Analysis Overview
SHA256
3707c8a58df3211d8536478def2744fad477c58555eb42eb58a710b7d85036b8
Threat Level: Known bad
The file Backdoor.Win32.Berbew.pz-3707c8a58df3211d8536478def2744fad477c58555eb42eb58a710b7d85036b8N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 10:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 10:41
Reported
2024-09-16 10:43
Platform
win7-20240903-en
Max time kernel
85s
Max time network
16s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhfmbq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kikokf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkkhmadd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mhkhgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nlbgkgcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ogjhnp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Haleefoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipkema32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kobkbaac.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfopdk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mbginomj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhadgakg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhadgakg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mbginomj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nlbgkgcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhnemdbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfhmehji.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgdiho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kfopdk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mbopon32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkkhmadd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nmhqokcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nddeae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Heedqe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jngkdj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jcgqbq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnlepioj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfjfik32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgdiho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kfaljjdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ladpagin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Injlkf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfjjkhhg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfjjkhhg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcgqbq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mfebdm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nahfkigd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhmpbc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nhnemdbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kobkbaac.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lbjjekhl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mlpngd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Heedqe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Haleefoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Injlkf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jdogldmo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnlepioj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mfebdm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mblcin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhkhgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nddeae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogjhnp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohkdfhge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ohkdfhge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Holldk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Igngim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mlpngd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nifgekbm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Laackgka.exe | N/A |
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Kobkbaac.exe | C:\Windows\SysWOW64\Kfjfik32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lajmkhai.exe | C:\Windows\SysWOW64\Kfaljjdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Laackgka.exe | C:\Windows\SysWOW64\Lbjjekhl.exe | N/A |
| File created | C:\Windows\SysWOW64\Haleefoe.exe | C:\Windows\SysWOW64\Heedqe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Haleefoe.exe | C:\Windows\SysWOW64\Heedqe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhfmbq32.exe | C:\Windows\SysWOW64\Haleefoe.exe | N/A |
| File created | C:\Windows\SysWOW64\Cadbgifg.dll | C:\Windows\SysWOW64\Jobocn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhmpbc32.exe | C:\Windows\SysWOW64\Jngkdj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mblcin32.exe | C:\Windows\SysWOW64\Mfebdm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nahfkigd.exe | C:\Windows\SysWOW64\Nddeae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Blagna32.dll | C:\Windows\SysWOW64\Ogjhnp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffffpb32.dll | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ipfkabpg.exe | C:\Windows\SysWOW64\Igngim32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ladpagin.exe | C:\Windows\SysWOW64\Laackgka.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlnjkhha.dll | C:\Windows\SysWOW64\Nifgekbm.exe | N/A |
| File created | C:\Windows\SysWOW64\Liakodpp.dll | C:\Windows\SysWOW64\Holldk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Injlkf32.exe | C:\Windows\SysWOW64\Ipfkabpg.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpdopknp.dll | C:\Windows\SysWOW64\Injlkf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnglef32.dll | C:\Windows\SysWOW64\Jngkdj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njljfe32.dll | C:\Windows\SysWOW64\Mhkhgd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Heedqe32.exe | C:\Windows\SysWOW64\Holldk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Efcjij32.dll | C:\Windows\SysWOW64\Kfjfik32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lajmkhai.exe | C:\Windows\SysWOW64\Kfaljjdj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mfebdm32.exe | C:\Windows\SysWOW64\Mlpngd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifdeao32.dll | C:\Windows\SysWOW64\Jfjjkhhg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lbjjekhl.exe | C:\Windows\SysWOW64\Lajmkhai.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kfjfik32.exe | C:\Windows\SysWOW64\Kgdiho32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mlpngd32.exe | C:\Windows\SysWOW64\Mbginomj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nlbgkgcc.exe | C:\Windows\SysWOW64\Nahfkigd.exe | N/A |
| File created | C:\Windows\SysWOW64\Nifgekbm.exe | C:\Windows\SysWOW64\Nlbgkgcc.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjchollj.dll | C:\Windows\SysWOW64\Lajmkhai.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohomgb32.dll | C:\Windows\SysWOW64\Jdogldmo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mbginomj.exe | C:\Windows\SysWOW64\Mfqiingf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipkema32.exe | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kebiiiec.dll | C:\Windows\SysWOW64\Jnlepioj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhflco32.dll | C:\Windows\SysWOW64\Lbjjekhl.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfknaf32.dll | C:\Windows\SysWOW64\Nddeae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogjhnp32.exe | C:\Windows\SysWOW64\Nifgekbm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Opblgehg.exe | C:\Windows\SysWOW64\Ohkdfhge.exe | N/A |
| File created | C:\Windows\SysWOW64\Eljgid32.dll | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njlacdcc.dll | C:\Windows\SysWOW64\Kgdiho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjchkfnl.dll | C:\Windows\SysWOW64\Jhmpbc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Igngim32.exe | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gagmjgmm.dll | C:\Windows\SysWOW64\Igngim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jobocn32.exe | C:\Windows\SysWOW64\Jfjjkhhg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jdogldmo.exe | C:\Windows\SysWOW64\Jobocn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Najgacfg.dll | C:\Windows\SysWOW64\Jjnlikic.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nhnemdbf.exe | C:\Windows\SysWOW64\Nmhqokcq.exe | N/A |
| File created | C:\Windows\SysWOW64\Cckcjpkg.dll | C:\Windows\SysWOW64\Hhfmbq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhkhgd32.exe | C:\Windows\SysWOW64\Mbopon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iaaoqf32.exe | C:\Windows\SysWOW64\Iaobkf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfjjkhhg.exe | C:\Windows\SysWOW64\Jfhmehji.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcgqbq32.exe | C:\Windows\SysWOW64\Jjnlikic.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kfopdk32.exe | C:\Windows\SysWOW64\Kikokf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mbopon32.exe | C:\Windows\SysWOW64\Mblcin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkbafe32.dll | C:\Windows\SysWOW64\Mbopon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhnemdbf.exe | C:\Windows\SysWOW64\Nmhqokcq.exe | N/A |
| File created | C:\Windows\SysWOW64\Igngim32.exe | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipfkabpg.exe | C:\Windows\SysWOW64\Igngim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpclfokl.dll | C:\Windows\SysWOW64\Ipfkabpg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfjjkhhg.exe | C:\Windows\SysWOW64\Jfhmehji.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jngkdj32.exe | C:\Windows\SysWOW64\Jdogldmo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkkhmadd.exe | C:\Windows\SysWOW64\Kfopdk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iaaoqf32.exe | C:\Windows\SysWOW64\Iaobkf32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Opblgehg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kikokf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkkhmadd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfebdm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nddeae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ladpagin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mblcin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ipkema32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jdogldmo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jngkdj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kobkbaac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lajmkhai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hhadgakg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Haleefoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iaobkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jobocn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nahfkigd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hhfmbq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhmpbc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Laackgka.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhkhgd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nhnemdbf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ipfkabpg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfhmehji.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlpngd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nifgekbm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogjhnp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohkdfhge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jcgqbq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfqiingf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mbginomj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opblgehg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kgdiho32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfjjkhhg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfopdk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mbopon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjnlikic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfaljjdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbjjekhl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlbgkgcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Holldk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Injlkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Heedqe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfjfik32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Igngim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnlepioj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmhqokcq.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpnjfa32.dll" | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagmjgmm.dll" | C:\Windows\SysWOW64\Igngim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mbginomj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nmhqokcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbaljk32.dll" | C:\Windows\SysWOW64\Nhnemdbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mfebdm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nddeae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ogjhnp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmmhm.dll" | C:\Windows\SysWOW64\Hhadgakg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kikokf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmcdhob.dll" | C:\Windows\SysWOW64\Ladpagin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ladpagin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jcgqbq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgdiho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooohcdo.dll" | C:\Windows\SysWOW64\Heedqe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljgid32.dll" | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacmfp32.dll" | C:\Windows\SysWOW64\Ipkema32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Injlkf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jobocn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jjnlikic.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchollj.dll" | C:\Windows\SysWOW64\Lajmkhai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjkhha.dll" | C:\Windows\SysWOW64\Nifgekbm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdbbjll.dll" | C:\Windows\SysWOW64\Iaobkf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdogldmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jnlepioj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbdnonc.dll" | C:\Windows\SysWOW64\Kfopdk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mhkhgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nddeae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Injlkf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ipkema32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdeao32.dll" | C:\Windows\SysWOW64\Jfjjkhhg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgacfg.dll" | C:\Windows\SysWOW64\Jjnlikic.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jnlepioj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkkhmadd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lajmkhai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbmjldj.dll" | C:\Windows\SysWOW64\Nahfkigd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ohkdfhge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iaobkf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ipfkabpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kgdiho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbafe32.dll" | C:\Windows\SysWOW64\Mbopon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mbopon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ohkdfhge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll" | C:\Windows\SysWOW64\Nmhqokcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iaaoqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ieeqpi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ipkema32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll" | C:\Windows\SysWOW64\Mlpngd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhfmbq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadbgifg.dll" | C:\Windows\SysWOW64\Jobocn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jcgqbq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kobkbaac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kfopdk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Haleefoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mfqiingf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nlbgkgcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nlbgkgcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaamhjgm.dll" | C:\Windows\SysWOW64\Kobkbaac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" | C:\Windows\SysWOW64\Kfaljjdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lbjjekhl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll" | C:\Windows\SysWOW64\Mhkhgd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
C:\Windows\SysWOW64\Hhadgakg.exe
C:\Windows\system32\Hhadgakg.exe
C:\Windows\SysWOW64\Holldk32.exe
C:\Windows\system32\Holldk32.exe
C:\Windows\SysWOW64\Heedqe32.exe
C:\Windows\system32\Heedqe32.exe
C:\Windows\SysWOW64\Haleefoe.exe
C:\Windows\system32\Haleefoe.exe
C:\Windows\SysWOW64\Hhfmbq32.exe
C:\Windows\system32\Hhfmbq32.exe
C:\Windows\SysWOW64\Iaobkf32.exe
C:\Windows\system32\Iaobkf32.exe
C:\Windows\SysWOW64\Iaaoqf32.exe
C:\Windows\system32\Iaaoqf32.exe
C:\Windows\SysWOW64\Igngim32.exe
C:\Windows\system32\Igngim32.exe
C:\Windows\SysWOW64\Ipfkabpg.exe
C:\Windows\system32\Ipfkabpg.exe
C:\Windows\SysWOW64\Injlkf32.exe
C:\Windows\system32\Injlkf32.exe
C:\Windows\SysWOW64\Ieeqpi32.exe
C:\Windows\system32\Ieeqpi32.exe
C:\Windows\SysWOW64\Ipkema32.exe
C:\Windows\system32\Ipkema32.exe
C:\Windows\SysWOW64\Jfhmehji.exe
C:\Windows\system32\Jfhmehji.exe
C:\Windows\SysWOW64\Jfjjkhhg.exe
C:\Windows\system32\Jfjjkhhg.exe
C:\Windows\SysWOW64\Jobocn32.exe
C:\Windows\system32\Jobocn32.exe
C:\Windows\SysWOW64\Jdogldmo.exe
C:\Windows\system32\Jdogldmo.exe
C:\Windows\SysWOW64\Jngkdj32.exe
C:\Windows\system32\Jngkdj32.exe
C:\Windows\SysWOW64\Jhmpbc32.exe
C:\Windows\system32\Jhmpbc32.exe
C:\Windows\SysWOW64\Jjnlikic.exe
C:\Windows\system32\Jjnlikic.exe
C:\Windows\SysWOW64\Jcgqbq32.exe
C:\Windows\system32\Jcgqbq32.exe
C:\Windows\SysWOW64\Jnlepioj.exe
C:\Windows\system32\Jnlepioj.exe
C:\Windows\SysWOW64\Kgdiho32.exe
C:\Windows\system32\Kgdiho32.exe
C:\Windows\SysWOW64\Kfjfik32.exe
C:\Windows\system32\Kfjfik32.exe
C:\Windows\SysWOW64\Kobkbaac.exe
C:\Windows\system32\Kobkbaac.exe
C:\Windows\SysWOW64\Kikokf32.exe
C:\Windows\system32\Kikokf32.exe
C:\Windows\SysWOW64\Kfopdk32.exe
C:\Windows\system32\Kfopdk32.exe
C:\Windows\SysWOW64\Kkkhmadd.exe
C:\Windows\system32\Kkkhmadd.exe
C:\Windows\SysWOW64\Kfaljjdj.exe
C:\Windows\system32\Kfaljjdj.exe
C:\Windows\SysWOW64\Lajmkhai.exe
C:\Windows\system32\Lajmkhai.exe
C:\Windows\SysWOW64\Lbjjekhl.exe
C:\Windows\system32\Lbjjekhl.exe
C:\Windows\SysWOW64\Laackgka.exe
C:\Windows\system32\Laackgka.exe
C:\Windows\SysWOW64\Ladpagin.exe
C:\Windows\system32\Ladpagin.exe
C:\Windows\SysWOW64\Mfqiingf.exe
C:\Windows\system32\Mfqiingf.exe
C:\Windows\SysWOW64\Mbginomj.exe
C:\Windows\system32\Mbginomj.exe
C:\Windows\SysWOW64\Mlpngd32.exe
C:\Windows\system32\Mlpngd32.exe
C:\Windows\SysWOW64\Mfebdm32.exe
C:\Windows\system32\Mfebdm32.exe
C:\Windows\SysWOW64\Mblcin32.exe
C:\Windows\system32\Mblcin32.exe
C:\Windows\SysWOW64\Mbopon32.exe
C:\Windows\system32\Mbopon32.exe
C:\Windows\SysWOW64\Mhkhgd32.exe
C:\Windows\system32\Mhkhgd32.exe
C:\Windows\SysWOW64\Nmhqokcq.exe
C:\Windows\system32\Nmhqokcq.exe
C:\Windows\SysWOW64\Nhnemdbf.exe
C:\Windows\system32\Nhnemdbf.exe
C:\Windows\SysWOW64\Nddeae32.exe
C:\Windows\system32\Nddeae32.exe
C:\Windows\SysWOW64\Nahfkigd.exe
C:\Windows\system32\Nahfkigd.exe
C:\Windows\SysWOW64\Nlbgkgcc.exe
C:\Windows\system32\Nlbgkgcc.exe
C:\Windows\SysWOW64\Nifgekbm.exe
C:\Windows\system32\Nifgekbm.exe
C:\Windows\SysWOW64\Ogjhnp32.exe
C:\Windows\system32\Ogjhnp32.exe
C:\Windows\SysWOW64\Ohkdfhge.exe
C:\Windows\system32\Ohkdfhge.exe
C:\Windows\SysWOW64\Opblgehg.exe
C:\Windows\system32\Opblgehg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 140
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-16 10:41
Reported
2024-09-16 10:43
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ikpaldog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgkjhe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfjjppmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qmkadgpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieolehop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jblpek32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbhoqj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mplhql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojllan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldleel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olcbmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmppcbjd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lbmhlihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmgfda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ipdqba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Liimncmf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kpjcdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pnonbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gicinj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hfifmnij.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iicbehnq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kefkme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibjjhn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocnjidkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pggbkagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiefcj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hbeqmoji.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hflcbngh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pqmjog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcncpbmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iblfnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afjlnk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Opakbi32.exe | N/A |
Berbew
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Gebgohck.dll | C:\Windows\SysWOW64\Kdgljmcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnneknob.exe | C:\Windows\SysWOW64\Njciko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hmjdjgjo.exe | C:\Windows\SysWOW64\Hbeqmoji.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Opakbi32.exe | C:\Windows\SysWOW64\Oncofm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qoecnk32.dll | C:\Windows\SysWOW64\Kiidgeki.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncdgcf32.exe | C:\Windows\SysWOW64\Nljofl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciopbjik.dll | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpjcdn32.exe | C:\Windows\SysWOW64\Kfankifm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kefkme32.exe | C:\Windows\SysWOW64\Kbhoqj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Keajjc32.dll | C:\Windows\SysWOW64\Hmjdjgjo.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfoiokfb.exe | C:\Windows\SysWOW64\Icplcpgo.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlnnmb32.exe | C:\Windows\SysWOW64\Jmknaell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mdckfk32.exe | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Olcbmj32.exe | C:\Windows\SysWOW64\Nnqbanmo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ognpebpj.exe | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjhgngj.exe | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agjhgngj.exe | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hbeqmoji.exe | C:\Windows\SysWOW64\Hofdacke.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceehho32.exe | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hflcbngh.exe | C:\Windows\SysWOW64\Hkfoeega.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbjiol32.dll | C:\Windows\SysWOW64\Megdccmb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngmgne32.exe | C:\Windows\SysWOW64\Ndokbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Knfoif32.dll | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bclhhnca.exe | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gicinj32.exe | C:\Windows\SysWOW64\Gfembo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ikbnacmd.exe | C:\Windows\SysWOW64\Iicbehnq.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikbnacmd.exe | C:\Windows\SysWOW64\Iicbehnq.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhaomhld.dll | C:\Windows\SysWOW64\Kpbmco32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kimnbd32.exe | C:\Windows\SysWOW64\Kfoafi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfkaag32.exe | C:\Windows\SysWOW64\Ldleel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnlden32.dll | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgqeappe.exe | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Delnin32.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkfoeega.exe | C:\Windows\SysWOW64\Hmcojh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfmajipb.exe | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Djdmffnn.exe | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjqkei32.dll | C:\Windows\SysWOW64\Ikbnacmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Memcpg32.dll | C:\Windows\SysWOW64\Jidklf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndokbi32.exe | C:\Windows\SysWOW64\Mnebeogl.exe | N/A |
| File created | C:\Windows\SysWOW64\Eiojlkkj.dll | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iphcjp32.dll | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Maickled.dll | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jiopcppf.dll | C:\Windows\SysWOW64\Jbeidl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbaipkbi.exe | C:\Windows\SysWOW64\Kpbmco32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnjlpo32.exe | C:\Windows\SysWOW64\Njnpppkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nfjjppmm.exe | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| File created | C:\Windows\SysWOW64\Laqpgflj.dll | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmmmebhb.dll | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihidlk32.dll | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbpbca32.dll | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcgbco32.exe | C:\Windows\SysWOW64\Jmmjgejj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ognpebpj.exe | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ageolo32.exe | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| File created | C:\Windows\SysWOW64\Oflgep32.exe | C:\Windows\SysWOW64\Ogifjcdp.exe | N/A |
| File created | C:\Windows\SysWOW64\Deeiam32.dll | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ickchq32.exe | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmijbcpl.exe | C:\Windows\SysWOW64\Kimnbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kiljkifg.dll | C:\Windows\SysWOW64\Mlcifmbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Nloiakho.exe | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| File created | C:\Windows\SysWOW64\Lqnjfo32.dll | C:\Windows\SysWOW64\Qmkadgpo.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kimnbd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lfkaag32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hofdacke.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlnnmb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hbeqmoji.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lmgfda32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfoiokfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jidklf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgfqmfde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nljofl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndhmhh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbhoqj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Llcpoo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oncofm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gfembo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbhfjljd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gicinj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pncgmkmj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hkfoeega.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmfmmcbo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nloiakho.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jefbfgig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Megdccmb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acqimo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Icplcpgo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbmhlihl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Himldi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iicbehnq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jedeph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogifjcdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnfdcjkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbeidl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ocgmpccl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lmppcbjd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Menjdbgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnonbk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hmfkoh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kefkme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbaipkbi.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmfkoh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iihkpg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll" | C:\Windows\SysWOW64\Icplcpgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" | C:\Windows\SysWOW64\Kplpjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pcncpbmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbaipkbi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll" | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoncahj.dll" | C:\Windows\SysWOW64\Hmfkoh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jlednamo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lfkaag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnlaml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiefcj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hcdmga32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iblfnn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laffdj32.dll" | C:\Windows\SysWOW64\Himldi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll" | C:\Windows\SysWOW64\Menjdbgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ipdqba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pqdqof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll" | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbcdnbb.dll" | C:\Windows\SysWOW64\Gfembo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnpbjmi.dll" | C:\Windows\SysWOW64\Hcdmga32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iihkpg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll" | C:\Windows\SysWOW64\Jedeph32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kpbmco32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll" | C:\Windows\SysWOW64\Olcbmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll" | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll" | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mnebeogl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll" | C:\Windows\SysWOW64\Kfoafi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldoaklml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll" | C:\Windows\SysWOW64\Nfjjppmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pncgmkmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lfkaag32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajckij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Himldi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll" | C:\Windows\SysWOW64\Hofdacke.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kimnbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll" | C:\Windows\SysWOW64\Lmgfda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll" | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe" |
| C:\Windows\SysWOW64\Gfembo32.exe | C:\Windows\system32\Gfembo32.exe |
| C:\Windows\SysWOW64\Gicinj32.exe | C:\Windows\system32\Gicinj32.exe |
| C:\Windows\SysWOW64\Gmoeoidl.exe | C:\Windows\system32\Gmoeoidl.exe |
| C:\Windows\SysWOW64\Gomakdcp.exe | C:\Windows\system32\Gomakdcp.exe |
| C:\Windows\SysWOW64\Gfgjgo32.exe | C:\Windows\system32\Gfgjgo32.exe |
| C:\Windows\SysWOW64\Hiefcj32.exe | C:\Windows\system32\Hiefcj32.exe |
| C:\Windows\SysWOW64\Hopnqdan.exe | C:\Windows\system32\Hopnqdan.exe |
| C:\Windows\SysWOW64\Hfifmnij.exe | C:\Windows\system32\Hfifmnij.exe |
| C:\Windows\SysWOW64\Hmcojh32.exe | C:\Windows\system32\Hmcojh32.exe |
| C:\Windows\SysWOW64\Hkfoeega.exe | C:\Windows\system32\Hkfoeega.exe |
| C:\Windows\SysWOW64\Hflcbngh.exe | C:\Windows\system32\Hflcbngh.exe |
| C:\Windows\SysWOW64\Hijooifk.exe | C:\Windows\system32\Hijooifk.exe |
| C:\Windows\SysWOW64\Hmfkoh32.exe | C:\Windows\system32\Hmfkoh32.exe |
| C:\Windows\SysWOW64\Himldi32.exe | C:\Windows\system32\Himldi32.exe |
| C:\Windows\SysWOW64\Hofdacke.exe | C:\Windows\system32\Hofdacke.exe |
| C:\Windows\SysWOW64\Hbeqmoji.exe | C:\Windows\system32\Hbeqmoji.exe |
| C:\Windows\SysWOW64\Hmjdjgjo.exe | C:\Windows\system32\Hmjdjgjo.exe |
| C:\Windows\SysWOW64\Hcdmga32.exe | C:\Windows\system32\Hcdmga32.exe |
| C:\Windows\SysWOW64\Iefioj32.exe | C:\Windows\system32\Iefioj32.exe |
| C:\Windows\SysWOW64\Ikpaldog.exe | C:\Windows\system32\Ikpaldog.exe |
| C:\Windows\SysWOW64\Ibjjhn32.exe | C:\Windows\system32\Ibjjhn32.exe |
| C:\Windows\SysWOW64\Iicbehnq.exe | C:\Windows\system32\Iicbehnq.exe |
| C:\Windows\SysWOW64\Ikbnacmd.exe | C:\Windows\system32\Ikbnacmd.exe |
| C:\Windows\SysWOW64\Iblfnn32.exe | C:\Windows\system32\Iblfnn32.exe |
| C:\Windows\SysWOW64\Iejcji32.exe | C:\Windows\system32\Iejcji32.exe |
| C:\Windows\SysWOW64\Ildkgc32.exe | C:\Windows\system32\Ildkgc32.exe |
| C:\Windows\SysWOW64\Ickchq32.exe | C:\Windows\system32\Ickchq32.exe |
| C:\Windows\SysWOW64\Ifjodl32.exe | C:\Windows\system32\Ifjodl32.exe |
| C:\Windows\SysWOW64\Iihkpg32.exe | C:\Windows\system32\Iihkpg32.exe |
| C:\Windows\SysWOW64\Ipbdmaah.exe | C:\Windows\system32\Ipbdmaah.exe |
| C:\Windows\SysWOW64\Ieolehop.exe | C:\Windows\system32\Ieolehop.exe |
| C:\Windows\SysWOW64\Ipdqba32.exe | C:\Windows\system32\Ipdqba32.exe |
| C:\Windows\SysWOW64\Icplcpgo.exe | C:\Windows\system32\Icplcpgo.exe |
| C:\Windows\SysWOW64\Jfoiokfb.exe | C:\Windows\system32\Jfoiokfb.exe |
| C:\Windows\SysWOW64\Jmhale32.exe | C:\Windows\system32\Jmhale32.exe |
| C:\Windows\SysWOW64\Jbeidl32.exe | C:\Windows\system32\Jbeidl32.exe |
| C:\Windows\SysWOW64\Jedeph32.exe | C:\Windows\system32\Jedeph32.exe |
| C:\Windows\SysWOW64\Jmknaell.exe | C:\Windows\system32\Jmknaell.exe |
| C:\Windows\SysWOW64\Jlnnmb32.exe | C:\Windows\system32\Jlnnmb32.exe |
| C:\Windows\SysWOW64\Jbhfjljd.exe | C:\Windows\system32\Jbhfjljd.exe |
| C:\Windows\SysWOW64\Jefbfgig.exe | C:\Windows\system32\Jefbfgig.exe |
| C:\Windows\SysWOW64\Jmmjgejj.exe | C:\Windows\system32\Jmmjgejj.exe |
| C:\Windows\SysWOW64\Jcgbco32.exe | C:\Windows\system32\Jcgbco32.exe |
| C:\Windows\SysWOW64\Jfeopj32.exe | C:\Windows\system32\Jfeopj32.exe |
| C:\Windows\SysWOW64\Jidklf32.exe | C:\Windows\system32\Jidklf32.exe |
| C:\Windows\SysWOW64\Jlbgha32.exe | C:\Windows\system32\Jlbgha32.exe |
| C:\Windows\SysWOW64\Jblpek32.exe | C:\Windows\system32\Jblpek32.exe |
| C:\Windows\SysWOW64\Jeklag32.exe | C:\Windows\system32\Jeklag32.exe |
| C:\Windows\SysWOW64\Jlednamo.exe | C:\Windows\system32\Jlednamo.exe |
| C:\Windows\SysWOW64\Jcllonma.exe | C:\Windows\system32\Jcllonma.exe |
| C:\Windows\SysWOW64\Kboljk32.exe | C:\Windows\system32\Kboljk32.exe |
| C:\Windows\SysWOW64\Kiidgeki.exe | C:\Windows\system32\Kiidgeki.exe |
| C:\Windows\SysWOW64\Kpbmco32.exe | C:\Windows\system32\Kpbmco32.exe |
| C:\Windows\SysWOW64\Kbaipkbi.exe | C:\Windows\system32\Kbaipkbi.exe |
| C:\Windows\SysWOW64\Kikame32.exe | C:\Windows\system32\Kikame32.exe |
| C:\Windows\SysWOW64\Kmfmmcbo.exe | C:\Windows\system32\Kmfmmcbo.exe |
| C:\Windows\SysWOW64\Kbceejpf.exe | C:\Windows\system32\Kbceejpf.exe |
| C:\Windows\SysWOW64\Kfoafi32.exe | C:\Windows\system32\Kfoafi32.exe |
| C:\Windows\SysWOW64\Kimnbd32.exe | C:\Windows\system32\Kimnbd32.exe |
| C:\Windows\SysWOW64\Kmijbcpl.exe | C:\Windows\system32\Kmijbcpl.exe |
| C:\Windows\SysWOW64\Kfankifm.exe | C:\Windows\system32\Kfankifm.exe |
| C:\Windows\SysWOW64\Kpjcdn32.exe | C:\Windows\system32\Kpjcdn32.exe |
| C:\Windows\SysWOW64\Kbhoqj32.exe | C:\Windows\system32\Kbhoqj32.exe |
| C:\Windows\SysWOW64\Kefkme32.exe | C:\Windows\system32\Kefkme32.exe |
| C:\Windows\SysWOW64\Kplpjn32.exe | C:\Windows\system32\Kplpjn32.exe |
| C:\Windows\SysWOW64\Kdgljmcd.exe | C:\Windows\system32\Kdgljmcd.exe |
| C:\Windows\SysWOW64\Lmppcbjd.exe | C:\Windows\system32\Lmppcbjd.exe |
| C:\Windows\SysWOW64\Llcpoo32.exe | C:\Windows\system32\Llcpoo32.exe |
| C:\Windows\SysWOW64\Lbmhlihl.exe | C:\Windows\system32\Lbmhlihl.exe |
| C:\Windows\SysWOW64\Ligqhc32.exe | C:\Windows\system32\Ligqhc32.exe |
| C:\Windows\SysWOW64\Lmbmibhb.exe | C:\Windows\system32\Lmbmibhb.exe |
| C:\Windows\SysWOW64\Ldleel32.exe | C:\Windows\system32\Ldleel32.exe |
| C:\Windows\SysWOW64\Lfkaag32.exe | C:\Windows\system32\Lfkaag32.exe |
| C:\Windows\SysWOW64\Liimncmf.exe | C:\Windows\system32\Liimncmf.exe |
| C:\Windows\SysWOW64\Ldoaklml.exe | C:\Windows\system32\Ldoaklml.exe |
| C:\Windows\SysWOW64\Lgmngglp.exe | C:\Windows\system32\Lgmngglp.exe |
| C:\Windows\SysWOW64\Lmgfda32.exe | C:\Windows\system32\Lmgfda32.exe |
| C:\Windows\SysWOW64\Ldanqkki.exe | C:\Windows\system32\Ldanqkki.exe |
| C:\Windows\SysWOW64\Lgokmgjm.exe | C:\Windows\system32\Lgokmgjm.exe |
| C:\Windows\SysWOW64\Lllcen32.exe | C:\Windows\system32\Lllcen32.exe |
| C:\Windows\SysWOW64\Mdckfk32.exe | C:\Windows\system32\Mdckfk32.exe |
| C:\Windows\SysWOW64\Medgncoe.exe | C:\Windows\system32\Medgncoe.exe |
| C:\Windows\SysWOW64\Mmlpoqpg.exe | C:\Windows\system32\Mmlpoqpg.exe |
| C:\Windows\SysWOW64\Mgddhf32.exe | C:\Windows\system32\Mgddhf32.exe |
| C:\Windows\SysWOW64\Megdccmb.exe | C:\Windows\system32\Megdccmb.exe |
| C:\Windows\SysWOW64\Mplhql32.exe | C:\Windows\system32\Mplhql32.exe |
| C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\system32\Mckemg32.exe |
| C:\Windows\SysWOW64\Mgfqmfde.exe | C:\Windows\system32\Mgfqmfde.exe |
| C:\Windows\SysWOW64\Mlcifmbl.exe | C:\Windows\system32\Mlcifmbl.exe |
| C:\Windows\SysWOW64\Mdjagjco.exe | C:\Windows\system32\Mdjagjco.exe |
| C:\Windows\SysWOW64\Mgimcebb.exe | C:\Windows\system32\Mgimcebb.exe |
| C:\Windows\SysWOW64\Melnob32.exe | C:\Windows\system32\Melnob32.exe |
| C:\Windows\SysWOW64\Mlefklpj.exe | C:\Windows\system32\Mlefklpj.exe |
| C:\Windows\SysWOW64\Mdmnlj32.exe | C:\Windows\system32\Mdmnlj32.exe |
| C:\Windows\SysWOW64\Mgkjhe32.exe | C:\Windows\system32\Mgkjhe32.exe |
| C:\Windows\SysWOW64\Menjdbgj.exe | C:\Windows\system32\Menjdbgj.exe |
| C:\Windows\SysWOW64\Mnebeogl.exe | C:\Windows\system32\Mnebeogl.exe |
| C:\Windows\SysWOW64\Ndokbi32.exe | C:\Windows\system32\Ndokbi32.exe |
| C:\Windows\SysWOW64\Ngmgne32.exe | C:\Windows\system32\Ngmgne32.exe |
| C:\Windows\SysWOW64\Nilcjp32.exe | C:\Windows\system32\Nilcjp32.exe |
| C:\Windows\SysWOW64\Nljofl32.exe | C:\Windows\system32\Nljofl32.exe |
| C:\Windows\SysWOW64\Ncdgcf32.exe | C:\Windows\system32\Ncdgcf32.exe |
| C:\Windows\SysWOW64\Njnpppkn.exe | C:\Windows\system32\Njnpppkn.exe |
| C:\Windows\SysWOW64\Nnjlpo32.exe | C:\Windows\system32\Nnjlpo32.exe |
| C:\Windows\SysWOW64\Nphhmj32.exe | C:\Windows\system32\Nphhmj32.exe |
| C:\Windows\SysWOW64\Ngbpidjh.exe | C:\Windows\system32\Ngbpidjh.exe |
| C:\Windows\SysWOW64\Njqmepik.exe | C:\Windows\system32\Njqmepik.exe |
| C:\Windows\SysWOW64\Nloiakho.exe | C:\Windows\system32\Nloiakho.exe |
| C:\Windows\SysWOW64\Ndfqbhia.exe | C:\Windows\system32\Ndfqbhia.exe |
| C:\Windows\SysWOW64\Ngdmod32.exe | C:\Windows\system32\Ngdmod32.exe |
| C:\Windows\SysWOW64\Njciko32.exe | C:\Windows\system32\Njciko32.exe |
| C:\Windows\SysWOW64\Nnneknob.exe | C:\Windows\system32\Nnneknob.exe |
| C:\Windows\SysWOW64\Npmagine.exe | C:\Windows\system32\Npmagine.exe |
| C:\Windows\SysWOW64\Ndhmhh32.exe | C:\Windows\system32\Ndhmhh32.exe |
| C:\Windows\SysWOW64\Nckndeni.exe | C:\Windows\system32\Nckndeni.exe |
| C:\Windows\SysWOW64\Nfjjppmm.exe | C:\Windows\system32\Nfjjppmm.exe |
| C:\Windows\SysWOW64\Nnqbanmo.exe | C:\Windows\system32\Nnqbanmo.exe |
| C:\Windows\SysWOW64\Olcbmj32.exe | C:\Windows\system32\Olcbmj32.exe |
| C:\Windows\SysWOW64\Ocnjidkf.exe | C:\Windows\system32\Ocnjidkf.exe |
| C:\Windows\SysWOW64\Ogifjcdp.exe | C:\Windows\system32\Ogifjcdp.exe |
| C:\Windows\SysWOW64\Oflgep32.exe | C:\Windows\system32\Oflgep32.exe |
| C:\Windows\SysWOW64\Oncofm32.exe | C:\Windows\system32\Oncofm32.exe |
| C:\Windows\SysWOW64\Opakbi32.exe | C:\Windows\system32\Opakbi32.exe |
| C:\Windows\SysWOW64\Oneklm32.exe | C:\Windows\system32\Oneklm32.exe |
| C:\Windows\SysWOW64\Ognpebpj.exe | C:\Windows\system32\Ognpebpj.exe |
| C:\Windows\SysWOW64\Ojllan32.exe | C:\Windows\system32\Ojllan32.exe |
| C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\system32\Ofcmfodb.exe |
| C:\Windows\SysWOW64\Ocgmpccl.exe | C:\Windows\system32\Ocgmpccl.exe |
| C:\Windows\SysWOW64\Ofeilobp.exe | C:\Windows\system32\Ofeilobp.exe |
| C:\Windows\SysWOW64\Pnlaml32.exe | C:\Windows\system32\Pnlaml32.exe |
| C:\Windows\SysWOW64\Pdfjifjo.exe | C:\Windows\system32\Pdfjifjo.exe |
| C:\Windows\SysWOW64\Pcijeb32.exe | C:\Windows\system32\Pcijeb32.exe |
| C:\Windows\SysWOW64\Pgefeajb.exe | C:\Windows\system32\Pgefeajb.exe |
| C:\Windows\SysWOW64\Pnonbk32.exe | C:\Windows\system32\Pnonbk32.exe |
| C:\Windows\SysWOW64\Pqmjog32.exe | C:\Windows\system32\Pqmjog32.exe |
| C:\Windows\SysWOW64\Pggbkagp.exe | C:\Windows\system32\Pggbkagp.exe |
| C:\Windows\SysWOW64\Pjeoglgc.exe | C:\Windows\system32\Pjeoglgc.exe |
| C:\Windows\SysWOW64\Pmdkch32.exe | C:\Windows\system32\Pmdkch32.exe |
| C:\Windows\SysWOW64\Pcncpbmd.exe | C:\Windows\system32\Pcncpbmd.exe |
| C:\Windows\SysWOW64\Pgioqq32.exe | C:\Windows\system32\Pgioqq32.exe |
| C:\Windows\SysWOW64\Pncgmkmj.exe | C:\Windows\system32\Pncgmkmj.exe |
| C:\Windows\SysWOW64\Pmfhig32.exe | C:\Windows\system32\Pmfhig32.exe |
| C:\Windows\SysWOW64\Pdmpje32.exe | C:\Windows\system32\Pdmpje32.exe |
| C:\Windows\SysWOW64\Pfolbmje.exe | C:\Windows\system32\Pfolbmje.exe |
| C:\Windows\SysWOW64\Pnfdcjkg.exe | C:\Windows\system32\Pnfdcjkg.exe |
| C:\Windows\SysWOW64\Pqdqof32.exe | C:\Windows\system32\Pqdqof32.exe |
| C:\Windows\SysWOW64\Pcbmka32.exe | C:\Windows\system32\Pcbmka32.exe |
| C:\Windows\SysWOW64\Pjmehkqk.exe | C:\Windows\system32\Pjmehkqk.exe |
| C:\Windows\SysWOW64\Qmkadgpo.exe | C:\Windows\system32\Qmkadgpo.exe |
| C:\Windows\SysWOW64\Qqfmde32.exe | C:\Windows\system32\Qqfmde32.exe |
| C:\Windows\SysWOW64\Qgqeappe.exe | C:\Windows\system32\Qgqeappe.exe |
| C:\Windows\SysWOW64\Qfcfml32.exe | C:\Windows\system32\Qfcfml32.exe |
| C:\Windows\SysWOW64\Qnjnnj32.exe | C:\Windows\system32\Qnjnnj32.exe |
| C:\Windows\SysWOW64\Qddfkd32.exe | C:\Windows\system32\Qddfkd32.exe |
| C:\Windows\SysWOW64\Qgcbgo32.exe | C:\Windows\system32\Qgcbgo32.exe |
| C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\system32\Ajanck32.exe |
| C:\Windows\SysWOW64\Aqkgpedc.exe | C:\Windows\system32\Aqkgpedc.exe |
| C:\Windows\SysWOW64\Acjclpcf.exe | C:\Windows\system32\Acjclpcf.exe |
| C:\Windows\SysWOW64\Ageolo32.exe | C:\Windows\system32\Ageolo32.exe |
| C:\Windows\SysWOW64\Ajckij32.exe | C:\Windows\system32\Ajckij32.exe |
| C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\system32\Ambgef32.exe |
| C:\Windows\SysWOW64\Aclpap32.exe | C:\Windows\system32\Aclpap32.exe |
| C:\Windows\SysWOW64\Afjlnk32.exe | C:\Windows\system32\Afjlnk32.exe |
| C:\Windows\SysWOW64\Amddjegd.exe | C:\Windows\system32\Amddjegd.exe |
| C:\Windows\SysWOW64\Aeklkchg.exe | C:\Windows\system32\Aeklkchg.exe |
| C:\Windows\SysWOW64\Agjhgngj.exe | C:\Windows\system32\Agjhgngj.exe |
| C:\Windows\SysWOW64\Ajhddjfn.exe | C:\Windows\system32\Ajhddjfn.exe |
| C:\Windows\SysWOW64\Amgapeea.exe | C:\Windows\system32\Amgapeea.exe |
| C:\Windows\SysWOW64\Acqimo32.exe | C:\Windows\system32\Acqimo32.exe |
| C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\system32\Aglemn32.exe |
| C:\Windows\SysWOW64\Ajkaii32.exe | C:\Windows\system32\Ajkaii32.exe |
| C:\Windows\SysWOW64\Aadifclh.exe | C:\Windows\system32\Aadifclh.exe |
| C:\Windows\SysWOW64\Agoabn32.exe | C:\Windows\system32\Agoabn32.exe |
| C:\Windows\SysWOW64\Bfabnjjp.exe | C:\Windows\system32\Bfabnjjp.exe |
| C:\Windows\SysWOW64\Bnhjohkb.exe | C:\Windows\system32\Bnhjohkb.exe |
| C:\Windows\SysWOW64\Bebblb32.exe | C:\Windows\system32\Bebblb32.exe |
| C:\Windows\SysWOW64\Bganhm32.exe | C:\Windows\system32\Bganhm32.exe |
| C:\Windows\SysWOW64\Bjokdipf.exe | C:\Windows\system32\Bjokdipf.exe |
| C:\Windows\SysWOW64\Bmngqdpj.exe | C:\Windows\system32\Bmngqdpj.exe |
| C:\Windows\SysWOW64\Beeoaapl.exe | C:\Windows\system32\Beeoaapl.exe |
| C:\Windows\SysWOW64\Bgcknmop.exe | C:\Windows\system32\Bgcknmop.exe |
| C:\Windows\SysWOW64\Bjagjhnc.exe | C:\Windows\system32\Bjagjhnc.exe |
| C:\Windows\SysWOW64\Bmpcfdmg.exe | C:\Windows\system32\Bmpcfdmg.exe |
| C:\Windows\SysWOW64\Balpgb32.exe | C:\Windows\system32\Balpgb32.exe |
| C:\Windows\SysWOW64\Bfhhoi32.exe | C:\Windows\system32\Bfhhoi32.exe |
| C:\Windows\SysWOW64\Bjddphlq.exe | C:\Windows\system32\Bjddphlq.exe |
| C:\Windows\SysWOW64\Banllbdn.exe | C:\Windows\system32\Banllbdn.exe |
| C:\Windows\SysWOW64\Bclhhnca.exe | C:\Windows\system32\Bclhhnca.exe |
| C:\Windows\SysWOW64\Bjfaeh32.exe | C:\Windows\system32\Bjfaeh32.exe |
| C:\Windows\SysWOW64\Bmemac32.exe | C:\Windows\system32\Bmemac32.exe |
| C:\Windows\SysWOW64\Belebq32.exe | C:\Windows\system32\Belebq32.exe |
| C:\Windows\SysWOW64\Chjaol32.exe | C:\Windows\system32\Chjaol32.exe |
| C:\Windows\SysWOW64\Cfmajipb.exe | C:\Windows\system32\Cfmajipb.exe |
| C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\system32\Cndikf32.exe |
| C:\Windows\SysWOW64\Cabfga32.exe | C:\Windows\system32\Cabfga32.exe |
| C:\Windows\SysWOW64\Cdabcm32.exe | C:\Windows\system32\Cdabcm32.exe |
| C:\Windows\SysWOW64\Cjkjpgfi.exe | C:\Windows\system32\Cjkjpgfi.exe |
| C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\system32\Caebma32.exe |
| C:\Windows\SysWOW64\Cdcoim32.exe | C:\Windows\system32\Cdcoim32.exe |
| C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\system32\Cjmgfgdf.exe |
| C:\Windows\SysWOW64\Cnicfe32.exe | C:\Windows\system32\Cnicfe32.exe |
| C:\Windows\SysWOW64\Ceckcp32.exe | C:\Windows\system32\Ceckcp32.exe |
| C:\Windows\SysWOW64\Cdfkolkf.exe | C:\Windows\system32\Cdfkolkf.exe |
| C:\Windows\SysWOW64\Cfdhkhjj.exe | C:\Windows\system32\Cfdhkhjj.exe |
| C:\Windows\SysWOW64\Cmnpgb32.exe | C:\Windows\system32\Cmnpgb32.exe |
| C:\Windows\SysWOW64\Ceehho32.exe | C:\Windows\system32\Ceehho32.exe |
| C:\Windows\SysWOW64\Chcddk32.exe | C:\Windows\system32\Chcddk32.exe |
| C:\Windows\SysWOW64\Cjbpaf32.exe | C:\Windows\system32\Cjbpaf32.exe |
| C:\Windows\SysWOW64\Cmqmma32.exe | C:\Windows\system32\Cmqmma32.exe |
| C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\system32\Cegdnopg.exe |
| C:\Windows\SysWOW64\Dhfajjoj.exe | C:\Windows\system32\Dhfajjoj.exe |
| C:\Windows\SysWOW64\Djdmffnn.exe | C:\Windows\system32\Djdmffnn.exe |
| C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\system32\Danecp32.exe |
| C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\system32\Dhhnpjmh.exe |
| C:\Windows\SysWOW64\Djgjlelk.exe | C:\Windows\system32\Djgjlelk.exe |
| C:\Windows\SysWOW64\Delnin32.exe | C:\Windows\system32\Delnin32.exe |
| C:\Windows\SysWOW64\Dhkjej32.exe | C:\Windows\system32\Dhkjej32.exe |
| C:\Windows\SysWOW64\Ddakjkqi.exe | C:\Windows\system32\Ddakjkqi.exe |
| C:\Windows\SysWOW64\Dkkcge32.exe | C:\Windows\system32\Dkkcge32.exe |
| C:\Windows\SysWOW64\Dogogcpo.exe | C:\Windows\system32\Dogogcpo.exe |
| C:\Windows\SysWOW64\Deagdn32.exe | C:\Windows\system32\Deagdn32.exe |
| C:\Windows\SysWOW64\Dddhpjof.exe | C:\Windows\system32\Dddhpjof.exe |
| C:\Windows\SysWOW64\Dhocqigp.exe | C:\Windows\system32\Dhocqigp.exe |
| C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\system32\Dmllipeg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6500 -ip 6500 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 404 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2804-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2804-1-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Gfembo32.exe
| MD5 | 9b1ad7121af74dc8fd113fa6a15f6e4e |
| SHA1 | 0b9c84bb067194e71301af7d6a74c78574ac98c5 |
| SHA256 | 602e4c263d77dbc6171d39b1940db9b262a6e8f601c96b19735a65fbc16e506d |
| SHA512 | 3badeedb7c0fd6daeb3e302a65cfdea74cfac9d4876e813deee56f6a6962556ed29713440af0af9c7c3ba40bda4110ce56e688349fee11eafde79117e1fd95a3 |
memory/5076-9-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Gicinj32.exe
| MD5 | 92215958eb962ebfd40356ff195e8a9c |
| SHA1 | 9df1749e12e9a8bd845c8e41ec7b6a696b1f9751 |
| SHA256 | c843786e2c10116d9a9b679a2d8ff40e2c26a5e8ad8ddc0c5165b30815fef880 |
| SHA512 | 8fbdef1e0fe0e297fb556b3a86a198e521be87f8969cb1545cd093f12678465ebb3a9fe6a60b6c694c73056337288b5455412bf053a16bf1fb2cc2a6e63b3950 |
memory/224-17-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Gmoeoidl.exe
| MD5 | 255fcd514baf85331432d100ff69c611 |
| SHA1 | 061926e27ff764dc13ebd84016617093f11396dc |
| SHA256 | 85c651db34d1b94b3585e17c29fd0e799019b68465aea726fd576c7b3c20e887 |
| SHA512 | 5a32ee3560bf880219a0f3111582b21b8aa2bfe693ff3b9d17b9c85e5db9f149e05cf5cf1d845b1c4384d3ab79c8d1f43f7debc693b986a0b698eaa979a3cb14 |
memory/1116-24-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Gomakdcp.exe
| MD5 | e75e50d524d82c2fef149d4418faea65 |
| SHA1 | 8471edde5ac2795e1ab95e270e8fb49e4eeede82 |
| SHA256 | 28f3256914e89bb8cea009f30036d283b1f20e7be50bfa9e8c9e3ed565efc4b8 |
| SHA512 | 85d99d281c2b88290e64506f22f75316db1d039695cd3cb3130f2356a50aabb909a200653bed73cecb9db482fff06c6f54b159677d3664e8dcb9954fc6440f52 |
memory/4964-32-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Gfgjgo32.exe
| MD5 | dca26d08eec90a11453f52ac5e40c20a |
| SHA1 | fde737b037813d6f134918281b5638c43d4f24e2 |
| SHA256 | ce78f09ec782506ad2e502779b1f1da5ba991a1ece59afe09751438614762f9a |
| SHA512 | 033704199153ee1d1bab4dd6f2a2985ce6c465a385d9911a94415620ecb0cbd89535c85246bf6393b34497ca50769947a0c2d4f8c2d3b7a9da745088bf478a5b |
C:\Windows\SysWOW64\Gfgjgo32.exe
| MD5 | 3b49f9f23eb3a10757a1cdf85736818a |
| SHA1 | 31ab7c00334557e6f51d99acbac7afb1d25a0091 |
| SHA256 | 92717a2b0c90a2dafbbe01b90800137dc4b09fe5802af6c34ec873093ac85111 |
| SHA512 | 3bfe2e489af40a2c31644a8a3a01d256379563d9333b4d619d4f000c48315547c3ad92cf80fe48a275699e46b9c1227eb3095a8a3ffd501ef6189c9998e5f9fb |
memory/4488-40-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hiefcj32.exe
| MD5 | cbc524d4077e96e3d92379172962b782 |
| SHA1 | 0b11267ee419537e99a659fa20183e2ba97800dc |
| SHA256 | 7355f6eb3012645ed8c430206e28b0a9c5289466d7955a5f5390a9cab546b561 |
| SHA512 | 49aab246d8a102ecc885a5c2f1446413899687025da81b5e7ac7b251d988c3aafa3f801fbee073fd73a49e4fcdb5bf646055534a36f216e8e62af2ecaa8906c1 |
memory/116-48-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hopnqdan.exe
| MD5 | 62a91f71443ec3eae56113294427738a |
| SHA1 | 4ea27ffb70999199fd1adfec495821c18115dd7c |
| SHA256 | aa8845c506ac6c23fa9affe16391ec232a3f980018bf3232bbddd2a0bd8bd0b4 |
| SHA512 | 713fd5be19945c21ee2498a86f5f39176515ebd064e279f11a91704000b075427f9a03f4c0c1be84c331eae94c56831c074d9cf8c8d870371df3c19433bec81a |
memory/4452-56-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hfifmnij.exe
| MD5 | c22cd6b9da960ef92a406d475446a49b |
| SHA1 | d46bde39f0f60499aac26b893b686fc1ee9e5287 |
| SHA256 | 3adc5484a479ae549e7da6ab527f3c7050d7aba468889bf3159f5eda465b4fef |
| SHA512 | 6aa7725df972d6b07b538e1feb019ffb01cbeff8bb4542b57ba19c1dcab3398aef6c5d6c395db66880241ab6d16800bf38c8ebc64a0dd70b1408cddb589389b0 |
memory/2964-64-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hmcojh32.exe
| MD5 | 330f365e702b9fd453cfd13d274cd5f5 |
| SHA1 | b47df57e4df1b0c83dbe41e60a6eccb9ddfed3e7 |
| SHA256 | 8b09fc7a25b4df238627837570f9187189b2d7f5620be1a43bd22e6c70bb4425 |
| SHA512 | e8ac8bf2f2dc45b08298df2bf7a80dfcf7428675d5dad09e9917c47d7a36a36f05652bd4a89e3558b3f25aa2a45c8daf5cbfbbeb4b7987d935cd28c218d8f0ae |
memory/1640-73-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hkfoeega.exe
| MD5 | 40a93895c5181ac8745ed88b602057d1 |
| SHA1 | d4ce91b1b80a319bab20e192d404aa614115da5a |
| SHA256 | 37c73c745bb81bddb66f1b28c2fdb3b1959f2699d041ff63fe07743a14595379 |
| SHA512 | 490a3e0cd48bf14f77d41f2481ed5fc0017f2252e975e2607f9e61958daff8113ca7a102f9246707ddc385c2f3505c4291b07fa9e2afa5cc457db9d76335e1ea |
memory/3328-80-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hflcbngh.exe
| MD5 | 196e21fab7ff6e6be13a62abb58e2c16 |
| SHA1 | 86f018f8b30716d575c35f8dad1aaa9f8d420bc3 |
| SHA256 | 4f9f27166d9b7558e5667f9c397567798843feb8ce8da1c49110d0c3ab0c1e37 |
| SHA512 | 421f20ae547385d46a2314d1c74883c4dc23c65e8827d2e7386e52faa175ec456461c652e876da6dcf0e1312366288ed65c9ac7a94d38fc684a9569bb704e91e |
memory/2024-88-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hijooifk.exe
| MD5 | 74ad8625070498036abea721c65f0ded |
| SHA1 | d31a3ecd517d14242136e039a381e20c12cd728f |
| SHA256 | 7e3e2d883ae8b3c8e5b854ad68ea964836ed793206db76222a609417fe054d6e |
| SHA512 | 00c8885a2755a183c157232d70ccf0e1a96959c6a84aa8923f46d3e987931fd5fcd03868777895669a293dd7eed2ba579e699726b8b4a1cc7ef4fafbb169cfeb |
memory/2788-97-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hmfkoh32.exe
| MD5 | 3957862be8af91634c06f9bb2c2e78e3 |
| SHA1 | 10f5d8ae6d00774f27247579723950b735c58ff0 |
| SHA256 | 63a59fcffafa541ec3143040413ad09b92c354a14ace22a104f45232edb9860a |
| SHA512 | 170f44c1abf6afb6a790e1c6aae6cfcf53048a7bf82ffa095d4f8fc2553de5d4901c5e2cbe0ebe4241d3c5ae4fd76bccbc3a62b80dfbbf6ebdb93aae525818f5 |
memory/3728-104-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Himldi32.exe
| MD5 | defd5eac7c906e66905eefb6c132237a |
| SHA1 | e3c9933b3d819c683747a0459d40a3b6c1ad126e |
| SHA256 | f29a9354df9a891680670a2455cff1fb7e436a3d14bba384a93b584b9944193a |
| SHA512 | 85d866e4d996739036a6d22548f5c48d7b1c655c8910072b8ec8bfba9d4e045d22f9efd234f45cfc291d42bf3717877990dbccfe6bbf7c5b58b30c29582b2007 |
memory/4568-112-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hofdacke.exe
| MD5 | 809b433723e2203c89805ada4bd40950 |
| SHA1 | c12481f789138c0f79e653271101a06d88d3f320 |
| SHA256 | 1dd3f903d2bd9806b5aa4f119e0b53ba79d1b43c79b518ba3cbbd477eac812e8 |
| SHA512 | 629e7d6a3bcffb03b2a751fba3b683f3a2e17f40329066993de7358cde3e878e210ee2a7db74f6bf9bbcae863548d89972804b966e70dcb507318abfb85cc5cc |
memory/3172-120-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hbeqmoji.exe
| MD5 | 6d9f6f3be8cf039f1fae906c0f2442fb |
| SHA1 | 7038bb41ce7ae887b132e09a1f2145261dde39c4 |
| SHA256 | 46e0e07aad6ff32a4659f793357bdc36674d05e2b67e8817b5efcb34a4762989 |
| SHA512 | 711c3a8e1a7f9b7f8308d6bdd0fdd0e80666475e621bda07ff60b453403d666147f0c3e34378bb52c496bc92bd521ea5f0de69ce096e2572a38bb5c3197c13dd |
memory/3968-128-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hmjdjgjo.exe
| MD5 | 408aeaf3a8e2e93a1f9a08326ea7037b |
| SHA1 | 09efd42ab00bf7de199bf943a70cf9c4a5130e5f |
| SHA256 | 4b835a1a8774fa8a9794561b8dd30a1a872c72166e41c742f2ba31d5c3b4a3c4 |
| SHA512 | 93d19e4650d1cbbef4157e8c80146e8671999c639bd920c87510808b9972a0ede138d2faa826375461fadf0827e31b4462d12fb17306bfe372ae15656e3f651a |
memory/4692-136-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Hcdmga32.exe
| MD5 | 08b3f991a0bd3b04b9d18556e0b0347a |
| SHA1 | 597c496bd61749618f7cbaa6c426bd30f0ee6a01 |
| SHA256 | eb21055b7a036c7f08de1fae7902872dc45e29f7d8b82f0823bba25cf5b3266e |
| SHA512 | 7e34039ea88c6c8c7401615c5f97025b59483dc645ab2d19a5174fbd39a4c8898683b3840ae44f5b2f78f8642464f8ced6fa3f503e9d9d553204e14d603f30fe |
memory/4864-144-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Iefioj32.exe
| MD5 | 5b8dc31b0455ee5d7aa65fb1b3a97ac4 |
| SHA1 | 8f96cb8301e864778b040b0d2ee009ac0bd9a89f |
| SHA256 | 4b7240e105aad94e4ed8056be214d375ecc96832f4444960f4b87c637eaae521 |
| SHA512 | 16a9b5e40cfa64819dc7650b11b754cb6d91d5e931c33cea2326c510a05eb7d5f4459d227832ccc58703e5bd9a8495812edb98bcac23b2594fcb35246df1a73c |
memory/708-152-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ikpaldog.exe
| MD5 | 53ced5e19677aac863f40d34fef46e5c |
| SHA1 | 14c4ce8186accb7acac05f9e74a59d5f2fa6bff8 |
| SHA256 | 9054d6d96b4df237b02c625c6e6f6b33cde5c2a42d9b9fe682bee17710426ec0 |
| SHA512 | ecd6689face355afbea52e9467a57ed137bb18f32f641d7d90d961c45369fd325e0901e24ab7c959a9a7d898c9f5d5ef82c06e00f11d37740ca4dd8173fad7bf |
memory/2136-160-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ibjjhn32.exe
| MD5 | f72be3487da70eb4d35f86d665448a26 |
| SHA1 | 14047cbaa58f44fbce8eb30c3e22d23366339a74 |
| SHA256 | 043f63bf8d8750d3e91aebad614fb046d84f3ba7957e9eef8ad28c2bc3687d52 |
| SHA512 | 65b742f95d1bb69abb2f1798b93e92c3654ebe52801c7db19d735c7141d52e097b5d59d6d2d4141c9f5e870750e97b23034a02e476490b5e205b281444cd028b |
memory/2456-168-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Iicbehnq.exe
| MD5 | 828b2a320c54dd76f63d2885811716a4 |
| SHA1 | ad98861bd24fd24adfcb9a0391d03ecc39037aa0 |
| SHA256 | db147656ca7995c314c91fa2d5a580fb0385c72501a6a7965b8b49ba7693c69c |
| SHA512 | a6180bf02132f8b756986e60246f9e89a3a9c0ce39c1785a818660d0e5b3b817677d7d6cf1414c55957a8f22ae9ba91c73e9aaf1fc2a11aa33c1baba8ddac0ec |
memory/1576-176-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ikbnacmd.exe
| MD5 | 7a7259e199132365d8f8c2a76efdb06b |
| SHA1 | 4996130cfed7c4625ef253ae904b5a6ce60c1a0f |
| SHA256 | 7b010637943c6cc0514a61e1cc521d33e7cb9fe3a990b4106874026764898f7e |
| SHA512 | 2d7e591c61037932b7d98de8bb79d6f98e015d3e2c4ab40f5b28b5051dcbcf04454ad2af39526a53c674d1ee3edd4f7d92f0a584136ec361cfd2411c3b7047b2 |
memory/884-184-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Iblfnn32.exe
| MD5 | 87af59aea0ad845e9b36ae5c2615d4fe |
| SHA1 | 52c22f49b980958f3a74c03daa4d96696af3804d |
| SHA256 | 8dd762648659768e92c9642919e035f001f4babbb875aea0d5b1fff727c89ab0 |
| SHA512 | 2f61cc00b2649d38d406c3525050dfbfa44cc00016990d329e821058a7681c2d37456b4c51cc9589042c72bb8fce485247a8b3ca1356d53cacca950d425dbf37 |
memory/1656-192-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Iejcji32.exe
| MD5 | e0fd7fb6d8927bdbd1ea97ad362206a0 |
| SHA1 | e3b4ccd58510ed3aecffde375a6cb02b10a84c91 |
| SHA256 | db8f81d42f50079ddd99c45b7cbe3009e6a6bfeea8296f8f92a4a8702e1e72cc |
| SHA512 | d2cb1c32699b1faf088744a4c3237ca49d2a06414a7c0dfe8a718eb347d9b3686b289f9412a042230dcff624e67f4cfd19562ae2894ba7f5247bfbb6b76baf8a |
memory/3648-201-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ildkgc32.exe
| MD5 | 8acb66157e9c6c29d01df3a383d5fa87 |
| SHA1 | 43b40ad098baaf7d62b0c0603080790f6690ec6c |
| SHA256 | d52fff42165ef7572ff4d43a35bd28dc3b9730e870fab8bbf7a0ab20607030fc |
| SHA512 | c8d3bd6b9e05d18c7b0b2f5672cee123c1bcaa41e482a78abc6123ecae0198f06d9850a2649cd8944e39726c399a601e4179743985a484355f8ad4416cf4e2cd |
memory/324-208-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ickchq32.exe
| MD5 | 489c8122bfed64b6273b4286b278d09a |
| SHA1 | f57d9d3aa5f3528c2af25b512c82a5cb0adec365 |
| SHA256 | 68eb825ecb59dfe13a22169070f0ffeb5eb6249df853b06f5940bf18315e0b1b |
| SHA512 | 0648fc816f7961d0e02756bb0fa03bb0ec84bebf7ac943fd9d9fddf24546f6749458812bf83853465bbef64549192886e8f09d25c169f19a5e4f37e773bb334d |
memory/3776-217-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ifjodl32.exe
| MD5 | 1d579a67728b610f4d0b37715945c30c |
| SHA1 | 074e29fb8f877bb000b8041c5a3d8adcd088e207 |
| SHA256 | c9387d13b3b364ce13df93e7eefe8e8b4974a36d0f663231ab80e8e367f319d9 |
| SHA512 | 19d109f27a58e8fb54b08bcd5f1c96cc1048b93574e783934b2a0922dbcdb01c8e47ad3c5aae3ff2da8a1c7b41525c943b381952e4e776acc3d69bb2cddad8b2 |
C:\Windows\SysWOW64\Iihkpg32.exe
| MD5 | 536345b1e507ba777b252a0b7227fb80 |
| SHA1 | 15525e9f07240b63f3442b2ccf354d6ed8693beb |
| SHA256 | e3f6104ef893b9119b44f714cdfab0c28795b628da6b943049719eb53f0c4425 |
| SHA512 | 8b76a63a468ba94366178f22b8af9b5bb7fda667ea3a6dc4d4a219acbcd227cfb8a97b16d09847134f173fd5166f0b5f54a106adab19526c2d477bf7894f29dd |
memory/3164-229-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3864-233-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ipbdmaah.exe
| MD5 | bbe431f4d4704af98e47433d4d6b181e |
| SHA1 | dddce3d03363484d887525d9d1c47c15412e3077 |
| SHA256 | 4dc3701c5be96a822c24e5dafaabcb225e6eb8acf0a820f3462ca7106b8697fc |
| SHA512 | f99c93f1f3550c5707372887207bf5ebfdd24ac277a6ffd52aa4bd5add08c3bbfc108ceaf3092251a308a0ed081efff1eb869597970fc8e8200795efb4e34742 |
memory/4060-245-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ieolehop.exe
| MD5 | f9a1730a0a913d53f8bd831d5d416f24 |
| SHA1 | 89d32322d34633b70b819c31b147f9372caea87a |
| SHA256 | c2a6eec1f474a835ac334a52f33fd83f982181191c9c27dbbafc5c31e97900b6 |
| SHA512 | 2aea00a6b26c378ac4ad18c62a74b1fdb52479bc5d90bf06aa5d2605d0ce7b06493ffba078a60d6c76558cc29209a0ae4ec14aeed43724c39df97836fde92e46 |
memory/4788-248-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ipdqba32.exe
| MD5 | 274ac9790cab5fd25a7cc6a7bec957e0 |
| SHA1 | 70c9b96033e8d2dceb6aa7d63329640ddd1a0cb7 |
| SHA256 | 5cac7b357a7ab470bd82ab9069bbd62084f45a00af3dcadc4aa5c007e3e86b61 |
| SHA512 | 65445e0ad8ddac13386ee36f35087f8220c81af113f66e2726efa7228c972f48b0defd9381d7abc861e275908adbae53d9c765cb53c3a63e731d64246130e68f |
memory/1940-262-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1672-263-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2288-269-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2956-275-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jbeidl32.exe
| MD5 | f97948c1b3522eaed4401942168a94df |
| SHA1 | a46f48828c4a33ed130c01261de9e1b90cac1968 |
| SHA256 | e930ce3669d25a15ca977eef20c25036e7db9b688555f8bdd1dde85b3400a411 |
| SHA512 | c7d33c255b54f7472b6a2f957fcf99e61f93d4171d2bd686de90deb0f0ea17b31ea4b8feaec929e5bdd31e61e74685f37dbea406b91bf2985f3c80a0b010b64f |
memory/4068-281-0x0000000000400000-0x0000000000440000-memory.dmp
memory/868-287-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4344-293-0x0000000000400000-0x0000000000440000-memory.dmp
memory/208-299-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3416-305-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jefbfgig.exe
| MD5 | 033e84de664efd0268e5fe41c21f8d47 |
| SHA1 | d371af0717825e79b2a49e85b334044a56bdebfe |
| SHA256 | 7f377a974e311eb8ffa98f94d994764b27a43c38c669727036256a7fd5d1de44 |
| SHA512 | e55effc2c6f9bb30c36e7bcb97e23e6e1c93b1306328c91d3601773d159938558931e233bf2e2144a0f14006d4f3805e1c212bc0bca6ddc3a38913239f67b089 |
memory/3048-311-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4828-317-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jcgbco32.exe
| MD5 | 2fd987120b729cc767f6073eb598030d |
| SHA1 | f403143285b34fd7d93f9cf80d86c723e7cb2216 |
| SHA256 | 3222637e263cdc24b1af475cbe2ce721b3427225a903d06b495e4461d2eea362 |
| SHA512 | 311072422f42c1e7bb3794c37fd23c77cf77e59190d78b21bc266f0a9a84a351dfd0d7a9245a8c33c6fac5523d6eaf3281d6c7106109580c6aee7d91f9c5e257 |
memory/3132-323-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2540-333-0x0000000000400000-0x0000000000440000-memory.dmp
memory/552-335-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jlbgha32.exe
| MD5 | 51fb9a5f9c58a6a2796ec252b68f1db4 |
| SHA1 | 11fd9134c608bc18c27431c14281cc2a99c4190c |
| SHA256 | 1858d997e7d316387fd34c7af0a1f1c9a64402d72ab79099209ecef2daf7eb9a |
| SHA512 | e21a6adac89de83113da4c425af7b5572932e228eef7f051dd31e540f1b34e515e9b73bbb3f5076a94c2bd07006e846b1a520256acf2e70c79b8c9a113c6348d |
memory/4440-341-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1892-347-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2312-353-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jlednamo.exe
| MD5 | 9d789ab2cdf9359aa94dd6a0147f872e |
| SHA1 | e56272c0ec5c8c3619d274ea7809e3fb77de644b |
| SHA256 | 02d94f4bd042735c466b059b6f8d75fe9c2e51061313b4f995a302cbded4d4d4 |
| SHA512 | 11212a0b8e32aad4a37eac0aa555f6480f6701074c062918b89cfed1ff0187147b4898ffc2609b1eaab40b64dc0ee6f4a55e6ffe89c49ae08effb885bd4e2a59 |
memory/4556-359-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2368-365-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4656-371-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4216-377-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kpbmco32.exe
| MD5 | ece79b9bcfe7b3543d484ae0162fcb3b |
| SHA1 | 57edba6eb3ae55a690934ece2efae46117f83d9c |
| SHA256 | fdf30805f33badee8b49fccc3b58991582350ab3a4c2c160eb62e53d2dbc1706 |
| SHA512 | 98cf7fea1ffaa00fd4381e339f7c5c32eed44d467f3e322445048dc7bd2972e3f6a99d1c7c5d238251051967a4f7be1ff35dc0527a8f33ad67e7935f811cdd4b |
memory/4004-383-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1328-389-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kikame32.exe (the digests below are those of a zero-byte input: this copy was empty when the sandbox captured it, so its hashes are not usable as an indicator)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1052-395-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2932-401-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3724-407-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kfoafi32.exe
| MD5 | 97923a155e4044f7d712277ab4e7f8c1 |
| SHA1 | d1b20d3f120d4e01f631f55f93b890a2f1122cfe |
| SHA256 | 5be4d3e7b15141dc200a8353c86783fb04c2a0a090bd171923c9ea3277dc0679 |
| SHA512 | 0134bf84162f9ef2e747bc913bda76895c7dad4f6e5ca55cc8a1ebbb32da0f78c6a403dde0c465230d3c558d22b7b1a65251db904e2163d3fa8123ea9560a50c |
memory/4888-417-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3632-419-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kmijbcpl.exe
| MD5 | 9fb80fbfa687a66496d301f64656eeb8 |
| SHA1 | c7eeaa9411d3fc3e4056c542acbd2475a15aa67c |
| SHA256 | 13554c0c04f95c6d96d1a32b46da787a8befb77e8e15e94095824a66612a50a9 |
| SHA512 | 71d4b314745155436612b7bc86264d122268fb9fcdc39acebba407d9440c1bd83c5ab23190d31bd15031ff98588d6e06d3daaf663dc0d61dbdc3becd8bde01be |
memory/2432-425-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3260-431-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3956-437-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1476-443-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4264-449-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2628-455-0x0000000000400000-0x0000000000440000-memory.dmp
memory/732-461-0x0000000000400000-0x0000000000440000-memory.dmp
memory/640-467-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3372-478-0x0000000000400000-0x0000000000440000-memory.dmp
memory/964-479-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3400-485-0x0000000000400000-0x0000000000440000-memory.dmp
memory/436-491-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2732-502-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3304-505-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1636-509-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4408-515-0x0000000000400000-0x0000000000440000-memory.dmp
memory/856-521-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3740-527-0x0000000000400000-0x0000000000440000-memory.dmp
memory/512-533-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3568-540-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2804-539-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lllcen32.exe
| MD5 | 6b433f00b280ea497dce74cbbce647c1 |
| SHA1 | 4493d859d649a35cb09dcf8d0482a06436af72aa |
| SHA256 | e9af4bbac125442df7ead41a87e47fded28fab5737f45f6df7631b5a19ecbe9e |
| SHA512 | 06f2bef34c8d27e0bb068db94c2d00d62c642295d8148783a9da682472435dff442e71579db5e25beee3f940b83187d92fb530ee276c79cae92a3b4d47448aae |
memory/1528-550-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5076-552-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2492-553-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Medgncoe.exe
| MD5 | 88fc5460d696dde2987432463c2e3e1d |
| SHA1 | 52f0585ca5602d82c4ac6c553369e2278b2943ee |
| SHA256 | 77928fb6f0498869364c43820d1be8ec9981b2c81f8270ffa07593f6372ad7ff |
| SHA512 | 360ef2ffa20a4d93d47d2e417c04034d8f1cf415d9f8b945cd2d86d35b396e51f6281f19d14e7f3ccf7173dcc58e69ee6d762eb71efc4945cf8be0adbe97d300 |
memory/224-559-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4624-560-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3848-567-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1116-566-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4856-574-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4964-573-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1020-581-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4488-580-0x0000000000400000-0x0000000000440000-memory.dmp
memory/116-587-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4684-588-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4452-594-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mgfqmfde.exe
| MD5 | fe56b94ecc01ac0f3a4eeb196edb862c |
| SHA1 | 9e2db3a3f5f96ae4accedf38aba062dca5f06814 |
| SHA256 | 956183d6ef50211b42986b42cf7510e20dc3ed28858bcb16ad2e79bd6eec7d56 |
| SHA512 | 855c29cc952629d6a9dd4a7c719e767c84a562d371c81a255e637efe169337cab127d6ac3f094a2462b46a3a82b7a9bdaabec5a84d63f51a386fc6df057cdaaf |
C:\Windows\SysWOW64\Mlefklpj.exe
| MD5 | 242b7abb62d3d63b50e35eb5deb7df2b |
| SHA1 | 9e0465895f8751a34e24e6610ceb99772432678e |
| SHA256 | f37bd671cb28d5b91cd9c862f9fa969fbcd2dfd643d507d449b81c2678eaad04 |
| SHA512 | 939f51fa2b6f1e824507bab2ca0c5198b6e6cc8ea13528aaa1b7fa1c4f25d1fd2c9a38d6b7f78356afb6ff482ed90871c306dd60f3d39ee4c0ef3e12367c4db5 |
C:\Windows\SysWOW64\Ndokbi32.exe
| MD5 | aa65d536605f74ea75051db195199bbf |
| SHA1 | eea22ef42056aa7dd70409d11a8727f1cfb9fdb8 |
| SHA256 | be9af6ac5066acada8c7a4291c2cc546bf8bcb8fa2c60cc1928612e16902898b |
| SHA512 | 452f36ffba33c45f80049391e2dc0e38640196b01ea146a73a2efbd8439fd53d57892b40cd5cd14e3f131f8ccfa7f5abb120923358cad373737ffef607111aec |
C:\Windows\SysWOW64\Nilcjp32.exe
| MD5 | 088f27ecd0f335f6cf229dba04ee810a |
| SHA1 | 8a51fbca324e7904c42070a4e73bd0a2a48e1b47 |
| SHA256 | b505b6dad834bdea1a212f7c7ee20b89b0e6ff4e3722bdad79c42169f5898e15 |
| SHA512 | 15e68cdb7cb8156ef6e2b4d99ab93e0a0736663621f00e52217f4284d6e52c812785c8e4a2c5eea004bf2605a842b3e9cd49fc5c38836e3c25da67d6ef33ef09 |
C:\Windows\SysWOW64\Opakbi32.exe
| MD5 | e761235568719a2cc670b2cd61ef589d |
| SHA1 | 8a57079ab123f69a663c1144744ab7e254550bda |
| SHA256 | 80551508aac607c5ba6741f9f0a135e5b36c304095d9f565ad2d49c7911270a1 |
| SHA512 | e85196020dd58636ea69ae277fb063424fa16aca36ba987f408a461352138c3da9c1b2a9accc4f0d25228f9200f1c73c9b00c5e978ae753f472e68a340734a2b |
C:\Windows\SysWOW64\Ofcmfodb.exe
| MD5 | 41841019553c64ae21536efd5176f904 |
| SHA1 | 159806b00ed6bb9ae6b8f3be83be412a97859223 |
| SHA256 | 01bcc6e708de40a47074cd151749783d35b9112b98121d4d0abadb42550b30d9 |
| SHA512 | f86e724c4de28b68dd86cb31a8b22cb78dc28041b32e6f5cab6a89c266bd23c7bf1b5ff4065459094ff5a5c87244811f05b33063f654a07ddf01dbf65976563b |
C:\Windows\SysWOW64\Pggbkagp.exe
| MD5 | f0366a41091302e3985f8f2aaffcdcec |
| SHA1 | 0652ac7446596764491952d57302c218d33ae7a8 |
| SHA256 | beaaa98c2b9fe9d988f54773982805af16db1f8245419ca346d6d2ff6587701d |
| SHA512 | e3a40b28a5b79a5480ee28816bae873f8a265bc7bd0eddb6baa54c55cc1538f33abb68b0d14c06472837523f12d410700aee671cf9f5074855a94c0472da73ec |
C:\Windows\SysWOW64\Pcncpbmd.exe
| MD5 | ea13c0784c017513f3016149a589d8c7 |
| SHA1 | 930695082413c3dc90dba4d24983fd96bdf6cd99 |
| SHA256 | dc5675f0a79255d5c64a1af526c349f5b5269c7564930ca907d75b299c2b3a35 |
| SHA512 | f5adee72b139efcb9535379a5d1b874e7455b08253c4e10f6fe100ba74af62f3e9146b469b1026d4eccab96c6d1e07465c235da7257facff6cfb64facb8041d3 |
C:\Windows\SysWOW64\Pncgmkmj.exe
| MD5 | d1198d334669a368e73e3f8e03d24c84 |
| SHA1 | 2863b2793de7fd0ad4b40276bff3b74204502750 |
| SHA256 | 5b70e9ef35848c0297fbc735ff3e83455d10ee2a9cb2d6ef3e7399bc057165b8 |
| SHA512 | 6692aa7d9a7ceddfd213be44859de8a337cccc4466bbfc80d7d252a56434aecf2ab58f5f2ca3c7ee8961f4bc78cb3ca6b3596e18a5a3ae21877e475177b9b1e4 |
C:\Windows\SysWOW64\Pfolbmje.exe
| MD5 | 9eb4f8d991812f8294c5bc961d26c858 |
| SHA1 | b3d1a8409a2635b9e8a9a5740fdd44b0340e51af |
| SHA256 | 6b90f49256d89ba9deb9deb60180c9a10baf55423a45e68d318b1df1d1b19911 |
| SHA512 | 262b80525029929c995c0c2645755f807f33bdfd634b9e0a5f9395acee0cb2e90071f42a0d82576e8a3d5a5d417dc570351dd7886c1caa9eab2504d622c3d2d8 |
C:\Windows\SysWOW64\Pjmehkqk.exe
| MD5 | bc8c0f92495ac71951aa8b5f0a4ffa70 |
| SHA1 | 508e29ef82bd2a2483e16a58ff20c9d1a99dc6d2 |
| SHA256 | 763505fc8fbe91f2edbfcab90c88b54b140c585465afec913120c554c4a162fb |
| SHA512 | 00c8bba402a4cfacf06f8e3008594ef34f845676a3831c10d9690e341659271615148e18e7f51d33e01cb8d01672da04e1b697f6afb3893a8e0182b4a1d46043 |
C:\Windows\SysWOW64\Qqfmde32.exe
| MD5 | b988cf0ac0b66c50c513bad769a96d75 |
| SHA1 | 2511999cd2a4c6124a61c42486bf93afc53ce1b3 |
| SHA256 | 43c03effd4d43bb74e44e0169934c8300da939bc755cf728179a898da600a881 |
| SHA512 | 7cfc209901bf30e260ef2e96fc570e8d61b906633a963705674983b85e8db7937d87f7d9c51024eda2a6d0900b7b2fe63078fd610cd42535c84ce09ee6070e4b |
C:\Windows\SysWOW64\Qddfkd32.exe
| MD5 | ba880ef5145d58f1282da0c60caf0660 |
| SHA1 | a4ac00ec80a080d1615d36a5582f584a2f192e9d |
| SHA256 | 657d4e3e136692c27a12758d6d2a3216bcc2a3459ec9c12013c9ff60d20d4a54 |
| SHA512 | 62ea18ea90d4deeb243906765daeb1302edab1bd3bd27999ea8d8b961ecae6a0f62e3f2093346e0897bd5ee81b865825a0aed8951d2414dfe24e06776f724662 |
C:\Windows\SysWOW64\Ambgef32.exe
| MD5 | a306eaef747f65c5dde40913dfd84d03 |
| SHA1 | 2dbd16b7d4d662098fcaf963f25e7c6c1ceea57e |
| SHA256 | 7cefd686a8ae87e648d91a3f3a134d89f74e404c0b88b0920c684483955a3ae0 |
| SHA512 | abe2ac870e4e9a7c2b6432d6aba6cb2dd8e903628479b75c3c3e8d4242a63156182723391e6d3d50291fd47a313a06e8f9dd8a7a38e975589a15494fac38902a |
C:\Windows\SysWOW64\Amgapeea.exe
| MD5 | 68636f50e717bebb6e97319617234a08 |
| SHA1 | fd7ef9323042fa68b3559c86fec726f01df9aff8 |
| SHA256 | b4289740f46a18e93377ea86292d617803b99cf30fd7d607bd91f6ec819e5d3e |
| SHA512 | 4c431246aca0e49fcdc07f56d427ae3d5735bb3c3cb94780e3940bb6f49da01f1e80b9a2048d619b5174968ab179a24c21640c1b3437ab23bf01029207c2c4a6 |
C:\Windows\SysWOW64\Aadifclh.exe
| MD5 | f0fa1279b64c147b9215c2e3455469f9 |
| SHA1 | 6118b0d89318551230b17bd2202ee96e7a90e12d |
| SHA256 | baf32ed2256f906141f07b94ba26a9f7b69707001bb4cd51c77f8c66e9d96b88 |
| SHA512 | 3dbd0cc6cf6f1e6b5a13bc503b1e49ddb283f029899a2a407777eddd6be49cbb0dadd023c6053138e360dab4f99a13d59c28da7dcc764f22dd4f526fcef4ea1f |
C:\Windows\SysWOW64\Bnhjohkb.exe
| MD5 | dfefa32c4092986b37ea69a706be375c |
| SHA1 | 6ad6008f9d36d629f55b1a06dfee6b59e5ed6961 |
| SHA256 | 82b40f11f81bf744d6b3d58edf31e1c6f9a8d993fac44d61bb122f65b5d4369a |
| SHA512 | 16d36772e3bfed790cb83df4a868976619c30e091a86f98dd231c21810fe3f99c8659d20a767fa98c79ba1ba69df962dd5987176c5bce18963ed44941e6731f4 |
C:\Windows\SysWOW64\Bfhhoi32.exe
| MD5 | 3a88d10c961a4ab47a5473c0fd1dc683 |
| SHA1 | 66bc86f7aa20eb7656cd8f7a269b2b1ef3abc057 |
| SHA256 | 6bcc2fe2b779bb065c4924d2076288a83dfe2b554f33e4df4f9450e28182e8af |
| SHA512 | b21205e1868cf9fc53c6c514e6c331bea38ca7540932e9e1cc8ac37132d681aecb4aca1a058e4db8295b8a7d24ac44a026d5f4742d5a808f0f189d24f9301df8 |
C:\Windows\SysWOW64\Banllbdn.exe
| MD5 | 2fb9e6e742628c16e28647e131c24098 |
| SHA1 | f9509a1e2b404d05cf5ebbb22fb87ad838338d2f |
| SHA256 | e609eaf484b8763245fa5660e7ace61db5cf0a6065e751d8ff2b60451a1dbe3b |
| SHA512 | 2535217d426c429ae63292634358f76f5435533c7ae60d7b250471553ccf8c5573b49f74e6e4abd6d4320f05f01771fd5b815854bca358fad83dc4870eb2a62b |
C:\Windows\SysWOW64\Bjfaeh32.exe
| MD5 | a9675d34f5fffee0a8223b0197d656db |
| SHA1 | 8b85c92b8ef0ca605327de644aa668dad22838b9 |
| SHA256 | 0d0e4126892f94d4b4edf1c9d773c160253b4198ca460a4fb58447d3e411e17d |
| SHA512 | 7f131c3c3632787627bec5ba045ee080a421c8d0885fd1d84195a7017c2ccc533b2ea53fdeecc98a0d496f2335d283ed5afe1f54c92c7c8c8a2833821bcb2988 |
C:\Windows\SysWOW64\Cdabcm32.exe
| MD5 | 8aa864283c7f18dbf4d2dcb06b968290 |
| SHA1 | bd18df28e4a2d37cba4bf6b1a9090e820f15f2aa |
| SHA256 | d2f356770679a64ee4c118d876ab326e8144e7a479141377be4575088aaa5a7f |
| SHA512 | 6e603eaa9f4fbaa8760448034e98bdc368754074ccf900b566a31190da19822ce31a1ccd6041b70df69f24d8f362360532579d7580cd803f3c8d2e03d521be95 |
C:\Windows\SysWOW64\Cjmgfgdf.exe
| MD5 | 2b8d3cf6246faa9ff1b7a8b6ae57b483 |
| SHA1 | b4da9c675bfaea039b14ae6a9600d4d271e5a86a |
| SHA256 | 6c0dd1c04018698de43571f8939d48e5ae0b4dc2318acb439e7b5fbb760f4d8b |
| SHA512 | 58a30dd27d90187a5a90253cff397925230c83536a4c09d09ecd2ab7d7658f2e9af2b446870a16b879c14cb51ef12090bca4e7a9067956961e61316e1c5cbc9b |
C:\Windows\SysWOW64\Ceckcp32.exe
| MD5 | 957e44779c55f2d5a70cdad7312db4b2 |
| SHA1 | 1eb3fe0c84280578ac719137e65b7b13ce0fc3d4 |
| SHA256 | d91730ec90a4520603442ed0c30af4924079c7c02e904495b9b5c642c63c0bed |
| SHA512 | bc90b618834d17647f1c80cc9c844cba6041efbb642c77ba5d70120b2d81d7a04d6d629946c9a90eb869d5621d2318c6e7255e443f270545378f51f11e35f409 |
C:\Windows\SysWOW64\Ceehho32.exe
| MD5 | 437be9e06e72262c54003c7c699defb4 |
| SHA1 | 91a7e4ff84655f4ef7030a4b52c5ea23b963f01d |
| SHA256 | ce0f8c1020743a9c349d26140d4f01b8bb47c359310fd33f1ed36acc5ffe7ded |
| SHA512 | 2a4018723bffe97163354ec60edf5029c6bf0eccf4a61aa54ffdedc803c39b87fc0606a15719170fd54ac490c94f9367f8168cf681de6c26e5e601717934b9cb |
C:\Windows\SysWOW64\Cjbpaf32.exe
| MD5 | c2635b11a7b5ebd40d14b0a82331c3a6 |
| SHA1 | e7aed45df138bddaa01de46ecccd293cec644aa5 |
| SHA256 | d6e78e3a14f5b5e937e8a93a6e4614118c5fd876bbcde7f1271d684c94375409 |
| SHA512 | 7e336c1bae3b694f31bd4234023c9d8e99e6c3481957025dc320633171d22ebc457d0aaadc80be0336f8db579c4bc7b646bad14e016bad593df365450dbeb5a2 |
C:\Windows\SysWOW64\Danecp32.exe
| MD5 | fc94a06da90173d34b3a9938134c3196 |
| SHA1 | 55daa14118493d7c9c6c3d358901bca3c7ef952a |
| SHA256 | d817a3735baa2a4c81f3fa285585209fdaddf84c99a14cdb56b68595e5ccc8a3 |
| SHA512 | 59d66c24fa8fc9a23c766e20647f30ef8111bb9ca1604101b21ee0b1f5f3335eaaca525b8082c86719f2dba3224014fcfc2464322dff5f31a8e1571e35a9e081 |
C:\Windows\SysWOW64\Delnin32.exe
| MD5 | 585b5f1c214c6d51b3370f89f91c16fd |
| SHA1 | 54df2e8b27ed042fcee76dbb9488ab81f33afb7a |
| SHA256 | 8557946a0a0a59fdc2f11671437dbdac68c90ada6988579e7ef939631406b940 |
| SHA512 | 796c9687a24ead5452de6cb9b3b9acdd7a101c7df15db645a51b52b6f14335beb116ff5a9ea94419113be2a39131e87c3f73400231af351b88c0c205e6232b85 |
C:\Windows\SysWOW64\Deagdn32.exe
| MD5 | 99b9eddffe9f8d0c43fbb18235f67765 |
| SHA1 | 15acded416bbbc11912940ea9942809c95db12a5 |
| SHA256 | 0ad3d94dd656b4b002524d265870c159294075c3dfef03a3078f6370f55b98f5 |
| SHA512 | 59e0c7f730662fafce37189fc3c9d59804de7fb3205e5f153179134560e1b64ba13de570b78bc95897cade663c93234c7ee1a1bc39f91b05d0b832b4f6ff5999 |
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | 2f99e49faeda75d6c1e29ec27f07c395 |
| SHA1 | da6afdf4c455ca022b52be63a954db7178245d6d |
| SHA256 | b07d152192d1d65f8a68653c0579a15683c218c11f19eaae071e6439d07d91e4 |
| SHA512 | 8e0015a6192c0461e36952b6c6fac2f34264080e87970fc0f03ae2340fa6faef800f48a82586449e0492336ed308d79551c1bc02141fd9df138f65c9933feb28 |
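The dropped-file entries above are raw hunting data. The Python below is an added example written for this page (it is not part of the sandbox report or of the sandbox's own tooling): it parses the report's own layout, a `C:\Windows\SysWOW64\<name>.exe` line followed by `| MD5 | ... |` rows, plus the `memory/PID-...-memory.dmp` names, into a deduplicated hash list for an EDR search, flags entries whose digests are those of a zero-byte file (Kikame32.exe above was captured empty, and its hashes would only ever match other empty files), and tallies the dumped regions, which all share the same 0x400000 base and 256 KiB size. The sample input is a constructed three-file excerpt of the table above, embedded inline; the function names `parse_report`, `empty_files`, `hunting_hashes` and `region_summary` are the example's own.

```python
"""Triage helper for the dropped-file / memory-dump section of a sandbox report.

Added example for this page: it is not part of the report or of the sandbox's
own tooling. It parses the report's layout (a path line followed by
'| MD5 | ... |' rows, and 'memory/PID-N-START-END-memory.dmp' names) into
hunting artifacts.
"""
import hashlib
import re
from collections import Counter

# Digests of a zero-byte input. A dropped file carrying these was empty when
# the sandbox captured it, so its hashes are not usable as an IOC.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# Constructed sample: a three-file excerpt of the table on this page.
SAMPLE = """
memory/3172-120-0x0000000000400000-0x0000000000440000-memory.dmp
C:\\Windows\\SysWOW64\\Hbeqmoji.exe
| MD5 | 6d9f6f3be8cf039f1fae906c0f2442fb |
| SHA256 | 46e0e07aad6ff32a4659f793357bdc36674d05e2b67e8817b5efcb34a4762989 |
memory/1052-395-0x0000000000400000-0x0000000000440000-memory.dmp
C:\\Windows\\SysWOW64\\Kikame32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
memory/1528-550-0x0000000000400000-0x0000000000440000-memory.dmp
C:\\Windows\\SysWOW64\\Lllcen32.exe
| MD5 | 6b433f00b280ea497dce74cbbce647c1 |
| SHA256 | e9af4bbac125442df7ead41a87e47fded28fab5737f45f6df7631b5a19ecbe9e |
"""


def parse_report(text):
    """Return (files, regions): per-file digest dicts and per-PID dump regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current['path']}: malformed {algo} digest")
            current[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            regions.append({"pid": int(m.group(1)), "start": start, "size": end - start})
    return files, regions


def empty_files(files):
    """Paths whose recorded digests are exactly those of a zero-byte file."""
    return [f["path"] for f in files
            if any(a in f for a in EMPTY_DIGESTS)
            and all(f[a] == EMPTY_DIGESTS[a] for a in EMPTY_DIGESTS if a in f)]


def hunting_hashes(files, algo="sha256"):
    """Deduplicated, sorted digests for an EDR hash search, empty files excluded."""
    skip = set(empty_files(files))
    return sorted({f[algo] for f in files if algo in f and f["path"] not in skip})


def region_summary(regions):
    """Count (base, size) pairs across PIDs. A single dominant pair, here
    0x400000 / 256 KiB in every process, says each child maps the same image
    at its default base, i.e. the PE is not being relocated by ASLR."""
    return Counter((r["start"], r["size"]) for r in regions)


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    print("dropped files:", len(files))
    print("empty (skip):", empty_files(files))
    print("sha256 hunt list:", hunting_hashes(files))
    print("dump regions:", dict(region_summary(regions)))
```

Feed the whole dropped-file section to `parse_report` instead of `SAMPLE` to get the full hash list; the file names are random per infection, so the digests and the fixed 0x400000 / 0x40000 memory footprint are the parts worth carrying into a hunt, not the paths.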