnmel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpgionie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kapohbfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Jggoqimd.exe | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcqlkjae.exe | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kapohbfp.exe | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kpgionie.exe | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kipmhc32.exe | C:\Windows\SysWOW64\Kpgionie.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhenjmbb.exe | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekhnnojb.dll | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| File created | C:\Windows\SysWOW64\Japciodd.exe | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oiahkhpo.dll | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmgaio32.dll | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jefbnacn.exe | C:\Windows\SysWOW64\Jlnmel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmeedp32.dll | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmnfciac.dll | C:\Windows\SysWOW64\Jlnmel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Caefjg32.dll | C:\Windows\SysWOW64\Kapohbfp.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkpnde32.dll | C:\Windows\SysWOW64\Kpgionie.exe | N/A |
| File created | C:\Windows\SysWOW64\Iamfdo32.exe | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Klecfkff.exe | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmfpmc32.exe | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipafocdg.dll | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| File created | C:\Windows\SysWOW64\Bodilc32.dll | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbhbai32.exe | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jikhnaao.exe | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| File created | C:\Windows\SysWOW64\Mebgijei.dll | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jlnmel32.exe | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Klcgpkhh.exe | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkjpggkn.exe | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdnkdmec.exe | C:\Windows\SysWOW64\Kapohbfp.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcadppco.dll | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Bndneq32.dll | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnagmc32.exe | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jnagmc32.exe | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjjdhc32.exe | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikbilijo.dll | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kapohbfp.exe | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlpckqje.dll | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jipaip32.exe | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmfpmc32.exe | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ekhnnojb.dll | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfohgepi.exe | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmegnj32.dll | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmimcbja.exe | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Imbjcpnn.exe | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Mnpkephg.dll | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kipmhc32.exe | C:\Windows\SysWOW64\Kpgionie.exe | N/A |
| File created | C:\Windows\SysWOW64\Llpfjomf.exe | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Aiomcb32.dll | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmimcbja.exe | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbdhhp32.dll | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkddco32.dll | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnagmc32.exe | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpdjnn32.dll | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmojeo32.dll | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfohgepi.exe | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgcnahoo.exe | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkjpggkn.exe | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlekjpbi.dll | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iamfdo32.exe | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Keppajog.dll | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jabponba.exe | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Kidjdpie.exe | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmofpf32.dll | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| File created | C:\Windows\SysWOW64\Jggoqimd.exe | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jikhnaao.exe | C:\Windows\SysWOW64\Japciodd.exe | N/A |
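The table above lists writes one row per file and in no particular order, so the drop order has to be recovered by joining each row's Process to another row's Indicator. The Python below is an added example, not part of this report: it runs over a verbatim excerpt of the rows, builds a writer-to-file graph, walks exe-to-exe edges from the submitted sample and lists the DLL each generation dropped. The visited set is not optional: the excerpt includes the row where Jnagmc32.exe creates Jnagmc32.exe, a name collision between two generations that would loop a naive walk.

```python
from collections import defaultdict

# Rows copied from the "Drops file in System32 directory" table above. This is
# an excerpt (the full table carries more generations); a raw string keeps the
# Windows backslashes intact.
TABLE_ROWS = r"""
| File created | C:\Windows\SysWOW64\Imbjcpnn.exe | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlpckqje.dll | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Iamfdo32.exe | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkddco32.dll | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Jggoqimd.exe | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Keppajog.dll | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnagmc32.exe | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekhnnojb.dll | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnagmc32.exe | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpdjnn32.dll | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ekhnnojb.dll | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Japciodd.exe | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmeedp32.dll | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jikhnaao.exe | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| File created | C:\Windows\SysWOW64\Oiahkhpo.dll | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Jabponba.exe | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
"""

# Both operations mean the process wrote the target file.
WRITE_OPS = {"File created", "File opened for modification"}


def parse_rows(table):
    """Return (description, indicator, process) tuples from pipe-delimited rows."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] != "Description":
            rows.append((cells[0], cells[1], cells[2]))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_graph(rows):
    """Map each writing process (by file name) to the set of files it wrote."""
    writes = defaultdict(set)
    for desc, target, proc in rows:
        if desc in WRITE_OPS:
            writes[basename(proc)].add(basename(target))
    return writes


def drop_chain(writes, root):
    """Depth-first walk over exe -> exe edges, in drop order.
    The visited set guards against the Jnagmc32.exe -> Jnagmc32.exe self-edge
    present in the table (two generations drew the same name)."""
    order, seen = [], set()

    def visit(exe):
        seen.add(exe)
        order.append(exe)
        for child in sorted(writes.get(exe, ())):
            if child.lower().endswith(".exe") and child not in seen:
                visit(child)

    visit(root)
    return order


def dropped_dlls(writes):
    """DLL(s) written by each generation; these are the InProcServer32 payloads."""
    return {exe: sorted(f for f in files if f.lower().endswith(".dll"))
            for exe, files in writes.items()}


if __name__ == "__main__":
    writes = build_graph(parse_rows(TABLE_ROWS))
    dlls = dropped_dlls(writes)
    for depth, exe in enumerate(drop_chain(writes, "Backdoor.Win32.Berbew.exe")):
        print(f"{depth:2d} {exe:28s} dll={','.join(dlls.get(exe, [])) or '-'}")
```

The excerpt ends at Jabponba.exe; on the full table the same walk continues through the K-named generations to Llpfjomf.exe and Lbjofi32.exe. Two things stand out once the chain is in order: the first letter of each name advances I, J, K, L across generations, and every dropped name is eight characters with an optional "32" tail, which reads like a system binary name. That pattern, compared against a clean baseline of SysWOW64, is the thing to hunt for.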
System Location Discovery: System Language Discovery
Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is how the installed and default system language are read, and benign runtimes do it too; each process in the chain opens it once. Treat this as a low-confidence indicator (ATT&CK T1614.001) rather than evidence of geographic targeting on its own; nothing in this report shows what the sample does with the result.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kpgionie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlnmel32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kapohbfp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbjofi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
Modifies registry class
These rows are the other half of the SSODL persistence above: each generation registers its own freshly dropped DLL as the in-process COM server for {79FEACFF-FFCE-815E-A900-316290B5B738} (InProcServer32 default value, ThreadingModel = "Apartment"), so the CLSID that Explorer.exe loads is re-pointed to a new DLL at every step. A legitimate COM registration writes one path for one CLSID once; here the same key is rewritten by more than twenty processes. The paths are written as SysWow64 and stored under Classes\Wow6432Node because the sample is 32-bit.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll" | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jlnmel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll" | C:\Windows\SysWOW64\Kpgionie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll" | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll" | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll" | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Japciodd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kapohbfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jcqlkjae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll" | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kapohbfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jggoqimd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll" | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll" | C:\Windows\SysWOW64\Imbjcpnn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
C:\Windows\SysWOW64\Imbjcpnn.exe
C:\Windows\system32\Imbjcpnn.exe
C:\Windows\SysWOW64\Iamfdo32.exe
C:\Windows\system32\Iamfdo32.exe
C:\Windows\SysWOW64\Jggoqimd.exe
C:\Windows\system32\Jggoqimd.exe
C:\Windows\SysWOW64\Jnagmc32.exe
C:\Windows\system32\Jnagmc32.exe
C:\Windows\SysWOW64\Jnagmc32.exe
C:\Windows\system32\Jnagmc32.exe
C:\Windows\SysWOW64\Japciodd.exe
C:\Windows\system32\Japciodd.exe
C:\Windows\SysWOW64\Jikhnaao.exe
C:\Windows\system32\Jikhnaao.exe
C:\Windows\SysWOW64\Jabponba.exe
C:\Windows\system32\Jabponba.exe
C:\Windows\SysWOW64\Jcqlkjae.exe
C:\Windows\system32\Jcqlkjae.exe
C:\Windows\SysWOW64\Jfohgepi.exe
C:\Windows\system32\Jfohgepi.exe
C:\Windows\SysWOW64\Jjjdhc32.exe
C:\Windows\system32\Jjjdhc32.exe
C:\Windows\SysWOW64\Jipaip32.exe
C:\Windows\system32\Jipaip32.exe
C:\Windows\SysWOW64\Jlnmel32.exe
C:\Windows\system32\Jlnmel32.exe
C:\Windows\SysWOW64\Jefbnacn.exe
C:\Windows\system32\Jefbnacn.exe
C:\Windows\SysWOW64\Jhenjmbb.exe
C:\Windows\system32\Jhenjmbb.exe
C:\Windows\SysWOW64\Kidjdpie.exe
C:\Windows\system32\Kidjdpie.exe
C:\Windows\SysWOW64\Klcgpkhh.exe
C:\Windows\system32\Klcgpkhh.exe
C:\Windows\SysWOW64\Kapohbfp.exe
C:\Windows\system32\Kapohbfp.exe
C:\Windows\SysWOW64\Kdnkdmec.exe
C:\Windows\system32\Kdnkdmec.exe
C:\Windows\SysWOW64\Klecfkff.exe
C:\Windows\system32\Klecfkff.exe
C:\Windows\SysWOW64\Kmfpmc32.exe
C:\Windows\system32\Kmfpmc32.exe
C:\Windows\SysWOW64\Kkjpggkn.exe
C:\Windows\system32\Kkjpggkn.exe
C:\Windows\SysWOW64\Kmimcbja.exe
C:\Windows\system32\Kmimcbja.exe
C:\Windows\SysWOW64\Kpgionie.exe
C:\Windows\system32\Kpgionie.exe
C:\Windows\SysWOW64\Kipmhc32.exe
C:\Windows\system32\Kipmhc32.exe
C:\Windows\SysWOW64\Kbhbai32.exe
C:\Windows\system32\Kbhbai32.exe
C:\Windows\SysWOW64\Kgcnahoo.exe
C:\Windows\system32\Kgcnahoo.exe
C:\Windows\SysWOW64\Llpfjomf.exe
C:\Windows\system32\Llpfjomf.exe
C:\Windows\SysWOW64\Lbjofi32.exe
C:\Windows\system32\Lbjofi32.exe
Network
Files
\Windows\SysWOW64\Imbjcpnn.exe
C:\Windows\SysWOW64\Iamfdo32.exe
C:\Windows\SysWOW64\Jggoqimd.exe
C:\Windows\SysWOW64\Jnagmc32.exe
C:\Windows\SysWOW64\Ekhnnojb.dll
\Windows\SysWOW64\Japciodd.exe
\Windows\SysWOW64\Jikhnaao.exe
\Windows\SysWOW64\Jfohgepi.exe
C:\Windows\SysWOW64\Jcqlkjae.exe
C:\Windows\SysWOW64\Jabponba.exe
\Windows\SysWOW64\Jjjdhc32.exe
\Windows\SysWOW64\Jipaip32.exe
\Windows\SysWOW64\Jlnmel32.exe
\Windows\SysWOW64\Jefbnacn.exe
C:\Windows\SysWOW64\Jhenjmbb.exe
\Windows\SysWOW64\Kidjdpie.exe
C:\Windows\SysWOW64\Klcgpkhh.exe
C:\Windows\SysWOW64\Kapohbfp.exe
C:\Windows\SysWOW64\Kdnkdmec.exe
C:\Windows\SysWOW64\Klecfkff.exe
C:\Windows\SysWOW64\Kmfpmc32.exe
C:\Windows\SysWOW64\Kkjpggkn.exe
C:\Windows\SysWOW64\Kmimcbja.exe
C:\Windows\SysWOW64\Kpgionie.exe
C:\Windows\SysWOW64\Kipmhc32.exe
C:\Windows\SysWOW64\Kbhbai32.exe
C:\Windows\SysWOW64\Kgcnahoo.exe
C:\Windows\SysWOW64\Llpfjomf.exe
C:\Windows\SysWOW64\Lbjofi32.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-16 15:50
Reported
2024-09-16 15:52
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bagmdllg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpcpfg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekngemhd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpcpfg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fqdbdbna.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fgnjqm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fklcgk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmjmekgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eqmlccdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dckoia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Banjnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cajjjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Biiobo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bagmdllg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddcebe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fcekfnkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bgdemb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dcibca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Edfknb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fdkdibjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekqckmfb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgdemb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdkdibjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fcekfnkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cajjjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekimjn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjocbhbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdbkja32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekqckmfb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmjmekgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekimjn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fggdpnkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fggdpnkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbaclegm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmggingc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fgnjqm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eqmlccdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fklcgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfkbfd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Biiobo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bipecnkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekngemhd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
Berbew
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Fdkdibjp.exe | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmidnm32.exe | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ekimjn32.exe | C:\Windows\SysWOW64\Enemaimp.exe | N/A |
| File created | C:\Windows\SysWOW64\Eclhcj32.dll | C:\Windows\SysWOW64\Edfknb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjinnekj.dll | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fklcgk32.exe | C:\Windows\SysWOW64\Fcekfnkb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dcibca32.exe | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Enemaimp.exe | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cigkdmel.exe | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejojljqa.exe | C:\Windows\SysWOW64\Ekimjn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bbaclegm.exe | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| File created | C:\Windows\SysWOW64\Baepolni.exe | C:\Windows\SysWOW64\Bmidnm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgklmacf.exe | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nepmal32.dll | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Blghiiea.dll | C:\Windows\SysWOW64\Eqmlccdi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbkfbcpb.exe | C:\Windows\SysWOW64\Cajjjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejnnldhi.dll | C:\Windows\SysWOW64\Cajjjk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bagmdllg.exe | C:\Windows\SysWOW64\Bipecnkd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmjmekgn.exe | C:\Windows\SysWOW64\Dgpeha32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgihop32.exe | C:\Windows\SysWOW64\Dnqcfjae.exe | N/A |
| File created | C:\Windows\SysWOW64\Anijgd32.dll | C:\Windows\SysWOW64\Enemaimp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcggmk32.dll | C:\Windows\SysWOW64\Fjocbhbo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bipecnkd.exe | C:\Windows\SysWOW64\Baepolni.exe | N/A |
| File created | C:\Windows\SysWOW64\Bagmdllg.exe | C:\Windows\SysWOW64\Bipecnkd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjnmkgom.dll | C:\Windows\SysWOW64\Dnqcfjae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkgillpj.exe | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgklmacf.exe | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpcpfg32.exe | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkcpql32.exe | C:\Windows\SysWOW64\Fggdpnkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Gajlgpic.dll | C:\Windows\SysWOW64\Fkgillpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfkbfd32.exe | C:\Windows\SysWOW64\Banjnm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kamonn32.dll | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkddhfnh.dll | C:\Windows\SysWOW64\Bagmdllg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Calfpk32.exe | C:\Windows\SysWOW64\Cbkfbcpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cildom32.exe | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Npgqep32.dll | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fqdbdbna.exe | C:\Windows\SysWOW64\Fkgillpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Eknphfld.dll | C:\Windows\SysWOW64\Bfkbfd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmggingc.exe | C:\Windows\SysWOW64\Bbaclegm.exe | N/A |
| File created | C:\Windows\SysWOW64\Eaecci32.dll | C:\Windows\SysWOW64\Ekimjn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjocbhbo.exe | C:\Windows\SysWOW64\Fklcgk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfkbfd32.exe | C:\Windows\SysWOW64\Banjnm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlkppnab.dll | C:\Windows\SysWOW64\Ddcebe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fnhbmgmk.exe | C:\Windows\SysWOW64\Fgnjqm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekimjn32.exe | C:\Windows\SysWOW64\Enemaimp.exe | N/A |
| File created | C:\Windows\SysWOW64\Fqbeoc32.exe | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbkfbcpb.exe | C:\Windows\SysWOW64\Cajjjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgqaip32.dll | C:\Windows\SysWOW64\Dgpeha32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Enemaimp.exe | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ekngemhd.exe | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfolacnc.exe | C:\Windows\SysWOW64\Bmggingc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgdemb32.exe | C:\Windows\SysWOW64\Bagmdllg.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgnjqm32.exe | C:\Windows\SysWOW64\Fqdbdbna.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gddgpqbe.exe | C:\Windows\SysWOW64\Fjocbhbo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgpeha32.exe | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpcgahca.dll | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eqmlccdi.exe | C:\Windows\SysWOW64\Ekqckmfb.exe | N/A |
| File created | C:\Windows\SysWOW64\Fggdpnkf.exe | C:\Windows\SysWOW64\Eqmlccdi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Banjnm32.exe | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmbpjm32.dll | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghfqhkbn.dll | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdolgfbp.exe | C:\Windows\SysWOW64\Cpcpfg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dnqcfjae.exe | C:\Windows\SysWOW64\Dckoia32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Edfknb32.exe | C:\Windows\SysWOW64\Ekngemhd.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Gddgpqbe.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baepolni.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Edfknb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekqckmfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkgillpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fdkdibjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekimjn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dnqcfjae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Enemaimp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fklcgk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bipecnkd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbkfbcpb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddcebe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fgnjqm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cajjjk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmggingc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekngemhd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fdbkja32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gddgpqbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bagmdllg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpcpfg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fcekfnkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Banjnm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dcibca32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfkbfd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbaclegm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmjmekgn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biiobo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fqdbdbna.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmidnm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eqmlccdi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fjocbhbo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdocph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgdemb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgpeha32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dckoia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fggdpnkf.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bipecnkd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dcibca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fnhbmgmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fjocbhbo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Baepolni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cajjjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cigkdmel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejojljqa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll" | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll" | C:\Windows\SysWOW64\Cpcpfg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpcpfg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ekngemhd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll" | C:\Windows\SysWOW64\Fqbeoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll" | C:\Windows\SysWOW64\Bipecnkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll" | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgihop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmafal32.dll" | C:\Windows\SysWOW64\Bmidnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fqdbdbna.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll" | C:\Windows\SysWOW64\Bmggingc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enemaimp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll" | C:\Windows\SysWOW64\Fqdbdbna.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fcekfnkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll" | C:\Windows\SysWOW64\Fjocbhbo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fcekfnkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bipecnkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll" | C:\Windows\SysWOW64\Bagmdllg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpacqg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpcpfg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dgpeha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll" | C:\Windows\SysWOW64\Dgbanq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll" | C:\Windows\SysWOW64\Ekimjn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfolacnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dnqcfjae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclhcj32.dll" | C:\Windows\SysWOW64\Edfknb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eqmlccdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll" | C:\Windows\SysWOW64\Fkemfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmggingc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fdkdibjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll" | C:\Windows\SysWOW64\Fdbkja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fdbkja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjnmkgom.dll" | C:\Windows\SysWOW64\Dnqcfjae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Banjnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll" | C:\Windows\SysWOW64\Biiobo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Baepolni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dmjmekgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" | C:\Windows\SysWOW64\Cbkfbcpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmjmekgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll" | C:\Windows\SysWOW64\Fdkdibjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Edfknb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fkcpql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fgnjqm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll" | C:\Windows\SysWOW64\Bgdemb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll" | C:\Windows\SysWOW64\Dcibca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll" | C:\Windows\SysWOW64\Dckoia32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
C:\Windows\SysWOW64\Banjnm32.exe
C:\Windows\system32\Banjnm32.exe
C:\Windows\SysWOW64\Bfkbfd32.exe
C:\Windows\system32\Bfkbfd32.exe
C:\Windows\SysWOW64\Biiobo32.exe
C:\Windows\system32\Biiobo32.exe
C:\Windows\SysWOW64\Bdocph32.exe
C:\Windows\system32\Bdocph32.exe
C:\Windows\SysWOW64\Bbaclegm.exe
C:\Windows\system32\Bbaclegm.exe
C:\Windows\SysWOW64\Bmggingc.exe
C:\Windows\system32\Bmggingc.exe
C:\Windows\SysWOW64\Bfolacnc.exe
C:\Windows\system32\Bfolacnc.exe
C:\Windows\SysWOW64\Bmidnm32.exe
C:\Windows\system32\Bmidnm32.exe
C:\Windows\SysWOW64\Baepolni.exe
C:\Windows\system32\Baepolni.exe
C:\Windows\SysWOW64\Bipecnkd.exe
C:\Windows\system32\Bipecnkd.exe
C:\Windows\SysWOW64\Bagmdllg.exe
C:\Windows\system32\Bagmdllg.exe
C:\Windows\SysWOW64\Bgdemb32.exe
C:\Windows\system32\Bgdemb32.exe
C:\Windows\SysWOW64\Cajjjk32.exe
C:\Windows\system32\Cajjjk32.exe
C:\Windows\SysWOW64\Cbkfbcpb.exe
C:\Windows\system32\Cbkfbcpb.exe
C:\Windows\SysWOW64\Calfpk32.exe
C:\Windows\system32\Calfpk32.exe
C:\Windows\SysWOW64\Cigkdmel.exe
C:\Windows\system32\Cigkdmel.exe
C:\Windows\SysWOW64\Cpacqg32.exe
C:\Windows\system32\Cpacqg32.exe
C:\Windows\SysWOW64\Cgklmacf.exe
C:\Windows\system32\Cgklmacf.exe
C:\Windows\SysWOW64\Cpcpfg32.exe
C:\Windows\system32\Cpcpfg32.exe
C:\Windows\SysWOW64\Cdolgfbp.exe
C:\Windows\system32\Cdolgfbp.exe
C:\Windows\SysWOW64\Cildom32.exe
C:\Windows\system32\Cildom32.exe
C:\Windows\SysWOW64\Dgpeha32.exe
C:\Windows\system32\Dgpeha32.exe
C:\Windows\SysWOW64\Dmjmekgn.exe
C:\Windows\system32\Dmjmekgn.exe
C:\Windows\SysWOW64\Ddcebe32.exe
C:\Windows\system32\Ddcebe32.exe
C:\Windows\SysWOW64\Dgbanq32.exe
C:\Windows\system32\Dgbanq32.exe
C:\Windows\SysWOW64\Dcibca32.exe
C:\Windows\system32\Dcibca32.exe
C:\Windows\SysWOW64\Dckoia32.exe
C:\Windows\system32\Dckoia32.exe
C:\Windows\SysWOW64\Dnqcfjae.exe
C:\Windows\system32\Dnqcfjae.exe
C:\Windows\SysWOW64\Dgihop32.exe
C:\Windows\system32\Dgihop32.exe
C:\Windows\SysWOW64\Enemaimp.exe
C:\Windows\system32\Enemaimp.exe
C:\Windows\SysWOW64\Ekimjn32.exe
C:\Windows\system32\Ekimjn32.exe
C:\Windows\SysWOW64\Ejojljqa.exe
C:\Windows\system32\Ejojljqa.exe
C:\Windows\SysWOW64\Ekngemhd.exe
C:\Windows\system32\Ekngemhd.exe
C:\Windows\SysWOW64\Edfknb32.exe
C:\Windows\system32\Edfknb32.exe
C:\Windows\SysWOW64\Ekqckmfb.exe
C:\Windows\system32\Ekqckmfb.exe
C:\Windows\SysWOW64\Eqmlccdi.exe
C:\Windows\system32\Eqmlccdi.exe
C:\Windows\SysWOW64\Fggdpnkf.exe
C:\Windows\system32\Fggdpnkf.exe
C:\Windows\SysWOW64\Fkcpql32.exe
C:\Windows\system32\Fkcpql32.exe
C:\Windows\SysWOW64\Fdkdibjp.exe
C:\Windows\system32\Fdkdibjp.exe
C:\Windows\SysWOW64\Fkemfl32.exe
C:\Windows\system32\Fkemfl32.exe
C:\Windows\SysWOW64\Fqbeoc32.exe
C:\Windows\system32\Fqbeoc32.exe
C:\Windows\SysWOW64\Fkgillpj.exe
C:\Windows\system32\Fkgillpj.exe
C:\Windows\SysWOW64\Fqdbdbna.exe
C:\Windows\system32\Fqdbdbna.exe
C:\Windows\SysWOW64\Fgnjqm32.exe
C:\Windows\system32\Fgnjqm32.exe
C:\Windows\SysWOW64\Fnhbmgmk.exe
C:\Windows\system32\Fnhbmgmk.exe
C:\Windows\SysWOW64\Fdbkja32.exe
C:\Windows\system32\Fdbkja32.exe
C:\Windows\SysWOW64\Fcekfnkb.exe
C:\Windows\system32\Fcekfnkb.exe
C:\Windows\SysWOW64\Fklcgk32.exe
C:\Windows\system32\Fklcgk32.exe
C:\Windows\SysWOW64\Fjocbhbo.exe
C:\Windows\system32\Fjocbhbo.exe
C:\Windows\SysWOW64\Gddgpqbe.exe
C:\Windows\system32\Gddgpqbe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4656 -ip 4656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 408
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4144,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
Network
Files
memory/1580-72-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bipecnkd.exe
| MD5 | ffb409ca0523b6fda03d846405606226 |
| SHA1 | 22eab0dfbcbb5edcf2ae51c31f9e15effb2b48dd |
| SHA256 | bf6ba18b9851f905b1bac81feb9f142551b28914b95720b2fe7da37f8201eeec |
| SHA512 | 39fb6c014b15ba0efd6067e55ae57a6eb2c213035e2f602dc4d84fd09be54786caf2f7487f07f7c8d3b4d129cee26da0a0f67dccc978d7bfda3e6f5182a7d866 |
memory/2240-80-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bagmdllg.exe
| MD5 | 311647799637984f63a4889ef9795423 |
| SHA1 | 74c37eb92d3fb10e9defbdd4f2afa423a8b8432a |
| SHA256 | 283a859bc71156c0dd97809033d099fc2e63ceb4527bec57bfddf0abbb971d42 |
| SHA512 | c0ca96607a6777c3e90037ba9abde8f55e379fb6d54657394086b1975944c536101490403f82759f548fd29e4459c2e5a8919b1e034533cc80a295dabed79e7e |
memory/4812-88-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bgdemb32.exe
| MD5 | 6c2cdb010f8d4822daa706b2ce46b7b0 |
| SHA1 | 5db9c4a8c419866e2a89401ec270cb5557721a25 |
| SHA256 | 1170ee63506b2faf4c15e69f7823c3c978829028340e857fb2b3e5c3596cca09 |
| SHA512 | 8ec86132870e350fdf3f5b2e04e43f8a64af98b831547e1890320a4b4cf02351db9db86b610d657995b28b3de9e61bbe0d45bbc5945ad058245e3beaf9722f06 |
memory/736-97-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cajjjk32.exe
| MD5 | 1cdba551186874c2251078aa3f764b0a |
| SHA1 | 7da74ca84e2556ee9f85cdcc21e897725ee42b01 |
| SHA256 | 3c04b72066a52ae122b411edb43c7928c9d9cb94624d0e725f13d482f20e5a47 |
| SHA512 | 4352baa9afd9e9b7bc91445b7c8c47e6bfd46a5671f4de601b19c0fa041a3f5b83fdef3e61e145bbf5d0ddfb85ed3a48c79dc237c8ca07036a0489871bf7774f |
memory/4860-105-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cbkfbcpb.exe
| MD5 | 56122d5b5a056ee76ec4516b9eb7f1ea |
| SHA1 | 8f0e8643b4661a5814bd59b8cc7ae0691ea95903 |
| SHA256 | 69ba2acdc026e47db495428305932c1405ebade8bac526d0cd8e42eccff7e56c |
| SHA512 | 222451ebf6ab2e4d3061dbc84bb1bd74de435868f9d8292f857397aefd344fd974c411a71ec88b0414dd3842c8938d5f984977b1038da13094521c2c52b5846a |
memory/3052-112-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Calfpk32.exe
| MD5 | 037f8f120fa6b4aad9765628ce85fdcc |
| SHA1 | 8e657f8cd1df7ca0744de912cb7a756f88e10ae5 |
| SHA256 | f5b0663cd4ab647d7177205b62f3b15cb49b4be40df0d0362c6312a87c0c5a19 |
| SHA512 | f2d2ef24ec2db54f6afe71bceff200d9c537f57758464f33ee60d90e6ad9a5ce427b91e9bcc5f679fd87a72a6135f986ccbeda32b5af0cac34f6fafb6c0a3cf2 |
memory/4184-120-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cigkdmel.exe
| MD5 | 09e8c8cf631c243fcd5c48c282541f15 |
| SHA1 | 674a36c714ce49b130b7eeeacffae581ac88df75 |
| SHA256 | 1daecdec1035875e1117e8b85291cc2d98e605e056b6686c0a648e1c25d00298 |
| SHA512 | 94b832d83e8ee38ba1ffe2d247c5717754f57ff40c171104fcf95f462b49c887ed0f0d3ea9ef50c4325ea07c3bc06ba13f3f77a314f4b46fede68429c53bc6d9 |
memory/228-128-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cpacqg32.exe
| MD5 | cf756f8c1819f2f629229bb2121a496d |
| SHA1 | e7f5dd99bb3c8d15167085ebc8aed7a6e0ca5be1 |
| SHA256 | 2d38e9e964bce8be5b14456f7e2dc245e8b892f203dc94f82c0583d033d7f09d |
| SHA512 | d5e823bdeaddbd8ebdbc28c6a28a36b70fd0804294631694488e1e422f1f752334637464c4a604a16cbc070c4960bfc9f84d8d02d5b29e7742a61ce72b437385 |
memory/4348-136-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cgklmacf.exe
| MD5 | 5ca6c2ac46d99a17b1e295a6afd12b8c |
| SHA1 | 8ba1ddb8698791f92e6d21b74e455c6b94bcbc8e |
| SHA256 | 8c4f56f05d74a8992d9eccd8f729ee5487fb537662b22776988afc1932524d66 |
| SHA512 | 44b9f33601db1203ec95f44db7651ba556fafe0c0d10e792434260d7ff43cb3c9dfef18830d9cfbf1129be539211fbf9b41f2d9bbb4eeda2dd52d8de8dd757aa |
memory/2840-144-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cpcpfg32.exe
| MD5 | 5804c4da53424c24c0fa15e780439500 |
| SHA1 | d6b45d01a098a8370254e01fe582a240c14106d4 |
| SHA256 | 3f3512379e83582737b61ecf6cde89ed516a8073485b151abfd5ec878e2cfaa3 |
| SHA512 | d71146e2d4c74af020906c7d118b1227b16aec107fd3e5ce3c6b462283949b2146e8fdfc78f3886213537469806e58a9a638c911f4213037c9a3d6989cd3fed8 |
memory/1496-153-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cdolgfbp.exe
| MD5 | 145ea214222eee6352eef02aafc6c39d |
| SHA1 | c8db0ba5670a9a8163e0ca045e5f53d9a2c82172 |
| SHA256 | 0efc9bbdb2531e69fe40b55afb34cfaf1961bc31fda8e0f772d8fd108e783db7 |
| SHA512 | e9b487628c9276e2d152b7c728a5762c5bf0477c867f9bb52effe02ceb2e56467a8b011a2254ea9bd9fa587893e1e6c4df0a8901ef8719a5a8630e49586f3b97 |
memory/1272-160-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cildom32.exe
| MD5 | f3d09e69e44469d48789bdd76c7f0dc1 |
| SHA1 | a205366a2d88e143fc2b72dea7aa83132271a407 |
| SHA256 | a7c794f80eb0284ec0c6a2e911627184bd9267162f1c4d4713d201fbb25e2f56 |
| SHA512 | cacb55dd67521805f3536656513342ab95dfa9c1b18112fd86f09a1c04e9f711f096514bec5945f65cd3cc115f5aa6bf58ab78255c331ca356f47d5207362e6a |
memory/2320-168-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dgpeha32.exe
| MD5 | 6dd6f56c8813c2c0948586accb81a481 |
| SHA1 | 93843328f1eed40d2c63a57636906e638d29a7aa |
| SHA256 | 7ee5f9c7610d372314d5473581ac12f199750aea919448d6bc189e483df7a628 |
| SHA512 | 6b95f440d4170f151754f4a1a5686b0ccfd0767ab5c6f2d6043916a62228864666367b7977dadc8545fc6fe30f15f89163fcee375890b06d341fef5f7dde430c |
memory/1608-176-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dmjmekgn.exe
| MD5 | c76ca3cf7b5ce6c7c7c7ff36ed1496ed |
| SHA1 | 92c64e203e089d67901177d7e521335bc449bb90 |
| SHA256 | 3749fbdf130a700d353198ab476bc7ce1c28ca6ca3bd1e7b721ab4833083b9f6 |
| SHA512 | 9a1a7de99e2fd6898093d8aafb93c628a73fb8647ee84091777000f0c06e1cc608960ca0041a3c9ce287e23bc8c4336542021e19953b789acab73b97c1bafd74 |
memory/2300-184-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ddcebe32.exe
| MD5 | 041b13eaec4fe511da8c031d4718760b |
| SHA1 | 26f03079e904886e764ba1a1dcae70e0c625f228 |
| SHA256 | 335fd10e49b81b013379a6abe9d953ddc843e9997aab05a19a976a96c118b669 |
| SHA512 | c92089ce908ea1b79139bf44948a6cfadf6c5f41a865288cbe91e1a01fe5fcc52fd4126034954e7d1df4745ef4ad5d4784b65528bcb7e06a6fb34d34746910e8 |
C:\Windows\SysWOW64\Dgbanq32.exe
| MD5 | 53a0a2b82ac9c944384e4374713cc9b5 |
| SHA1 | 3fd33470656fe02754d3efd0040789b41292e27d |
| SHA256 | 0a84bea80d0d8c931c4fd38454262de91a7c73b2692367d08ea46d29dcccb595 |
| SHA512 | 4be8f63718d80d2a81258908da00ac256ab7d959322c97dce317b6755abd83389d0fa66a8f8b4e4e79ab2f647c431e23f11e04d6215fbf5e2d9801fe520c04e6 |
memory/3212-200-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5032-198-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dcibca32.exe
| MD5 | 5019410db11c25fbc3bf7c258221c2f6 |
| SHA1 | d73a7ef3b962cb8905d958f7145f9fd531805868 |
| SHA256 | e4204e9555e6cafaefa60eb38720dd0b7fdc5b9784f500aed3b3d33d1539c0d3 |
| SHA512 | c7d73d3aa0761745fabec82dccfe290d33a2e5a5499b4d06300bb0b0040c750e85b98adddd4392a44e390ffc6dbffeb03004188b69dcb7682a35ca77b55cdd0f |
memory/3556-209-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dckoia32.exe
| MD5 | 8b1992504c2238dc5233883a53982b3c |
| SHA1 | a4953c59ec5db6346de8344a2f282a5dc4d47e25 |
| SHA256 | a358775b6b52a1e21ae9971ecd8839fca1b28fb9d6775cf6e038bbcd0372d51d |
| SHA512 | c20010f775d99c86893cd48468df2c15224ca79ce938f50a60d60b76d0c19202f7176923d3c27871322f7d8676cb4ccd2b2727f0b5160cf0faa99ee34e7a5f89 |
memory/3624-216-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dnqcfjae.exe
| MD5 | 5778fc3cb7fbd7b31b3d00ed0284d19f |
| SHA1 | 1a5045ff54824fef147ceaab6569735f63ae467a |
| SHA256 | d9d7c2911545e435836c7df8b20aadda3c9c807cd00cca00f5ad98c8c7ce1d45 |
| SHA512 | 45a4b9606f735373631c4ed6dd4c3be22b66e8e44a3aaf3c312bb94629a7b5f1c650326dc65532aba652fe4dc4d5fc96f8aeff6c460889f2e40bbc22a9edb31c |
memory/3860-224-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dgihop32.exe
| MD5 | 4eaff259416756d722e2946dd2f29648 |
| SHA1 | c5ddfd637c27f36fe49306f32fe7b3cdb4f8d5a5 |
| SHA256 | 1698c5183fae4c1f0f8fc13ae678c4568dd2fe8303a5bb505033b5249dea5b2b |
| SHA512 | dee1e2d8dcf8b45017c2a8059c7284390dd6d973e791e55a3cb38cb5067cc3c9b305dc31e9472466bf7f48043d0d1ff78e97c5d32abb50009b931ec54b881db8 |
memory/2964-232-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Enemaimp.exe
| MD5 | f6263c846c69e89ab053bde61b3b6468 |
| SHA1 | 0a88dd2aa49dc03a0f656f912b366a5bf2ae476a |
| SHA256 | dfb15bbec23796ed84920781626e9bcbab0a022e81e4b875d03bb4be3518607e |
| SHA512 | 61ce539afedf9c8740f6fd0b7736db1a25507c833a68d1772be3cc5a28779cf425d50f32b18db97f771d2a9248aead1154c056c5f4236ba22110ddd29801bdc3 |
memory/4836-240-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ekimjn32.exe
| MD5 | 34b7e677d5f7a4b50c67067e0a90fc92 |
| SHA1 | 661c410a634527559bf43bf651842f645fffb53e |
| SHA256 | f28113cddb73418fc9c24ca1b3280ad6405d5933c192e37291e8837cfd68a305 |
| SHA512 | 16591dd5b5416bab738bf4a07f433deec061a8acd9e34f2efddeaf7d74d0792db45dbc0985791260359a999dc72c3d0793aca5b1ef754e2be2e0f348636a6dd7 |
memory/4404-248-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ejojljqa.exe
| MD5 | dc20aefbffdb75f96e43ef5835c43b36 |
| SHA1 | 4b4fbc4f0bab7efec341ad3345a7b25c165bfb8a |
| SHA256 | fb55902f650c4a66c1e14e6ad596d54b34bae70413f28714c534ebfb8aa6a25c |
| SHA512 | 25e4af0d83b0f07957b992cc094dfcc87ce3c33e7ddbe999aa34d64b07ebf06815b3d3a8a1d452a602baf3d0432257af4db54564c32d929f6b171d4f205e67aa |
memory/3704-256-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2456-263-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1192-269-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ekqckmfb.exe
| MD5 | bd97429610b011c329609516f66388d1 |
| SHA1 | ee9aaeaec30e8b04f27d2ca19b50d17a6b337fed |
| SHA256 | 8f9c415ceae4210ed19eeca9326e08e47f01253671f9e62eebd174c68bafda61 |
| SHA512 | ae28ec6af83dddd9699b1494cea027a19a5bb229e7c05c3b2c03ac8008c85f76482fc2075c830dcf37e0a86185b3adc0c69372791bd9a310360d73447590a6fc |
memory/2004-275-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2616-281-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1176-287-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4888-293-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Fdkdibjp.exe
| MD5 | f709319f9e7273b8923667958ea0fab6 |
| SHA1 | ce282ffae3e8aee17692a50010725d96a32d8fd5 |
| SHA256 | 0fad74aeaa582bcc33062bb2f04c81e483f1a95939d7a9f0f09470df7438b3fc |
| SHA512 | dece0ce4ae3bc115cc52d25c015e58d997277eedfe0af059ec8e8433811b728e2507248af525ec15d6eeec34795b4b81adc332160a5a681d6912dcd84c3a3394 |
memory/4784-299-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4304-305-0x0000000000400000-0x0000000000440000-memory.dmp
memory/884-311-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Fkgillpj.exe
| MD5 | 65dd1e2698e1098803e19599a12c0c80 |
| SHA1 | 6baabebb520aa5c57e72c200a525a2c5c1f7a6c9 |
| SHA256 | d504fb0d5489c8d49a684a3439181b6e84c0454dc7f925ecf487ad724a176eed |
| SHA512 | 893855102024ded115423064ec7bdc469af7787d564d402885348ca28d7097adea75761b1e8046b8fafad4db57dea134a31a061b385bdcb203a14b5d17db1685 |