Malware Analysis Report

2024-10-16 03:40

Sample ID 240916-mq5scashpb
Target Backdoor.Win32.Berbew.pz-3707c8a58df3211d8536478def2744fad477c58555eb42eb58a710b7d85036b8N
SHA256 3707c8a58df3211d8536478def2744fad477c58555eb42eb58a710b7d85036b8
Tags
berbew backdoor discovery persistence
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

3707c8a58df3211d8536478def2744fad477c58555eb42eb58a710b7d85036b8

Threat Level: Known bad

The file Backdoor.Win32.Berbew.pz-3707c8a58df3211d8536478def2744fad477c58555eb42eb58a710b7d85036b8N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 10:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 10:41

Reported

2024-09-16 10:43

Platform

win7-20240903-en

Max time kernel

85s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhfmbq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieeqpi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kikokf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkkhmadd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mhkhgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlbgkgcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogjhnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Haleefoe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipkema32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kobkbaac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfopdk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mbginomj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hhadgakg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhadgakg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mbginomj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlbgkgcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhnemdbf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iaaoqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfhmehji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgdiho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfopdk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mbopon32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkkhmadd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nmhqokcq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nddeae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Heedqe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jngkdj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcgqbq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnlepioj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfjfik32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgdiho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfaljjdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ladpagin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iaaoqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Injlkf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcgqbq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfebdm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nahfkigd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhmpbc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhnemdbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kobkbaac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbjjekhl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlpngd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Heedqe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Haleefoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Injlkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdogldmo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnlepioj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfebdm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mblcin32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhkhgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nddeae32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogjhnp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohkdfhge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ohkdfhge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Holldk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Igngim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ieeqpi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlpngd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nifgekbm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laackgka.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Hhadgakg.exe N/A
N/A N/A C:\Windows\SysWOW64\Holldk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Heedqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Haleefoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhfmbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaobkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaaoqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igngim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipfkabpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Injlkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieeqpi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipkema32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfhmehji.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jobocn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdogldmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jngkdj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhmpbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjnlikic.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcgqbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnlepioj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdiho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfjfik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kobkbaac.exe N/A
N/A N/A C:\Windows\SysWOW64\Kikokf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfopdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkkhmadd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfaljjdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lajmkhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbjjekhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Laackgka.exe N/A
N/A N/A C:\Windows\SysWOW64\Ladpagin.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfqiingf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbginomj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlpngd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfebdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mblcin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbopon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhkhgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmhqokcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhnemdbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Nddeae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nahfkigd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlbgkgcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nifgekbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjhnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohkdfhge.exe N/A
N/A N/A C:\Windows\SysWOW64\Opblgehg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhadgakg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhadgakg.exe N/A
N/A N/A C:\Windows\SysWOW64\Holldk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Holldk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Heedqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Heedqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Haleefoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Haleefoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhfmbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhfmbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaobkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaobkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaaoqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaaoqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igngim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igngim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipfkabpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipfkabpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Injlkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Injlkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieeqpi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieeqpi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipkema32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipkema32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfhmehji.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfhmehji.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jobocn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jobocn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdogldmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdogldmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jngkdj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jngkdj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhmpbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhmpbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjnlikic.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjnlikic.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcgqbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcgqbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnlepioj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnlepioj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdiho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdiho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfjfik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfjfik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kobkbaac.exe N/A
N/A N/A C:\Windows\SysWOW64\Kobkbaac.exe N/A
N/A N/A C:\Windows\SysWOW64\Kikokf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kikokf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfopdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfopdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkkhmadd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkkhmadd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfaljjdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfaljjdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lajmkhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Lajmkhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbjjekhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbjjekhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Laackgka.exe N/A
N/A N/A C:\Windows\SysWOW64\Laackgka.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Kobkbaac.exe C:\Windows\SysWOW64\Kfjfik32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lajmkhai.exe C:\Windows\SysWOW64\Kfaljjdj.exe N/A
File created C:\Windows\SysWOW64\Laackgka.exe C:\Windows\SysWOW64\Lbjjekhl.exe N/A
File created C:\Windows\SysWOW64\Haleefoe.exe C:\Windows\SysWOW64\Heedqe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Haleefoe.exe C:\Windows\SysWOW64\Heedqe32.exe N/A
File created C:\Windows\SysWOW64\Hhfmbq32.exe C:\Windows\SysWOW64\Haleefoe.exe N/A
File created C:\Windows\SysWOW64\Cadbgifg.dll C:\Windows\SysWOW64\Jobocn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhmpbc32.exe C:\Windows\SysWOW64\Jngkdj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mblcin32.exe C:\Windows\SysWOW64\Mfebdm32.exe N/A
File created C:\Windows\SysWOW64\Nahfkigd.exe C:\Windows\SysWOW64\Nddeae32.exe N/A
File created C:\Windows\SysWOW64\Blagna32.dll C:\Windows\SysWOW64\Ogjhnp32.exe N/A
File created C:\Windows\SysWOW64\Ffffpb32.dll C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Igngim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ladpagin.exe C:\Windows\SysWOW64\Laackgka.exe N/A
File created C:\Windows\SysWOW64\Nlnjkhha.dll C:\Windows\SysWOW64\Nifgekbm.exe N/A
File created C:\Windows\SysWOW64\Liakodpp.dll C:\Windows\SysWOW64\Holldk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Injlkf32.exe C:\Windows\SysWOW64\Ipfkabpg.exe N/A
File created C:\Windows\SysWOW64\Fpdopknp.dll C:\Windows\SysWOW64\Injlkf32.exe N/A
File created C:\Windows\SysWOW64\Dnglef32.dll C:\Windows\SysWOW64\Jngkdj32.exe N/A
File created C:\Windows\SysWOW64\Njljfe32.dll C:\Windows\SysWOW64\Mhkhgd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Heedqe32.exe C:\Windows\SysWOW64\Holldk32.exe N/A
File created C:\Windows\SysWOW64\Efcjij32.dll C:\Windows\SysWOW64\Kfjfik32.exe N/A
File created C:\Windows\SysWOW64\Lajmkhai.exe C:\Windows\SysWOW64\Kfaljjdj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mfebdm32.exe C:\Windows\SysWOW64\Mlpngd32.exe N/A
File created C:\Windows\SysWOW64\Ifdeao32.dll C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbjjekhl.exe C:\Windows\SysWOW64\Lajmkhai.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfjfik32.exe C:\Windows\SysWOW64\Kgdiho32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mlpngd32.exe C:\Windows\SysWOW64\Mbginomj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlbgkgcc.exe C:\Windows\SysWOW64\Nahfkigd.exe N/A
File created C:\Windows\SysWOW64\Nifgekbm.exe C:\Windows\SysWOW64\Nlbgkgcc.exe N/A
File created C:\Windows\SysWOW64\Cjchollj.dll C:\Windows\SysWOW64\Lajmkhai.exe N/A
File created C:\Windows\SysWOW64\Ohomgb32.dll C:\Windows\SysWOW64\Jdogldmo.exe N/A
File opened for modification C:\Windows\SysWOW64\Mbginomj.exe C:\Windows\SysWOW64\Mfqiingf.exe N/A
File created C:\Windows\SysWOW64\Ipkema32.exe C:\Windows\SysWOW64\Ieeqpi32.exe N/A
File created C:\Windows\SysWOW64\Kebiiiec.dll C:\Windows\SysWOW64\Jnlepioj.exe N/A
File created C:\Windows\SysWOW64\Jhflco32.dll C:\Windows\SysWOW64\Lbjjekhl.exe N/A
File created C:\Windows\SysWOW64\Pfknaf32.dll C:\Windows\SysWOW64\Nddeae32.exe N/A
File created C:\Windows\SysWOW64\Ogjhnp32.exe C:\Windows\SysWOW64\Nifgekbm.exe N/A
File opened for modification C:\Windows\SysWOW64\Opblgehg.exe C:\Windows\SysWOW64\Ohkdfhge.exe N/A
File created C:\Windows\SysWOW64\Eljgid32.dll C:\Windows\SysWOW64\Ieeqpi32.exe N/A
File created C:\Windows\SysWOW64\Njlacdcc.dll C:\Windows\SysWOW64\Kgdiho32.exe N/A
File created C:\Windows\SysWOW64\Hjchkfnl.dll C:\Windows\SysWOW64\Jhmpbc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Igngim32.exe C:\Windows\SysWOW64\Iaaoqf32.exe N/A
File created C:\Windows\SysWOW64\Gagmjgmm.dll C:\Windows\SysWOW64\Igngim32.exe N/A
File created C:\Windows\SysWOW64\Jobocn32.exe C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
File opened for modification C:\Windows\SysWOW64\Jdogldmo.exe C:\Windows\SysWOW64\Jobocn32.exe N/A
File created C:\Windows\SysWOW64\Najgacfg.dll C:\Windows\SysWOW64\Jjnlikic.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhnemdbf.exe C:\Windows\SysWOW64\Nmhqokcq.exe N/A
File created C:\Windows\SysWOW64\Cckcjpkg.dll C:\Windows\SysWOW64\Hhfmbq32.exe N/A
File created C:\Windows\SysWOW64\Mhkhgd32.exe C:\Windows\SysWOW64\Mbopon32.exe N/A
File created C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Iaobkf32.exe N/A
File created C:\Windows\SysWOW64\Jfjjkhhg.exe C:\Windows\SysWOW64\Jfhmehji.exe N/A
File created C:\Windows\SysWOW64\Jcgqbq32.exe C:\Windows\SysWOW64\Jjnlikic.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfopdk32.exe C:\Windows\SysWOW64\Kikokf32.exe N/A
File created C:\Windows\SysWOW64\Mbopon32.exe C:\Windows\SysWOW64\Mblcin32.exe N/A
File created C:\Windows\SysWOW64\Gkbafe32.dll C:\Windows\SysWOW64\Mbopon32.exe N/A
File created C:\Windows\SysWOW64\Nhnemdbf.exe C:\Windows\SysWOW64\Nmhqokcq.exe N/A
File created C:\Windows\SysWOW64\Igngim32.exe C:\Windows\SysWOW64\Iaaoqf32.exe N/A
File created C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Igngim32.exe N/A
File created C:\Windows\SysWOW64\Kpclfokl.dll C:\Windows\SysWOW64\Ipfkabpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfjjkhhg.exe C:\Windows\SysWOW64\Jfhmehji.exe N/A
File opened for modification C:\Windows\SysWOW64\Jngkdj32.exe C:\Windows\SysWOW64\Jdogldmo.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkkhmadd.exe C:\Windows\SysWOW64\Kfopdk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Iaobkf32.exe N/A
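Read together, the "Executes dropped EXE", "Loads dropped DLL" and "Drops file in System32 directory" tables describe a generational chain rather than a single dropper: each stage writes the next .exe plus one DLL into C:\Windows\SysWOW64, runs it, and the run ends at Opblgehg.exe, the last entry in the "Executes dropped EXE" list and the process that WerFault.exe catches in the "Program crash" entry. The script below is an added example, not code from the sandbox report or from the Berbew sample; it rebuilds that chain from a subset of rows copied from the table above. The row layout it assumes (description, indicator path, acting process path, target column, with paths containing no spaces) and the choice to treat "File opened for modification" as a write of the next stage are assumptions about the report's format, not facts the report states.

```python
"""Reconstruct the Berbew drop chain from the sandbox's
"Drops file in System32 directory" rows.

Added example, not code from the sandbox report or from the Berbew sample.
DROP_ROWS is copied from the report; the row layout and the decision to
treat "opened for modification" as a write are assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows copied from the report table. Only a subset is embedded so the
# example stays short; any number of rows in the same layout can be fed in.
DROP_ROWS = r"""
File created C:\Windows\SysWOW64\Ffffpb32.dll C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Iaobkf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Iaobkf32.exe N/A
File created C:\Windows\SysWOW64\Igngim32.exe C:\Windows\SysWOW64\Iaaoqf32.exe N/A
File created C:\Windows\SysWOW64\Gagmjgmm.dll C:\Windows\SysWOW64\Igngim32.exe N/A
File created C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Igngim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Igngim32.exe N/A
File created C:\Windows\SysWOW64\Kpclfokl.dll C:\Windows\SysWOW64\Ipfkabpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Injlkf32.exe C:\Windows\SysWOW64\Ipfkabpg.exe N/A
File created C:\Windows\SysWOW64\Fpdopknp.dll C:\Windows\SysWOW64\Injlkf32.exe N/A
"""

# Both descriptions are treated as "this process wrote that file" (assumption).
WRITE_OPS = ("File created", "File opened for modification")


def parse_row(row):
    """Split one report row into (description, indicator, process, target).

    The last three whitespace-separated fields are the indicator path, the
    acting process path and the target column; everything before them is
    the description. Paths in this report contain no spaces."""
    desc, indicator, process, target = row.rsplit(maxsplit=3)
    return desc, indicator, process, target


def build_drop_graph(rows):
    """Map each writing process (basename) to the .exe and .dll basenames it wrote."""
    drops = defaultdict(lambda: {"exe": set(), "dll": set()})
    for row in rows.strip().splitlines():
        desc, indicator, process, _target = parse_row(row)
        if desc not in WRITE_OPS:
            continue
        written = PureWindowsPath(indicator)
        kind = written.suffix.lower().lstrip(".")
        if kind in ("exe", "dll"):
            drops[PureWindowsPath(process).name][kind].add(written.name)
    return dict(drops)


def walk_chain(drops, root, limit=100):
    """Follow parent -> dropped .exe links from `root`, one generation per step.

    Stops at the first stage that wrote no further .exe, at a name already
    visited (a loop), or after `limit` stages. In this sample every stage
    writes exactly one next-generation .exe, so the walk is a straight line."""
    chain, seen, current = [root], {root}, root
    while len(chain) < limit:
        children = sorted(drops.get(current, {"exe": set()})["exe"] - seen)
        if not children:
            break
        current = children[0]
        chain.append(current)
        seen.add(current)
    return chain


def stage_dlls(drops, chain):
    """DLL(s) each stage in `chain` dropped alongside the next .exe."""
    return {stage: sorted(drops.get(stage, {"dll": set()})["dll"]) for stage in chain}


if __name__ == "__main__":
    graph = build_drop_graph(DROP_ROWS)
    chain = walk_chain(graph, "Iaobkf32.exe")
    print(" -> ".join(chain))
    for stage, dlls in stage_dlls(graph, chain).items():
        print(f"{stage:14} dropped {', '.join(dlls) or '(no DLL in embedded rows)'}")
```

Feeding it the complete table reproduces the Hhadgakg32 ... Opblgehg ordering seen in "Executes dropped EXE". Note that the rows excerpted on this page do not show which .exe the original Backdoor.Win32.Berbew.exe wrote (only its Ffffpb32.dll drop appears), so a walk from the original sample stops after one node until that row is supplied.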

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Opblgehg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kikokf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkkhmadd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfebdm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nddeae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iaaoqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ladpagin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mblcin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipkema32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdogldmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jngkdj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kobkbaac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lajmkhai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hhadgakg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Haleefoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iaobkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jobocn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nahfkigd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hhfmbq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhmpbc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Laackgka.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhkhgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhnemdbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipfkabpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfhmehji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlpngd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieeqpi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nifgekbm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogjhnp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohkdfhge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcgqbq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfqiingf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbginomj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opblgehg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgdiho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfopdk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbopon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjnlikic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfaljjdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbjjekhl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlbgkgcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Holldk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Injlkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Heedqe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfjfik32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igngim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnlepioj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmhqokcq.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpnjfa32.dll" C:\Windows\SysWOW64\Iaaoqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagmjgmm.dll" C:\Windows\SysWOW64\Igngim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mbginomj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmhqokcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbaljk32.dll" C:\Windows\SysWOW64\Nhnemdbf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfebdm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nddeae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogjhnp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmmhm.dll" C:\Windows\SysWOW64\Hhadgakg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ieeqpi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kikokf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmcdhob.dll" C:\Windows\SysWOW64\Ladpagin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ladpagin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iaaoqf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcgqbq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgdiho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooohcdo.dll" C:\Windows\SysWOW64\Heedqe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljgid32.dll" C:\Windows\SysWOW64\Ieeqpi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacmfp32.dll" C:\Windows\SysWOW64\Ipkema32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Injlkf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jobocn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjnlikic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchollj.dll" C:\Windows\SysWOW64\Lajmkhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjkhha.dll" C:\Windows\SysWOW64\Nifgekbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdbbjll.dll" C:\Windows\SysWOW64\Iaobkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdogldmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jnlepioj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbdnonc.dll" C:\Windows\SysWOW64\Kfopdk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mhkhgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nddeae32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Injlkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipkema32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdeao32.dll" C:\Windows\SysWOW64\Jfjjkhhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgacfg.dll" C:\Windows\SysWOW64\Jjnlikic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnlepioj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkkhmadd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lajmkhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbmjldj.dll" C:\Windows\SysWOW64\Nahfkigd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohkdfhge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iaobkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipfkabpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgdiho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbafe32.dll" C:\Windows\SysWOW64\Mbopon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mbopon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohkdfhge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll" C:\Windows\SysWOW64\Nmhqokcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iaaoqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieeqpi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ipkema32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgcacc32.dll" C:\Windows\SysWOW64\Mlpngd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhfmbq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadbgifg.dll" C:\Windows\SysWOW64\Jobocn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jcgqbq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kobkbaac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfopdk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Haleefoe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfqiingf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlbgkgcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlbgkgcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaamhjgm.dll" C:\Windows\SysWOW64\Kobkbaac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" C:\Windows\SysWOW64\Kfaljjdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbjjekhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll" C:\Windows\SysWOW64\Mhkhgd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Hhadgakg.exe
PID 2088 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Hhadgakg.exe
PID 2088 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Hhadgakg.exe
PID 2088 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Hhadgakg.exe
PID 2116 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Hhadgakg.exe C:\Windows\SysWOW64\Holldk32.exe
PID 2116 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Hhadgakg.exe C:\Windows\SysWOW64\Holldk32.exe
PID 2116 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Hhadgakg.exe C:\Windows\SysWOW64\Holldk32.exe
PID 2116 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Hhadgakg.exe C:\Windows\SysWOW64\Holldk32.exe
PID 2900 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Holldk32.exe C:\Windows\SysWOW64\Heedqe32.exe
PID 2900 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Holldk32.exe C:\Windows\SysWOW64\Heedqe32.exe
PID 2900 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Holldk32.exe C:\Windows\SysWOW64\Heedqe32.exe
PID 2900 wrote to memory of 2312 N/A C:\Windows\SysWOW64\Holldk32.exe C:\Windows\SysWOW64\Heedqe32.exe
PID 2312 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Heedqe32.exe C:\Windows\SysWOW64\Haleefoe.exe
PID 2312 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Heedqe32.exe C:\Windows\SysWOW64\Haleefoe.exe
PID 2312 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Heedqe32.exe C:\Windows\SysWOW64\Haleefoe.exe
PID 2312 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Heedqe32.exe C:\Windows\SysWOW64\Haleefoe.exe
PID 2860 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Haleefoe.exe C:\Windows\SysWOW64\Hhfmbq32.exe
PID 2860 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Haleefoe.exe C:\Windows\SysWOW64\Hhfmbq32.exe
PID 2860 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Haleefoe.exe C:\Windows\SysWOW64\Hhfmbq32.exe
PID 2860 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Haleefoe.exe C:\Windows\SysWOW64\Hhfmbq32.exe
PID 2556 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Hhfmbq32.exe C:\Windows\SysWOW64\Iaobkf32.exe
PID 2556 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Hhfmbq32.exe C:\Windows\SysWOW64\Iaobkf32.exe
PID 2556 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Hhfmbq32.exe C:\Windows\SysWOW64\Iaobkf32.exe
PID 2556 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Hhfmbq32.exe C:\Windows\SysWOW64\Iaobkf32.exe
PID 2964 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Iaobkf32.exe C:\Windows\SysWOW64\Iaaoqf32.exe
PID 2964 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Iaobkf32.exe C:\Windows\SysWOW64\Iaaoqf32.exe
PID 2964 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Iaobkf32.exe C:\Windows\SysWOW64\Iaaoqf32.exe
PID 2964 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Iaobkf32.exe C:\Windows\SysWOW64\Iaaoqf32.exe
PID 2540 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Igngim32.exe
PID 2540 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Igngim32.exe
PID 2540 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Igngim32.exe
PID 2540 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Iaaoqf32.exe C:\Windows\SysWOW64\Igngim32.exe
PID 1564 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Igngim32.exe C:\Windows\SysWOW64\Ipfkabpg.exe
PID 1564 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Igngim32.exe C:\Windows\SysWOW64\Ipfkabpg.exe
PID 1564 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Igngim32.exe C:\Windows\SysWOW64\Ipfkabpg.exe
PID 1564 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Igngim32.exe C:\Windows\SysWOW64\Ipfkabpg.exe
PID 2896 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Injlkf32.exe
PID 2896 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Injlkf32.exe
PID 2896 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Injlkf32.exe
PID 2896 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Ipfkabpg.exe C:\Windows\SysWOW64\Injlkf32.exe
PID 2864 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Injlkf32.exe C:\Windows\SysWOW64\Ieeqpi32.exe
PID 2864 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Injlkf32.exe C:\Windows\SysWOW64\Ieeqpi32.exe
PID 2864 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Injlkf32.exe C:\Windows\SysWOW64\Ieeqpi32.exe
PID 2864 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Injlkf32.exe C:\Windows\SysWOW64\Ieeqpi32.exe
PID 2236 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ieeqpi32.exe C:\Windows\SysWOW64\Ipkema32.exe
PID 2236 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ieeqpi32.exe C:\Windows\SysWOW64\Ipkema32.exe
PID 2236 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ieeqpi32.exe C:\Windows\SysWOW64\Ipkema32.exe
PID 2236 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ieeqpi32.exe C:\Windows\SysWOW64\Ipkema32.exe
PID 1080 wrote to memory of 1684 N/A C:\Windows\SysWOW64\Ipkema32.exe C:\Windows\SysWOW64\Jfhmehji.exe
PID 1080 wrote to memory of 1684 N/A C:\Windows\SysWOW64\Ipkema32.exe C:\Windows\SysWOW64\Jfhmehji.exe
PID 1080 wrote to memory of 1684 N/A C:\Windows\SysWOW64\Ipkema32.exe C:\Windows\SysWOW64\Jfhmehji.exe
PID 1080 wrote to memory of 1684 N/A C:\Windows\SysWOW64\Ipkema32.exe C:\Windows\SysWOW64\Jfhmehji.exe
PID 1684 wrote to memory of 1044 N/A C:\Windows\SysWOW64\Jfhmehji.exe C:\Windows\SysWOW64\Jfjjkhhg.exe
PID 1684 wrote to memory of 1044 N/A C:\Windows\SysWOW64\Jfhmehji.exe C:\Windows\SysWOW64\Jfjjkhhg.exe
PID 1684 wrote to memory of 1044 N/A C:\Windows\SysWOW64\Jfhmehji.exe C:\Windows\SysWOW64\Jfjjkhhg.exe
PID 1684 wrote to memory of 1044 N/A C:\Windows\SysWOW64\Jfhmehji.exe C:\Windows\SysWOW64\Jfjjkhhg.exe
PID 1044 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Jfjjkhhg.exe C:\Windows\SysWOW64\Jobocn32.exe
PID 1044 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Jfjjkhhg.exe C:\Windows\SysWOW64\Jobocn32.exe
PID 1044 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Jfjjkhhg.exe C:\Windows\SysWOW64\Jobocn32.exe
PID 1044 wrote to memory of 1372 N/A C:\Windows\SysWOW64\Jfjjkhhg.exe C:\Windows\SysWOW64\Jobocn32.exe
PID 1372 wrote to memory of 832 N/A C:\Windows\SysWOW64\Jobocn32.exe C:\Windows\SysWOW64\Jdogldmo.exe
PID 1372 wrote to memory of 832 N/A C:\Windows\SysWOW64\Jobocn32.exe C:\Windows\SysWOW64\Jdogldmo.exe
PID 1372 wrote to memory of 832 N/A C:\Windows\SysWOW64\Jobocn32.exe C:\Windows\SysWOW64\Jdogldmo.exe
PID 1372 wrote to memory of 832 N/A C:\Windows\SysWOW64\Jobocn32.exe C:\Windows\SysWOW64\Jdogldmo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Hhadgakg.exe

C:\Windows\system32\Hhadgakg.exe

C:\Windows\SysWOW64\Holldk32.exe

C:\Windows\system32\Holldk32.exe

C:\Windows\SysWOW64\Heedqe32.exe

C:\Windows\system32\Heedqe32.exe

C:\Windows\SysWOW64\Haleefoe.exe

C:\Windows\system32\Haleefoe.exe

C:\Windows\SysWOW64\Hhfmbq32.exe

C:\Windows\system32\Hhfmbq32.exe

C:\Windows\SysWOW64\Iaobkf32.exe

C:\Windows\system32\Iaobkf32.exe

C:\Windows\SysWOW64\Iaaoqf32.exe

C:\Windows\system32\Iaaoqf32.exe

C:\Windows\SysWOW64\Igngim32.exe

C:\Windows\system32\Igngim32.exe

C:\Windows\SysWOW64\Ipfkabpg.exe

C:\Windows\system32\Ipfkabpg.exe

C:\Windows\SysWOW64\Injlkf32.exe

C:\Windows\system32\Injlkf32.exe

C:\Windows\SysWOW64\Ieeqpi32.exe

C:\Windows\system32\Ieeqpi32.exe

C:\Windows\SysWOW64\Ipkema32.exe

C:\Windows\system32\Ipkema32.exe

C:\Windows\SysWOW64\Jfhmehji.exe

C:\Windows\system32\Jfhmehji.exe

C:\Windows\SysWOW64\Jfjjkhhg.exe

C:\Windows\system32\Jfjjkhhg.exe

C:\Windows\SysWOW64\Jobocn32.exe

C:\Windows\system32\Jobocn32.exe

C:\Windows\SysWOW64\Jdogldmo.exe

C:\Windows\system32\Jdogldmo.exe

C:\Windows\SysWOW64\Jngkdj32.exe

C:\Windows\system32\Jngkdj32.exe

C:\Windows\SysWOW64\Jhmpbc32.exe

C:\Windows\system32\Jhmpbc32.exe

C:\Windows\SysWOW64\Jjnlikic.exe

C:\Windows\system32\Jjnlikic.exe

C:\Windows\SysWOW64\Jcgqbq32.exe

C:\Windows\system32\Jcgqbq32.exe

C:\Windows\SysWOW64\Jnlepioj.exe

C:\Windows\system32\Jnlepioj.exe

C:\Windows\SysWOW64\Kgdiho32.exe

C:\Windows\system32\Kgdiho32.exe

C:\Windows\SysWOW64\Kfjfik32.exe

C:\Windows\system32\Kfjfik32.exe

C:\Windows\SysWOW64\Kobkbaac.exe

C:\Windows\system32\Kobkbaac.exe

C:\Windows\SysWOW64\Kikokf32.exe

C:\Windows\system32\Kikokf32.exe

C:\Windows\SysWOW64\Kfopdk32.exe

C:\Windows\system32\Kfopdk32.exe

C:\Windows\SysWOW64\Kkkhmadd.exe

C:\Windows\system32\Kkkhmadd.exe

C:\Windows\SysWOW64\Kfaljjdj.exe

C:\Windows\system32\Kfaljjdj.exe

C:\Windows\SysWOW64\Lajmkhai.exe

C:\Windows\system32\Lajmkhai.exe

C:\Windows\SysWOW64\Lbjjekhl.exe

C:\Windows\system32\Lbjjekhl.exe

C:\Windows\SysWOW64\Laackgka.exe

C:\Windows\system32\Laackgka.exe

C:\Windows\SysWOW64\Ladpagin.exe

C:\Windows\system32\Ladpagin.exe

C:\Windows\SysWOW64\Mfqiingf.exe

C:\Windows\system32\Mfqiingf.exe

C:\Windows\SysWOW64\Mbginomj.exe

C:\Windows\system32\Mbginomj.exe

C:\Windows\SysWOW64\Mlpngd32.exe

C:\Windows\system32\Mlpngd32.exe

C:\Windows\SysWOW64\Mfebdm32.exe

C:\Windows\system32\Mfebdm32.exe

C:\Windows\SysWOW64\Mblcin32.exe

C:\Windows\system32\Mblcin32.exe

C:\Windows\SysWOW64\Mbopon32.exe

C:\Windows\system32\Mbopon32.exe

C:\Windows\SysWOW64\Mhkhgd32.exe

C:\Windows\system32\Mhkhgd32.exe

C:\Windows\SysWOW64\Nmhqokcq.exe

C:\Windows\system32\Nmhqokcq.exe

C:\Windows\SysWOW64\Nhnemdbf.exe

C:\Windows\system32\Nhnemdbf.exe

C:\Windows\SysWOW64\Nddeae32.exe

C:\Windows\system32\Nddeae32.exe

C:\Windows\SysWOW64\Nahfkigd.exe

C:\Windows\system32\Nahfkigd.exe

C:\Windows\SysWOW64\Nlbgkgcc.exe

C:\Windows\system32\Nlbgkgcc.exe

C:\Windows\SysWOW64\Nifgekbm.exe

C:\Windows\system32\Nifgekbm.exe

C:\Windows\SysWOW64\Ogjhnp32.exe

C:\Windows\system32\Ogjhnp32.exe

C:\Windows\SysWOW64\Ohkdfhge.exe

C:\Windows\system32\Ohkdfhge.exe

C:\Windows\SysWOW64\Opblgehg.exe

C:\Windows\system32\Opblgehg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 140

Network

N/A

Files

memory/2088-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hhadgakg.exe

MD5 7195829db8bf12a4813e3763a83511ed
SHA1 1b931edb5b82284770991a4878417d8d3ab67f93
SHA256 8c433161b5a42547681346a06cec60bacdcc6e0754ec82a6d55636ee69f14d03
SHA512 4290c4ff4cc51f66270b169d00d0d25ec4ae5f3fa4e3a039d2e016c1dac4e7aa99a97bd3a85e5f1fbd96bbdab31dd454e07986bb365bf04f421cdd5eeb2bb733

C:\Windows\SysWOW64\Holldk32.exe

MD5 b23d554fdeb3b3711ef8833446069ddd
SHA1 9b269ebd455c4c7583133898794045d3cf32cf3b
SHA256 6f6004f28ea4bc61f8f73ec7328685591f37cc8c17ba17c37344f412b3a9186b
SHA512 fdd9a47f19082b5d1943612dac6daf7bef2d8b1b934bfef8a19b18c82f1b39d8121af44472332d2f388a8bfd6c2c97555ccc95a0aefb16fcf382de1cecdc8c7b

memory/2900-35-0x0000000000260000-0x00000000002A0000-memory.dmp

C:\Windows\SysWOW64\Heedqe32.exe

MD5 7fa0f7b09f7e25b736f76b79149d894d
SHA1 26b9a350d690e1727bb46f8fd657baff91fb5d2e
SHA256 0b29f1c893adbd383471e0b0132857c8a0f43426bba8bb7e5552e61b51e94a8b
SHA512 f2d12e839a4c3a8944fe8d6bcd455f28e9bc9499db0387e51ef47906d923d2ba8c2e97df4c084673d1ca32af84c51655343134aaca7d0d16f636c284aba35c51

C:\Windows\SysWOW64\Haleefoe.exe

MD5 de98010b4334bce9075ddb516ed376d3
SHA1 d51eb21a309f83aa64168aaac4dbafe0c51dc2af
SHA256 62e17a10e427e33275b303b9947c4c55cb5763a03b3b629402c4801e27f34f6d
SHA512 3b1814e05593200e84e7b7e6af1ea0393dcf520597bd4f56b9854279aac7f432c128dd64a4b6d4b765c2006d4dce9b6e4d5ed8f3daa9e5ef480c09a7e1470482

C:\Windows\SysWOW64\Hhfmbq32.exe

MD5 b34338e898c8b2be23d692adf797640d
SHA1 f6f149ab1e8cb0409107c152bce22f38811d36f3
SHA256 45515a70a211df4c6db8100910b05400b5a729f1ac4b27731e09a4bb28f4a3c0
SHA512 85e56293d909107ac7e3be7bfa228f4b17675285bcf7b3320d364072ee1fff1c00962ab536fa7e57568712686c5f7d4a058f1bf372019b843169cf9e268e3db4

\Windows\SysWOW64\Iaobkf32.exe

MD5 72cb993e3185f92fab80eedeb9c9d87f
SHA1 7712333c5706c21cd409b5aed954ef49e9aeeeca
SHA256 cae49ff35513abcaea37a8fc5f99953127ab46ceb8dfc2e1644279b80fcc30e9
SHA512 f4d3b4befbb57f50ddb25812f1bb9baee89d7ca6aa7134960fd77aeaeb744d26708b9420050c06be498e6e655bedc16b0c14c5547092d8588eb2cb99992f061c

memory/2964-79-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Iaaoqf32.exe

MD5 f9e3bc9c3c2b2cf36817dc99f2857fe9
SHA1 86a32f6d85d613eccb66b5aebe699d24f95304a6
SHA256 234ba35f9b5449ce08d75e40ed850b86b7fff238a6221411eee4fd5faf71d626
SHA512 2ef6ed6ffdcb058e6a9c4ea688ac24a5d9800e139c826e8ae611baa38867de497b55ae97b8c4c2ed2b6d4bca143a92d7edbb1e6e8b71b452bf7ef4a2fcf8619e

\Windows\SysWOW64\Igngim32.exe

MD5 50cc3bd6b6c7d4e271145be85bc46220
SHA1 edaa0d89038451e4ae42f75334e3ec7de5e049d9
SHA256 337223b0724138f98b1b3c470cb7671208990f4bd6734f63b6fb8358e7c07c92
SHA512 dbf6f7869bbcf0316d34f03508b5ba6a5e2a4a52284a1cb4b44cb0a5035829ea2539c48519c33fc948d96debd1b8d6eba3eb13877cebbccdda87b41d663a528d

memory/1564-106-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Ipfkabpg.exe

MD5 c73443cb91c06073f2f55f4b43c8ef4f
SHA1 0fe07ec12bf759094af5d364d8a97a660082fcb6
SHA256 f6fd3eb088ec8385d7982402f7a1c0d09e2e1ee52c1e1fbad4da58ad887bc1d0
SHA512 a0db0e186bf214e295af93c8ff65d6d4840c79e56f24dcf988d9aeafb9778d31c0ab6fa307231b000f490daadb253976495cf0262216809c2e2e7c2ffc637e1a

memory/1564-114-0x0000000000220000-0x0000000000260000-memory.dmp

\Windows\SysWOW64\Injlkf32.exe

MD5 7e33a20f315fb62032f20958c0e61558
SHA1 dfa4985592b5778bf92a035e2ffeeeb56cfee2c9
SHA256 628ac20874a60db4d76bc9fc73f3a09f034c35e836c59d2c9239a59f2182bd06
SHA512 36c647f5fcdf033f59ed2df298110fff57154b857fa9561bd6a96353b48d63fedddef1aaa9a6fcd35873e38274a1df0e55cb33f2a96cc6110f73a4b337a5ecdc

memory/2864-140-0x0000000000220000-0x0000000000260000-memory.dmp

C:\Windows\SysWOW64\Ieeqpi32.exe

MD5 8484a9f2b27088983117665502333b64
SHA1 800d18f3d0629eb3caafea63f9cbf7424f6c5806
SHA256 6e5f51923316fe32c5e2e5dcd8b1c55f92ae97385b5992c3a536a1eae683786b
SHA512 2bd8d19e2c6cf2b99bc588345c6499f57ca5c45d6a1ff8cb5ff2900f0daeae5f24db6a49888d0016de24f57ca8e7e9f1935b914e71731af713aed89f1b875627

C:\Windows\SysWOW64\Ipkema32.exe

MD5 98ce1e96043ecc9746d19cf00e3e6fc8
SHA1 d087ba5df67d0f2c70dc0c2e3091dbc86a75dea3
SHA256 5df6626cf4831a79ca084e71b871ebc345960474930d2ad99649606ff2648ad8
SHA512 44145a490cd9dd4dc9c0f27cfd6753c25881fff79701be3943a98f8349c2a34e5af76681a8905f55b5b8459e4052c5392c97200effb7ec5b106919b490287763

memory/1080-166-0x00000000002C0000-0x0000000000300000-memory.dmp

\Windows\SysWOW64\Jfhmehji.exe

MD5 8d8abfe81bd9075c9405f554dc3d4de7
SHA1 9212e07da635ff9142cabeee80b64a6f85682c09
SHA256 bea8ef900237fa55c1b10c9a8cf0d8e8493158862bbb6de8047d309842f613a7
SHA512 3fdd2af4719547c09d5f04cf8caa7215c87b245d12bc4fcb41154eedeb8c0de41cb37908053bfdba7463c59db9d84e84eb1914d152373bdf5aa7d581a5c43cc2

\Windows\SysWOW64\Jfjjkhhg.exe

MD5 751e537c038169db2796659ccba41019
SHA1 ade288c9d36c477999e0ca82a7624c8f52ed2e79
SHA256 4b280ad531abf31834a549b1fe30234873f0caae00c7da2b630473a27014cebe
SHA512 799d74547fd69a7f6b9c29a0ae93e3d534bfa89525c4a15739161990eb6b2de9d4d771d160bebca48f1926c37f1d37857a1fae8588f0f28f530f11903ac31710

\Windows\SysWOW64\Jobocn32.exe

MD5 ad440e02d3a2dc57f3ae6079cbcfb2ad
SHA1 a97b14e6b98a5fb9c8f399cb215716cd9e56300e
SHA256 ebfabebfe80bb8e4deedf9cc88f28655e2837479b962f4a10bc8e26797bb9e93
SHA512 ba8f14de3ec3a47bac128e1730ba833baa2c2f907dcd9cf01e26e81b39ee027f043924335598eef9b70745fce290e60694d4da9082fc2382f29be6a8706811b6

C:\Windows\SysWOW64\Jdogldmo.exe

MD5 59f59e92e756ed625c099108749b8b03
SHA1 f881b03140033b6b00b3889f0ff595438ab30b4a
SHA256 9f4ba5bb050e19f6cacd1eb57d635a40d091f1e0b9d0deac7fa05257c7a7aba2
SHA512 1217995252494f1ac6efc69b6247ecd31dcf6933e6296acfcc4e9ff6e93607163ec4bd9c57c6e1331f21374af97ae9ef2294b2c11734a8de99d0fe60d57ba73c

memory/832-219-0x00000000001C0000-0x0000000000200000-memory.dmp

C:\Windows\SysWOW64\Jngkdj32.exe

MD5 f1eed7aedf4fae36ba0ecad2c8c7f476
SHA1 da2562c407b0d7a29549a50ab4fbb032c919099a
SHA256 7fb96f286ed4c3c177243a51f4fb741964ece482b493273ce9917e98f09eef64
SHA512 1dfbccb543d3a9489119d2372203e61469b06644758ba43499a86d3c9280ad3d0044e8ce8154738dab30f863130657971175f6198f64147c7b41a40c0a5410e2

memory/832-212-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jhmpbc32.exe

MD5 1386fafec755c9a432237e0d0918fc4d
SHA1 c6786aa72ed426e4926c4149d7873884c7c3ab08
SHA256 8e1a1b18ae536139048618ac96a9e3f410b35a80c3bd938fc799432425dab568
SHA512 81a10df7c634ab37b18a52dd4c04c74979d9438dd937f2a6112ac64ee54cfee9daf0598e915aa7bc2428c8560f81f5235bb8d1dab5fddf624395e0983900ce0a

memory/820-238-0x00000000003B0000-0x00000000003F0000-memory.dmp

memory/1060-232-0x00000000002A0000-0x00000000002E0000-memory.dmp

C:\Windows\SysWOW64\Jjnlikic.exe

MD5 808aa2100a45b4415f5b40856423e417
SHA1 16cc4fbf4f36fd1ff5299945e994ca08262b7db8
SHA256 77395feddfe97ad96734c92ea41a629b55d55346b494dafbb4ca7ffad88a8e69
SHA512 c9fe7817f584625dd4913a80e7a9d2d5b834fa51f4b9ad2a0c8b91674da6df0ad19ae7f4e07a83475bca00bfa6d07018e772ed1502ec75bfe6f7d14fd6541c20

memory/820-242-0x00000000003B0000-0x00000000003F0000-memory.dmp

C:\Windows\SysWOW64\Jcgqbq32.exe

MD5 062c809412619aa7ab3aa015d4afc9b4
SHA1 b6e59c1e90e5f823298f85061681abad00702d09
SHA256 36d1bafa777bfde9b9a42cac1c0bc4a3a73532bcec4e02465c57ef3f8425a7d1
SHA512 67b17dcfc71a09fcc7709e9e49741e3bd84fe82619194544d2d5a6ff21d488fc3e03abbbd12a9444f22f4758d23b7d6612216693ea0761f29da00f1233e15a2f

memory/1732-253-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kgdiho32.exe

MD5 19183ff76010edb58e94573917a8f2b6
SHA1 29c908a19d925e0a6eec7e6cff3cd872fc723acd
SHA256 596c64d8c0b4f0cde2a84e0f021879586ecf3c7c9015c2c13db64e50a30a76d3
SHA512 6b2ecda7b9a9585b33ead8bbee14d6dfc9742a4125587e32a3bb46311a2654ab356cb1c82f77c4368665fcd2f9a8028df36df08ba067b32f3e9712f3eb081b91

memory/2224-272-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2224-268-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/2224-262-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kfjfik32.exe

MD5 dcef31c32af2ccd83b8f8d8b36f3efc4
SHA1 878f9e34c0fc5a36542a454d964bf219fc63a0c2
SHA256 c5be54f3b08e2458916890ec5d1dd997922e3f79e42d25bcb98459f1b13ab585
SHA512 4c379e51ae5406fc1c5a99a7427c0fd2c5b09794a822e31e9657f5e6cdb8e790e9822ccb42c98dfb4a2ef2d71b300b3978b4a42ac28a287aacda436ac134c498

memory/2988-283-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2988-292-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1940-303-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1616-308-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2648-319-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2648-326-0x00000000003C0000-0x0000000000400000-memory.dmp

memory/2648-325-0x00000000003C0000-0x0000000000400000-memory.dmp

memory/1536-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2800-342-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lajmkhai.exe

MD5 eb8ccb093de71b31a846ec5d845aad5f
SHA1 3c30612dd897f6498cfccfd93b3d52db8fbc49b1
SHA256 a2096e6766e12c0572f7b2a5ecef353af60e1e8d39830bce01360e615e4046ea
SHA512 7136370938e4e7c7c0215a429189c460be357c399e95a9efc6b39b4ec7dea728e90270f241a1be038d61b9d1834039a60fe649d7905f4705237868af998b8973

memory/2800-347-0x00000000003A0000-0x00000000003E0000-memory.dmp

memory/2116-351-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lbjjekhl.exe

MD5 6149ab92c0b72a2eb0de22271b7cc663
SHA1 f6a25c4bc10d9b66b1b2b8aa255421b554f2c397
SHA256 88e13f7a06368e12e706cd2818f2ec61d8cddee726d4bba62b8575286f6ae03c
SHA512 d07aef90e5de1a49ca6d7bdf647a247d1ecca8d7712f73152fc460158c81ae9c6301d2103329dcbd4cbd91f87c1adc26cf01ff46d78cc6a1f3f5f8d1c50c0a85

memory/2888-361-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2804-360-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2088-350-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2888-367-0x0000000000440000-0x0000000000480000-memory.dmp

C:\Windows\SysWOW64\Laackgka.exe

MD5 a429b5b9bf8848b0ec9fe4481b7ed803
SHA1 68a04be5711a91f1a8d0e782d86b450d24e6dddd
SHA256 e44fa7a6a7214b99d99d565b21d9b4fea22f7b6056e55d128ee9b82edcd9c516
SHA512 ed1933dba52816ee90b9c275efb9c57898d20dc1ed45a499ae1b7f07ca3317fb54b94f4dd6717e473c6debd35cabd594c70d542239e04d7aec11ccacaac57e89

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 10:41

Reported

2024-09-16 10:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ikpaldog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oneklm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bclhhnca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldanqkki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieolehop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jblpek32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amddjegd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Balpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbhoqj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mplhql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojllan32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldleel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdckfk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olcbmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmppcbjd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbmhlihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lmgfda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipdqba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Liimncmf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ildkgc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpjcdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngdmod32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnonbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gicinj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hfifmnij.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iicbehnq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nphhmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfmajipb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcijeb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kefkme32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibjjhn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiefcj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbeqmoji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmemac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Delnin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hflcbngh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aclpap32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pqmjog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iblfnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afjlnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Opakbi32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Gfembo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gicinj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmoeoidl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gomakdcp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfgjgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiefcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hopnqdan.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfifmnij.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmcojh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkfoeega.exe N/A
N/A N/A C:\Windows\SysWOW64\Hflcbngh.exe N/A
N/A N/A C:\Windows\SysWOW64\Hijooifk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmfkoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Himldi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hofdacke.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbeqmoji.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcdmga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iefioj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikpaldog.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibjjhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iicbehnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikbnacmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Iblfnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iejcji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ildkgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ickchq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifjodl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iihkpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipbdmaah.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieolehop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipdqba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icplcpgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfoiokfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmhale32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbeidl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jedeph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmknaell.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlnnmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhfjljd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jefbfgig.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmmjgejj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcgbco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfeopj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jidklf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlbgha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jblpek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeklag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlednamo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcllonma.exe N/A
N/A N/A C:\Windows\SysWOW64\Kboljk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kiidgeki.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpbmco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbaipkbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Kikame32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmfmmcbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbceejpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfoafi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kimnbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmijbcpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfankifm.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpjcdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbhoqj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kefkme32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Gebgohck.dll C:\Windows\SysWOW64\Kdgljmcd.exe N/A
File created C:\Windows\SysWOW64\Nnneknob.exe C:\Windows\SysWOW64\Njciko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmjdjgjo.exe C:\Windows\SysWOW64\Hbeqmoji.exe N/A
File opened for modification C:\Windows\SysWOW64\Opakbi32.exe C:\Windows\SysWOW64\Oncofm32.exe N/A
File created C:\Windows\SysWOW64\Qoecnk32.dll C:\Windows\SysWOW64\Kiidgeki.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncdgcf32.exe C:\Windows\SysWOW64\Nljofl32.exe N/A
File created C:\Windows\SysWOW64\Ciopbjik.dll C:\Windows\SysWOW64\Pmfhig32.exe N/A
File created C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cfmajipb.exe N/A
File created C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cmqmma32.exe N/A
File created C:\Windows\SysWOW64\Kpjcdn32.exe C:\Windows\SysWOW64\Kfankifm.exe N/A
File opened for modification C:\Windows\SysWOW64\Kefkme32.exe C:\Windows\SysWOW64\Kbhoqj32.exe N/A
File created C:\Windows\SysWOW64\Keajjc32.dll C:\Windows\SysWOW64\Hmjdjgjo.exe N/A
File created C:\Windows\SysWOW64\Jfoiokfb.exe C:\Windows\SysWOW64\Icplcpgo.exe N/A
File created C:\Windows\SysWOW64\Jlnnmb32.exe C:\Windows\SysWOW64\Jmknaell.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Lllcen32.exe N/A
File created C:\Windows\SysWOW64\Olcbmj32.exe C:\Windows\SysWOW64\Nnqbanmo.exe N/A
File opened for modification C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Oneklm32.exe N/A
File created C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hbeqmoji.exe C:\Windows\SysWOW64\Hofdacke.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hflcbngh.exe C:\Windows\SysWOW64\Hkfoeega.exe N/A
File created C:\Windows\SysWOW64\Bbjiol32.dll C:\Windows\SysWOW64\Megdccmb.exe N/A
File created C:\Windows\SysWOW64\Ngmgne32.exe C:\Windows\SysWOW64\Ndokbi32.exe N/A
File created C:\Windows\SysWOW64\Knfoif32.dll C:\Windows\SysWOW64\Oflgep32.exe N/A
File created C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Gicinj32.exe C:\Windows\SysWOW64\Gfembo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ikbnacmd.exe C:\Windows\SysWOW64\Iicbehnq.exe N/A
File created C:\Windows\SysWOW64\Ikbnacmd.exe C:\Windows\SysWOW64\Iicbehnq.exe N/A
File created C:\Windows\SysWOW64\Bhaomhld.dll C:\Windows\SysWOW64\Kpbmco32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kimnbd32.exe C:\Windows\SysWOW64\Kfoafi32.exe N/A
File created C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Ldleel32.exe N/A
File created C:\Windows\SysWOW64\Lnlden32.dll C:\Windows\SysWOW64\Pfolbmje.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qqfmde32.exe N/A
File created C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Qgcbgo32.exe N/A
File created C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkfoeega.exe C:\Windows\SysWOW64\Hmcojh32.exe N/A
File created C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Chjaol32.exe N/A
File created C:\Windows\SysWOW64\Djdmffnn.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Kjqkei32.dll C:\Windows\SysWOW64\Ikbnacmd.exe N/A
File created C:\Windows\SysWOW64\Memcpg32.dll C:\Windows\SysWOW64\Jidklf32.exe N/A
File created C:\Windows\SysWOW64\Ndokbi32.exe C:\Windows\SysWOW64\Mnebeogl.exe N/A
File created C:\Windows\SysWOW64\Eiojlkkj.dll C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Iphcjp32.dll C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Maickled.dll C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Jiopcppf.dll C:\Windows\SysWOW64\Jbeidl32.exe N/A
File created C:\Windows\SysWOW64\Kbaipkbi.exe C:\Windows\SysWOW64\Kpbmco32.exe N/A
File created C:\Windows\SysWOW64\Nnjlpo32.exe C:\Windows\SysWOW64\Njnpppkn.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfjjppmm.exe C:\Windows\SysWOW64\Nckndeni.exe N/A
File created C:\Windows\SysWOW64\Laqpgflj.dll C:\Windows\SysWOW64\Qddfkd32.exe N/A
File created C:\Windows\SysWOW64\Jmmmebhb.dll C:\Windows\SysWOW64\Aclpap32.exe N/A
File created C:\Windows\SysWOW64\Ihidlk32.dll C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Jbpbca32.dll C:\Windows\SysWOW64\Delnin32.exe N/A
File created C:\Windows\SysWOW64\Jcgbco32.exe C:\Windows\SysWOW64\Jmmjgejj.exe N/A
File created C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Oneklm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Acjclpcf.exe N/A
File created C:\Windows\SysWOW64\Oflgep32.exe C:\Windows\SysWOW64\Ogifjcdp.exe N/A
File created C:\Windows\SysWOW64\Deeiam32.dll C:\Windows\SysWOW64\Pgioqq32.exe N/A
File created C:\Windows\SysWOW64\Ickchq32.exe C:\Windows\SysWOW64\Ildkgc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmijbcpl.exe C:\Windows\SysWOW64\Kimnbd32.exe N/A
File created C:\Windows\SysWOW64\Kiljkifg.dll C:\Windows\SysWOW64\Mlcifmbl.exe N/A
File created C:\Windows\SysWOW64\Nloiakho.exe C:\Windows\SysWOW64\Njqmepik.exe N/A
File created C:\Windows\SysWOW64\Lqnjfo32.dll C:\Windows\SysWOW64\Qmkadgpo.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kimnbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfkaag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hofdacke.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlnnmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofeilobp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hbeqmoji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmgfda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfoiokfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jidklf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Medgncoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgfqmfde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nljofl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndhmhh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amgapeea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbhoqj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llcpoo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oncofm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Banllbdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfembo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbhfjljd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajanck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gicinj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oflgep32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pncgmkmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hkfoeega.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmfmmcbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nloiakho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aclpap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caebma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jefbfgig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Megdccmb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acqimo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icplcpgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbmhlihl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njqmepik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Himldi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iicbehnq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deagdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jedeph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcbmka32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbeidl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qddfkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmppcbjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Menjdbgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnonbk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmfkoh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kefkme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgqeappe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbaipkbi.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmfkoh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iihkpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll" C:\Windows\SysWOW64\Icplcpgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" C:\Windows\SysWOW64\Kplpjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldanqkki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngdmod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbaipkbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll" C:\Windows\SysWOW64\Qfcfml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoncahj.dll" C:\Windows\SysWOW64\Hmfkoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jlednamo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfkaag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnlaml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiefcj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcdmga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iblfnn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pcbmka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amddjegd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmemac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laffdj32.dll" C:\Windows\SysWOW64\Himldi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Melnob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll" C:\Windows\SysWOW64\Menjdbgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" C:\Windows\SysWOW64\Balpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bclhhnca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ipdqba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npmagine.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pqdqof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agoabn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll" C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbcdnbb.dll" C:\Windows\SysWOW64\Gfembo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnpbjmi.dll" C:\Windows\SysWOW64\Hcdmga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iihkpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll" C:\Windows\SysWOW64\Jedeph32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpbmco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll" C:\Windows\SysWOW64\Olcbmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npmagine.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll" C:\Windows\SysWOW64\Oflgep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnebeogl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ambgef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll" C:\Windows\SysWOW64\Kfoafi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldoaklml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll" C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pncgmkmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqfmde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfkaag32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajckij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Himldi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll" C:\Windows\SysWOW64\Hofdacke.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kimnbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll" C:\Windows\SysWOW64\Lmgfda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll" C:\Windows\SysWOW64\Pfolbmje.exe N/A
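Added example (not part of the sandbox report and not code from the Berbew sample): every row above is a write to the same CLSID's InProcServer32 key, with ThreadingModel set to "Apartment" and the default value rotated through a series of dropped DLLs in SysWow64, so whatever resolves that CLSID will load the DLL written last. The script parses rows copied from the table, groups the writes by CLSID (DLLs registered, threading model, writing processes), and flags server DLLs that sit in the Windows system directory under the naming pattern every dropped file in this report follows (one capital letter, then seven lower-case letters or five lower-case letters and "32"). The CLSID regex and the name pattern are assumptions derived from this report only, not a general Berbew signature; the column parsing assumes the flattened "Description Indicator Process Target" layout used on this page.

```python
"""Extract the COM in-process-server registration written under the
Berbew CLSID from the "Modifies registry class" rows of this report."""
import re
from collections import defaultdict

# Rows excerpted verbatim from the "Modifies registry class" table above
# (Description / Indicator / Process / Target flattened onto one line).
ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmfkoh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iihkpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll" C:\Windows\SysWOW64\Icplcpgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" C:\Windows\SysWOW64\Kplpjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll" C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll" C:\Windows\SysWOW64\Pfolbmje.exe N/A
"""

# "Set value (str) <key>\<valuename> = "<data>" <process> <target>"; the
# default value of a key shows up as an empty <valuename>.
SET_RE = re.compile(
    r'^Set value \(str\) (?P<key>\S+)\\(?P<name>\w*) = "(?P<data>[^"]*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\S+) (?P<proc>\S+) (?P<target>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# Assumption drawn from this report: every dropped EXE/DLL name is one
# capital letter followed by seven lower-case letters, or by five and "32".
DROPPED_NAME_RE = re.compile(r'^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$')


def parse_rows(text):
    """Yield one dict per parseable row; registry data keeps the report's
    doubled backslashes, so they are collapsed to real paths here."""
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            yield {"kind": "set", "key": m["key"], "name": m["name"],
                   "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]}
            continue
        m = KEY_RE.match(line)
        if m:
            yield {"kind": "create", "key": m["key"], "name": None,
                   "data": None, "proc": m["proc"]}


def com_registrations(text):
    """Group InProcServer32 writes by CLSID: which DLLs were registered as
    its in-process server, with which threading model, by which processes."""
    regs = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    for row in parse_rows(text):
        clsid = CLSID_RE.search(row["key"])
        if not clsid or not row["key"].endswith("InProcServer32"):
            continue
        reg = regs[clsid.group(0)]
        reg["writers"].add(row["proc"])
        if row["kind"] == "set" and row["name"] == "":
            reg["dlls"].add(row["data"])
        elif row["kind"] == "set" and row["name"] == "ThreadingModel":
            reg["threading"].add(row["data"])
    return {c: {k: sorted(v) for k, v in r.items()} for c, r in regs.items()}


def suspicious_servers(regs):
    """(clsid, dll) pairs whose server DLL lives in the Windows system
    directory and carries the dropped-file naming pattern; these are the
    registry values to hunt for on other hosts."""
    hits = []
    for clsid, reg in regs.items():
        for dll in reg["dlls"]:
            folder, _, name = dll.rpartition("\\")
            if (folder.lower() in (r"c:\windows\syswow64", r"c:\windows\system32")
                    and DROPPED_NAME_RE.match(name)):
                hits.append((clsid, dll))
    return hits


if __name__ == "__main__":
    regs = com_registrations(ROWS)
    for clsid, reg in regs.items():
        print(clsid, "threading:", reg["threading"], "writers:", len(reg["writers"]))
        for dll in reg["dlls"]:
            print("  server:", dll)
    for clsid, dll in suspicious_servers(regs):
        print("HUNT", clsid, dll)
```

Feeding the script the full table rather than the excerpt gives the complete list of DLL names the sample registered during the run; on a live host the same check is a read of the CLSID's InProcServer32 default value, and any value pointing at a file with this naming pattern in SysWOW64 is worth pulling for analysis.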

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Gfembo32.exe
PID 2804 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Gfembo32.exe
PID 2804 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Gfembo32.exe
PID 5076 wrote to memory of 224 N/A C:\Windows\SysWOW64\Gfembo32.exe C:\Windows\SysWOW64\Gicinj32.exe
PID 5076 wrote to memory of 224 N/A C:\Windows\SysWOW64\Gfembo32.exe C:\Windows\SysWOW64\Gicinj32.exe
PID 5076 wrote to memory of 224 N/A C:\Windows\SysWOW64\Gfembo32.exe C:\Windows\SysWOW64\Gicinj32.exe
PID 224 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Gicinj32.exe C:\Windows\SysWOW64\Gmoeoidl.exe
PID 224 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Gicinj32.exe C:\Windows\SysWOW64\Gmoeoidl.exe
PID 224 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Gicinj32.exe C:\Windows\SysWOW64\Gmoeoidl.exe
PID 1116 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Gmoeoidl.exe C:\Windows\SysWOW64\Gomakdcp.exe
PID 1116 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Gmoeoidl.exe C:\Windows\SysWOW64\Gomakdcp.exe
PID 1116 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Gmoeoidl.exe C:\Windows\SysWOW64\Gomakdcp.exe
PID 4964 wrote to memory of 4488 N/A C:\Windows\SysWOW64\Gomakdcp.exe C:\Windows\SysWOW64\Gfgjgo32.exe
PID 4964 wrote to memory of 4488 N/A C:\Windows\SysWOW64\Gomakdcp.exe C:\Windows\SysWOW64\Gfgjgo32.exe
PID 4964 wrote to memory of 4488 N/A C:\Windows\SysWOW64\Gomakdcp.exe C:\Windows\SysWOW64\Gfgjgo32.exe
PID 4488 wrote to memory of 116 N/A C:\Windows\SysWOW64\Gfgjgo32.exe C:\Windows\SysWOW64\Hiefcj32.exe
PID 4488 wrote to memory of 116 N/A C:\Windows\SysWOW64\Gfgjgo32.exe C:\Windows\SysWOW64\Hiefcj32.exe
PID 4488 wrote to memory of 116 N/A C:\Windows\SysWOW64\Gfgjgo32.exe C:\Windows\SysWOW64\Hiefcj32.exe
PID 116 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Hiefcj32.exe C:\Windows\SysWOW64\Hopnqdan.exe
PID 116 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Hiefcj32.exe C:\Windows\SysWOW64\Hopnqdan.exe
PID 116 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Hiefcj32.exe C:\Windows\SysWOW64\Hopnqdan.exe
PID 4452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Hopnqdan.exe C:\Windows\SysWOW64\Hfifmnij.exe
PID 4452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Hopnqdan.exe C:\Windows\SysWOW64\Hfifmnij.exe
PID 4452 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Hopnqdan.exe C:\Windows\SysWOW64\Hfifmnij.exe
PID 2964 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Hfifmnij.exe C:\Windows\SysWOW64\Hmcojh32.exe
PID 2964 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Hfifmnij.exe C:\Windows\SysWOW64\Hmcojh32.exe
PID 2964 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Hfifmnij.exe C:\Windows\SysWOW64\Hmcojh32.exe
PID 1640 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Hmcojh32.exe C:\Windows\SysWOW64\Hkfoeega.exe
PID 1640 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Hmcojh32.exe C:\Windows\SysWOW64\Hkfoeega.exe
PID 1640 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Hmcojh32.exe C:\Windows\SysWOW64\Hkfoeega.exe
PID 3328 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Hkfoeega.exe C:\Windows\SysWOW64\Hflcbngh.exe
PID 3328 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Hkfoeega.exe C:\Windows\SysWOW64\Hflcbngh.exe
PID 3328 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Hkfoeega.exe C:\Windows\SysWOW64\Hflcbngh.exe
PID 2024 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Hflcbngh.exe C:\Windows\SysWOW64\Hijooifk.exe
PID 2024 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Hflcbngh.exe C:\Windows\SysWOW64\Hijooifk.exe
PID 2024 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Hflcbngh.exe C:\Windows\SysWOW64\Hijooifk.exe
PID 2788 wrote to memory of 3728 N/A C:\Windows\SysWOW64\Hijooifk.exe C:\Windows\SysWOW64\Hmfkoh32.exe
PID 2788 wrote to memory of 3728 N/A C:\Windows\SysWOW64\Hijooifk.exe C:\Windows\SysWOW64\Hmfkoh32.exe
PID 2788 wrote to memory of 3728 N/A C:\Windows\SysWOW64\Hijooifk.exe C:\Windows\SysWOW64\Hmfkoh32.exe
PID 3728 wrote to memory of 4568 N/A C:\Windows\SysWOW64\Hmfkoh32.exe C:\Windows\SysWOW64\Himldi32.exe
PID 3728 wrote to memory of 4568 N/A C:\Windows\SysWOW64\Hmfkoh32.exe C:\Windows\SysWOW64\Himldi32.exe
PID 3728 wrote to memory of 4568 N/A C:\Windows\SysWOW64\Hmfkoh32.exe C:\Windows\SysWOW64\Himldi32.exe
PID 4568 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Himldi32.exe C:\Windows\SysWOW64\Hofdacke.exe
PID 4568 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Himldi32.exe C:\Windows\SysWOW64\Hofdacke.exe
PID 4568 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Himldi32.exe C:\Windows\SysWOW64\Hofdacke.exe
PID 3172 wrote to memory of 3968 N/A C:\Windows\SysWOW64\Hofdacke.exe C:\Windows\SysWOW64\Hbeqmoji.exe
PID 3172 wrote to memory of 3968 N/A C:\Windows\SysWOW64\Hofdacke.exe C:\Windows\SysWOW64\Hbeqmoji.exe
PID 3172 wrote to memory of 3968 N/A C:\Windows\SysWOW64\Hofdacke.exe C:\Windows\SysWOW64\Hbeqmoji.exe
PID 3968 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Hbeqmoji.exe C:\Windows\SysWOW64\Hmjdjgjo.exe
PID 3968 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Hbeqmoji.exe C:\Windows\SysWOW64\Hmjdjgjo.exe
PID 3968 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Hbeqmoji.exe C:\Windows\SysWOW64\Hmjdjgjo.exe
PID 4692 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Hmjdjgjo.exe C:\Windows\SysWOW64\Hcdmga32.exe
PID 4692 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Hmjdjgjo.exe C:\Windows\SysWOW64\Hcdmga32.exe
PID 4692 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Hmjdjgjo.exe C:\Windows\SysWOW64\Hcdmga32.exe
PID 4864 wrote to memory of 708 N/A C:\Windows\SysWOW64\Hcdmga32.exe C:\Windows\SysWOW64\Iefioj32.exe
PID 4864 wrote to memory of 708 N/A C:\Windows\SysWOW64\Hcdmga32.exe C:\Windows\SysWOW64\Iefioj32.exe
PID 4864 wrote to memory of 708 N/A C:\Windows\SysWOW64\Hcdmga32.exe C:\Windows\SysWOW64\Iefioj32.exe
PID 708 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Iefioj32.exe C:\Windows\SysWOW64\Ikpaldog.exe
PID 708 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Iefioj32.exe C:\Windows\SysWOW64\Ikpaldog.exe
PID 708 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Iefioj32.exe C:\Windows\SysWOW64\Ikpaldog.exe
PID 2136 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Ikpaldog.exe C:\Windows\SysWOW64\Ibjjhn32.exe
PID 2136 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Ikpaldog.exe C:\Windows\SysWOW64\Ibjjhn32.exe
PID 2136 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Ikpaldog.exe C:\Windows\SysWOW64\Ibjjhn32.exe
PID 2456 wrote to memory of 1576 N/A C:\Windows\SysWOW64\Ibjjhn32.exe C:\Windows\SysWOW64\Iicbehnq.exe
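Added example (not part of the sandbox report and not code from the Berbew sample): the rows above list each parent/child pair three times, and each parent writes only into the executable it has just dropped, which is the next link in the chain rather than an unrelated process; the chain itself, not the memory write, is the useful indicator. The script rebuilds the spawn order from rows copied from the table (de-duplicating the triplicates) and derives the file paths to hunt for. It adds the C:\Windows\system32 spelling for every SysWOW64 image because these are 32-bit processes under WoW64 file system redirection, which is why the Processes list that follows shows both spellings for each dropped EXE. The row layout and the redirection rule are the only assumptions.

```python
"""Rebuild the spawn chain from the "Suspicious use of WriteProcessMemory"
rows of this report and derive the file paths to hunt for."""
import re
from collections import defaultdict

# Rows excerpted verbatim from the table above; the first pairs are kept in
# triplicate exactly as the report lists them, later pairs trimmed to one copy.
ROWS = r"""
PID 2804 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Gfembo32.exe
PID 2804 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Gfembo32.exe
PID 2804 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Gfembo32.exe
PID 5076 wrote to memory of 224 N/A C:\Windows\SysWOW64\Gfembo32.exe C:\Windows\SysWOW64\Gicinj32.exe
PID 5076 wrote to memory of 224 N/A C:\Windows\SysWOW64\Gfembo32.exe C:\Windows\SysWOW64\Gicinj32.exe
PID 5076 wrote to memory of 224 N/A C:\Windows\SysWOW64\Gfembo32.exe C:\Windows\SysWOW64\Gicinj32.exe
PID 224 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Gicinj32.exe C:\Windows\SysWOW64\Gmoeoidl.exe
PID 1116 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Gmoeoidl.exe C:\Windows\SysWOW64\Gomakdcp.exe
PID 4964 wrote to memory of 4488 N/A C:\Windows\SysWOW64\Gomakdcp.exe C:\Windows\SysWOW64\Gfgjgo32.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
    r"(?P<parent>\S+) (?P<child>\S+)$")


def parse_edges(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) edges in
    first-seen order; the report repeats each pair three times."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        edge = (int(m["ppid"]), int(m["pid"]), m["parent"], m["child"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def spawn_order(edges):
    """Depth-first walk from the root PID(s), giving (pid, image) in creation
    order. Handles a branching tree as well as the linear chain this sample
    produces (every dropped EXE spawns exactly one successor)."""
    images, children = {}, defaultdict(list)
    for ppid, pid, pimg, cimg in edges:
        images.setdefault(ppid, pimg)
        images.setdefault(pid, cimg)
        children[ppid].append(pid)
    roots = sorted({e[0] for e in edges} - {e[1] for e in edges}, reverse=True)
    order, stack = [], roots
    while stack:
        pid = stack.pop()
        order.append((pid, images[pid]))
        stack.extend(reversed(children[pid]))
    return order


def hunt_paths(order):
    r"""Every image path plus its redirected spelling: a 32-bit process that
    writes C:\Windows\system32\X.exe lands in C:\Windows\SysWOW64\X.exe, and
    telemetry may record either spelling depending on where it was captured."""
    paths = set()
    for _, image in order:
        paths.add(image)
        folder, _, name = image.rpartition("\\")
        if folder.lower() == r"c:\windows\syswow64":
            paths.add("C:\\Windows\\system32\\" + name)
    return sorted(paths)


if __name__ == "__main__":
    order = spawn_order(parse_edges(ROWS))
    for depth, (pid, image) in enumerate(order):
        print("  " * depth + f"{pid} {image}")
    print("\n".join(hunt_paths(order)))
```

Run against the whole table, the chain reproduces the order of the Processes list below, and the hunt list is what to match against file-creation and process-start telemetry on other hosts; match on both path spellings, since an EDR that records the path the process asked for will log system32 while one that records the opened file will log SysWOW64.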

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gicinj32.exe

C:\Windows\system32\Gicinj32.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gomakdcp.exe

C:\Windows\system32\Gomakdcp.exe

C:\Windows\SysWOW64\Gfgjgo32.exe

C:\Windows\system32\Gfgjgo32.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hopnqdan.exe

C:\Windows\system32\Hopnqdan.exe

C:\Windows\SysWOW64\Hfifmnij.exe

C:\Windows\system32\Hfifmnij.exe

C:\Windows\SysWOW64\Hmcojh32.exe

C:\Windows\system32\Hmcojh32.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hofdacke.exe

C:\Windows\system32\Hofdacke.exe

C:\Windows\SysWOW64\Hbeqmoji.exe

C:\Windows\system32\Hbeqmoji.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hcdmga32.exe

C:\Windows\system32\Hcdmga32.exe

C:\Windows\SysWOW64\Iefioj32.exe

C:\Windows\system32\Iefioj32.exe

C:\Windows\SysWOW64\Ikpaldog.exe

C:\Windows\system32\Ikpaldog.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Iicbehnq.exe

C:\Windows\system32\Iicbehnq.exe

C:\Windows\SysWOW64\Ikbnacmd.exe

C:\Windows\system32\Ikbnacmd.exe

C:\Windows\SysWOW64\Iblfnn32.exe

C:\Windows\system32\Iblfnn32.exe

C:\Windows\SysWOW64\Iejcji32.exe

C:\Windows\system32\Iejcji32.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ickchq32.exe

C:\Windows\system32\Ickchq32.exe

C:\Windows\SysWOW64\Ifjodl32.exe

C:\Windows\system32\Ifjodl32.exe

C:\Windows\SysWOW64\Iihkpg32.exe

C:\Windows\system32\Iihkpg32.exe

C:\Windows\SysWOW64\Ipbdmaah.exe

C:\Windows\system32\Ipbdmaah.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Ipdqba32.exe

C:\Windows\system32\Ipdqba32.exe

C:\Windows\SysWOW64\Icplcpgo.exe

C:\Windows\system32\Icplcpgo.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jbeidl32.exe

C:\Windows\system32\Jbeidl32.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jmknaell.exe

C:\Windows\system32\Jmknaell.exe

C:\Windows\SysWOW64\Jlnnmb32.exe

C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jbhfjljd.exe

C:\Windows\system32\Jbhfjljd.exe

C:\Windows\SysWOW64\Jefbfgig.exe

C:\Windows\system32\Jefbfgig.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jcgbco32.exe

C:\Windows\system32\Jcgbco32.exe

C:\Windows\SysWOW64\Jfeopj32.exe

C:\Windows\system32\Jfeopj32.exe

C:\Windows\SysWOW64\Jidklf32.exe

C:\Windows\system32\Jidklf32.exe

C:\Windows\SysWOW64\Jlbgha32.exe

C:\Windows\system32\Jlbgha32.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jlednamo.exe

C:\Windows\system32\Jlednamo.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kiidgeki.exe

C:\Windows\system32\Kiidgeki.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kikame32.exe

C:\Windows\system32\Kikame32.exe

C:\Windows\SysWOW64\Kmfmmcbo.exe

C:\Windows\system32\Kmfmmcbo.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kfoafi32.exe

C:\Windows\system32\Kfoafi32.exe

C:\Windows\SysWOW64\Kimnbd32.exe

C:\Windows\system32\Kimnbd32.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Kfankifm.exe

C:\Windows\system32\Kfankifm.exe

C:\Windows\SysWOW64\Kpjcdn32.exe

C:\Windows\system32\Kpjcdn32.exe

C:\Windows\SysWOW64\Kbhoqj32.exe

C:\Windows\system32\Kbhoqj32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lllcen32.exe

C:\Windows\system32\Lllcen32.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Megdccmb.exe

C:\Windows\system32\Megdccmb.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Ngdmod32.exe

C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Pjmehkqk.exe

C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Ajckij32.exe

C:\Windows\system32\Ajckij32.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6500 -ip 6500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 404

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2804-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2804-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Gfembo32.exe

MD5 9b1ad7121af74dc8fd113fa6a15f6e4e
SHA1 0b9c84bb067194e71301af7d6a74c78574ac98c5
SHA256 602e4c263d77dbc6171d39b1940db9b262a6e8f601c96b19735a65fbc16e506d
SHA512 3badeedb7c0fd6daeb3e302a65cfdea74cfac9d4876e813deee56f6a6962556ed29713440af0af9c7c3ba40bda4110ce56e688349fee11eafde79117e1fd95a3

memory/5076-9-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Gicinj32.exe

MD5 92215958eb962ebfd40356ff195e8a9c
SHA1 9df1749e12e9a8bd845c8e41ec7b6a696b1f9751
SHA256 c843786e2c10116d9a9b679a2d8ff40e2c26a5e8ad8ddc0c5165b30815fef880
SHA512 8fbdef1e0fe0e297fb556b3a86a198e521be87f8969cb1545cd093f12678465ebb3a9fe6a60b6c694c73056337288b5455412bf053a16bf1fb2cc2a6e63b3950

memory/224-17-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Gmoeoidl.exe

MD5 255fcd514baf85331432d100ff69c611
SHA1 061926e27ff764dc13ebd84016617093f11396dc
SHA256 85c651db34d1b94b3585e17c29fd0e799019b68465aea726fd576c7b3c20e887
SHA512 5a32ee3560bf880219a0f3111582b21b8aa2bfe693ff3b9d17b9c85e5db9f149e05cf5cf1d845b1c4384d3ab79c8d1f43f7debc693b986a0b698eaa979a3cb14

memory/1116-24-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Gomakdcp.exe

MD5 e75e50d524d82c2fef149d4418faea65
SHA1 8471edde5ac2795e1ab95e270e8fb49e4eeede82
SHA256 28f3256914e89bb8cea009f30036d283b1f20e7be50bfa9e8c9e3ed565efc4b8
SHA512 85d99d281c2b88290e64506f22f75316db1d039695cd3cb3130f2356a50aabb909a200653bed73cecb9db482fff06c6f54b159677d3664e8dcb9954fc6440f52

memory/4964-32-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Gfgjgo32.exe

MD5 dca26d08eec90a11453f52ac5e40c20a
SHA1 fde737b037813d6f134918281b5638c43d4f24e2
SHA256 ce78f09ec782506ad2e502779b1f1da5ba991a1ece59afe09751438614762f9a
SHA512 033704199153ee1d1bab4dd6f2a2985ce6c465a385d9911a94415620ecb0cbd89535c85246bf6393b34497ca50769947a0c2d4f8c2d3b7a9da745088bf478a5b

C:\Windows\SysWOW64\Gfgjgo32.exe

MD5 3b49f9f23eb3a10757a1cdf85736818a
SHA1 31ab7c00334557e6f51d99acbac7afb1d25a0091
SHA256 92717a2b0c90a2dafbbe01b90800137dc4b09fe5802af6c34ec873093ac85111
SHA512 3bfe2e489af40a2c31644a8a3a01d256379563d9333b4d619d4f000c48315547c3ad92cf80fe48a275699e46b9c1227eb3095a8a3ffd501ef6189c9998e5f9fb

memory/4488-40-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hiefcj32.exe

MD5 cbc524d4077e96e3d92379172962b782
SHA1 0b11267ee419537e99a659fa20183e2ba97800dc
SHA256 7355f6eb3012645ed8c430206e28b0a9c5289466d7955a5f5390a9cab546b561
SHA512 49aab246d8a102ecc885a5c2f1446413899687025da81b5e7ac7b251d988c3aafa3f801fbee073fd73a49e4fcdb5bf646055534a36f216e8e62af2ecaa8906c1

memory/116-48-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hopnqdan.exe

MD5 62a91f71443ec3eae56113294427738a
SHA1 4ea27ffb70999199fd1adfec495821c18115dd7c
SHA256 aa8845c506ac6c23fa9affe16391ec232a3f980018bf3232bbddd2a0bd8bd0b4
SHA512 713fd5be19945c21ee2498a86f5f39176515ebd064e279f11a91704000b075427f9a03f4c0c1be84c331eae94c56831c074d9cf8c8d870371df3c19433bec81a

memory/4452-56-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hfifmnij.exe

MD5 c22cd6b9da960ef92a406d475446a49b
SHA1 d46bde39f0f60499aac26b893b686fc1ee9e5287
SHA256 3adc5484a479ae549e7da6ab527f3c7050d7aba468889bf3159f5eda465b4fef
SHA512 6aa7725df972d6b07b538e1feb019ffb01cbeff8bb4542b57ba19c1dcab3398aef6c5d6c395db66880241ab6d16800bf38c8ebc64a0dd70b1408cddb589389b0

memory/2964-64-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hmcojh32.exe

MD5 330f365e702b9fd453cfd13d274cd5f5
SHA1 b47df57e4df1b0c83dbe41e60a6eccb9ddfed3e7
SHA256 8b09fc7a25b4df238627837570f9187189b2d7f5620be1a43bd22e6c70bb4425
SHA512 e8ac8bf2f2dc45b08298df2bf7a80dfcf7428675d5dad09e9917c47d7a36a36f05652bd4a89e3558b3f25aa2a45c8daf5cbfbbeb4b7987d935cd28c218d8f0ae

memory/1640-73-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hkfoeega.exe

MD5 40a93895c5181ac8745ed88b602057d1
SHA1 d4ce91b1b80a319bab20e192d404aa614115da5a
SHA256 37c73c745bb81bddb66f1b28c2fdb3b1959f2699d041ff63fe07743a14595379
SHA512 490a3e0cd48bf14f77d41f2481ed5fc0017f2252e975e2607f9e61958daff8113ca7a102f9246707ddc385c2f3505c4291b07fa9e2afa5cc457db9d76335e1ea

memory/3328-80-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hflcbngh.exe

MD5 196e21fab7ff6e6be13a62abb58e2c16
SHA1 86f018f8b30716d575c35f8dad1aaa9f8d420bc3
SHA256 4f9f27166d9b7558e5667f9c397567798843feb8ce8da1c49110d0c3ab0c1e37
SHA512 421f20ae547385d46a2314d1c74883c4dc23c65e8827d2e7386e52faa175ec456461c652e876da6dcf0e1312366288ed65c9ac7a94d38fc684a9569bb704e91e

memory/2024-88-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hijooifk.exe

MD5 74ad8625070498036abea721c65f0ded
SHA1 d31a3ecd517d14242136e039a381e20c12cd728f
SHA256 7e3e2d883ae8b3c8e5b854ad68ea964836ed793206db76222a609417fe054d6e
SHA512 00c8885a2755a183c157232d70ccf0e1a96959c6a84aa8923f46d3e987931fd5fcd03868777895669a293dd7eed2ba579e699726b8b4a1cc7ef4fafbb169cfeb

memory/2788-97-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hmfkoh32.exe

MD5 3957862be8af91634c06f9bb2c2e78e3
SHA1 10f5d8ae6d00774f27247579723950b735c58ff0
SHA256 63a59fcffafa541ec3143040413ad09b92c354a14ace22a104f45232edb9860a
SHA512 170f44c1abf6afb6a790e1c6aae6cfcf53048a7bf82ffa095d4f8fc2553de5d4901c5e2cbe0ebe4241d3c5ae4fd76bccbc3a62b80dfbbf6ebdb93aae525818f5

memory/3728-104-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Himldi32.exe

MD5 defd5eac7c906e66905eefb6c132237a
SHA1 e3c9933b3d819c683747a0459d40a3b6c1ad126e
SHA256 f29a9354df9a891680670a2455cff1fb7e436a3d14bba384a93b584b9944193a
SHA512 85d866e4d996739036a6d22548f5c48d7b1c655c8910072b8ec8bfba9d4e045d22f9efd234f45cfc291d42bf3717877990dbccfe6bbf7c5b58b30c29582b2007

memory/4568-112-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hofdacke.exe

MD5 809b433723e2203c89805ada4bd40950
SHA1 c12481f789138c0f79e653271101a06d88d3f320
SHA256 1dd3f903d2bd9806b5aa4f119e0b53ba79d1b43c79b518ba3cbbd477eac812e8
SHA512 629e7d6a3bcffb03b2a751fba3b683f3a2e17f40329066993de7358cde3e878e210ee2a7db74f6bf9bbcae863548d89972804b966e70dcb507318abfb85cc5cc

memory/3172-120-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hbeqmoji.exe

MD5 6d9f6f3be8cf039f1fae906c0f2442fb
SHA1 7038bb41ce7ae887b132e09a1f2145261dde39c4
SHA256 46e0e07aad6ff32a4659f793357bdc36674d05e2b67e8817b5efcb34a4762989
SHA512 711c3a8e1a7f9b7f8308d6bdd0fdd0e80666475e621bda07ff60b453403d666147f0c3e34378bb52c496bc92bd521ea5f0de69ce096e2572a38bb5c3197c13dd

memory/3968-128-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hmjdjgjo.exe

MD5 408aeaf3a8e2e93a1f9a08326ea7037b
SHA1 09efd42ab00bf7de199bf943a70cf9c4a5130e5f
SHA256 4b835a1a8774fa8a9794561b8dd30a1a872c72166e41c742f2ba31d5c3b4a3c4
SHA512 93d19e4650d1cbbef4157e8c80146e8671999c639bd920c87510808b9972a0ede138d2faa826375461fadf0827e31b4462d12fb17306bfe372ae15656e3f651a

memory/4692-136-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hcdmga32.exe

MD5 08b3f991a0bd3b04b9d18556e0b0347a
SHA1 597c496bd61749618f7cbaa6c426bd30f0ee6a01
SHA256 eb21055b7a036c7f08de1fae7902872dc45e29f7d8b82f0823bba25cf5b3266e
SHA512 7e34039ea88c6c8c7401615c5f97025b59483dc645ab2d19a5174fbd39a4c8898683b3840ae44f5b2f78f8642464f8ced6fa3f503e9d9d553204e14d603f30fe

memory/4864-144-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Iefioj32.exe

MD5 5b8dc31b0455ee5d7aa65fb1b3a97ac4
SHA1 8f96cb8301e864778b040b0d2ee009ac0bd9a89f
SHA256 4b7240e105aad94e4ed8056be214d375ecc96832f4444960f4b87c637eaae521
SHA512 16a9b5e40cfa64819dc7650b11b754cb6d91d5e931c33cea2326c510a05eb7d5f4459d227832ccc58703e5bd9a8495812edb98bcac23b2594fcb35246df1a73c

memory/708-152-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ikpaldog.exe

MD5 53ced5e19677aac863f40d34fef46e5c
SHA1 14c4ce8186accb7acac05f9e74a59d5f2fa6bff8
SHA256 9054d6d96b4df237b02c625c6e6f6b33cde5c2a42d9b9fe682bee17710426ec0
SHA512 ecd6689face355afbea52e9467a57ed137bb18f32f641d7d90d961c45369fd325e0901e24ab7c959a9a7d898c9f5d5ef82c06e00f11d37740ca4dd8173fad7bf

memory/2136-160-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ibjjhn32.exe

MD5 f72be3487da70eb4d35f86d665448a26
SHA1 14047cbaa58f44fbce8eb30c3e22d23366339a74
SHA256 043f63bf8d8750d3e91aebad614fb046d84f3ba7957e9eef8ad28c2bc3687d52
SHA512 65b742f95d1bb69abb2f1798b93e92c3654ebe52801c7db19d735c7141d52e097b5d59d6d2d4141c9f5e870750e97b23034a02e476490b5e205b281444cd028b

memory/2456-168-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Iicbehnq.exe

MD5 828b2a320c54dd76f63d2885811716a4
SHA1 ad98861bd24fd24adfcb9a0391d03ecc39037aa0
SHA256 db147656ca7995c314c91fa2d5a580fb0385c72501a6a7965b8b49ba7693c69c
SHA512 a6180bf02132f8b756986e60246f9e89a3a9c0ce39c1785a818660d0e5b3b817677d7d6cf1414c55957a8f22ae9ba91c73e9aaf1fc2a11aa33c1baba8ddac0ec

memory/1576-176-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ikbnacmd.exe

MD5 7a7259e199132365d8f8c2a76efdb06b
SHA1 4996130cfed7c4625ef253ae904b5a6ce60c1a0f
SHA256 7b010637943c6cc0514a61e1cc521d33e7cb9fe3a990b4106874026764898f7e
SHA512 2d7e591c61037932b7d98de8bb79d6f98e015d3e2c4ab40f5b28b5051dcbcf04454ad2af39526a53c674d1ee3edd4f7d92f0a584136ec361cfd2411c3b7047b2

memory/884-184-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Iblfnn32.exe

MD5 87af59aea0ad845e9b36ae5c2615d4fe
SHA1 52c22f49b980958f3a74c03daa4d96696af3804d
SHA256 8dd762648659768e92c9642919e035f001f4babbb875aea0d5b1fff727c89ab0
SHA512 2f61cc00b2649d38d406c3525050dfbfa44cc00016990d329e821058a7681c2d37456b4c51cc9589042c72bb8fce485247a8b3ca1356d53cacca950d425dbf37

memory/1656-192-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Iejcji32.exe

MD5 e0fd7fb6d8927bdbd1ea97ad362206a0
SHA1 e3b4ccd58510ed3aecffde375a6cb02b10a84c91
SHA256 db8f81d42f50079ddd99c45b7cbe3009e6a6bfeea8296f8f92a4a8702e1e72cc
SHA512 d2cb1c32699b1faf088744a4c3237ca49d2a06414a7c0dfe8a718eb347d9b3686b289f9412a042230dcff624e67f4cfd19562ae2894ba7f5247bfbb6b76baf8a

memory/3648-201-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ildkgc32.exe

MD5 8acb66157e9c6c29d01df3a383d5fa87
SHA1 43b40ad098baaf7d62b0c0603080790f6690ec6c
SHA256 d52fff42165ef7572ff4d43a35bd28dc3b9730e870fab8bbf7a0ab20607030fc
SHA512 c8d3bd6b9e05d18c7b0b2f5672cee123c1bcaa41e482a78abc6123ecae0198f06d9850a2649cd8944e39726c399a601e4179743985a484355f8ad4416cf4e2cd

memory/324-208-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ickchq32.exe

MD5 489c8122bfed64b6273b4286b278d09a
SHA1 f57d9d3aa5f3528c2af25b512c82a5cb0adec365
SHA256 68eb825ecb59dfe13a22169070f0ffeb5eb6249df853b06f5940bf18315e0b1b
SHA512 0648fc816f7961d0e02756bb0fa03bb0ec84bebf7ac943fd9d9fddf24546f6749458812bf83853465bbef64549192886e8f09d25c169f19a5e4f37e773bb334d

memory/3776-217-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ifjodl32.exe

MD5 1d579a67728b610f4d0b37715945c30c
SHA1 074e29fb8f877bb000b8041c5a3d8adcd088e207
SHA256 c9387d13b3b364ce13df93e7eefe8e8b4974a36d0f663231ab80e8e367f319d9
SHA512 19d109f27a58e8fb54b08bcd5f1c96cc1048b93574e783934b2a0922dbcdb01c8e47ad3c5aae3ff2da8a1c7b41525c943b381952e4e776acc3d69bb2cddad8b2

C:\Windows\SysWOW64\Iihkpg32.exe

MD5 536345b1e507ba777b252a0b7227fb80
SHA1 15525e9f07240b63f3442b2ccf354d6ed8693beb
SHA256 e3f6104ef893b9119b44f714cdfab0c28795b628da6b943049719eb53f0c4425
SHA512 8b76a63a468ba94366178f22b8af9b5bb7fda667ea3a6dc4d4a219acbcd227cfb8a97b16d09847134f173fd5166f0b5f54a106adab19526c2d477bf7894f29dd

memory/3164-229-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3864-233-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ipbdmaah.exe

MD5 bbe431f4d4704af98e47433d4d6b181e
SHA1 dddce3d03363484d887525d9d1c47c15412e3077
SHA256 4dc3701c5be96a822c24e5dafaabcb225e6eb8acf0a820f3462ca7106b8697fc
SHA512 f99c93f1f3550c5707372887207bf5ebfdd24ac277a6ffd52aa4bd5add08c3bbfc108ceaf3092251a308a0ed081efff1eb869597970fc8e8200795efb4e34742

memory/4060-245-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ieolehop.exe

MD5 f9a1730a0a913d53f8bd831d5d416f24
SHA1 89d32322d34633b70b819c31b147f9372caea87a
SHA256 c2a6eec1f474a835ac334a52f33fd83f982181191c9c27dbbafc5c31e97900b6
SHA512 2aea00a6b26c378ac4ad18c62a74b1fdb52479bc5d90bf06aa5d2605d0ce7b06493ffba078a60d6c76558cc29209a0ae4ec14aeed43724c39df97836fde92e46

memory/4788-248-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ipdqba32.exe

MD5 274ac9790cab5fd25a7cc6a7bec957e0
SHA1 70c9b96033e8d2dceb6aa7d63329640ddd1a0cb7
SHA256 5cac7b357a7ab470bd82ab9069bbd62084f45a00af3dcadc4aa5c007e3e86b61
SHA512 65445e0ad8ddac13386ee36f35087f8220c81af113f66e2726efa7228c972f48b0defd9381d7abc861e275908adbae53d9c765cb53c3a63e731d64246130e68f

memory/1940-262-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1672-263-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2288-269-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2956-275-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jbeidl32.exe

MD5 f97948c1b3522eaed4401942168a94df
SHA1 a46f48828c4a33ed130c01261de9e1b90cac1968
SHA256 e930ce3669d25a15ca977eef20c25036e7db9b688555f8bdd1dde85b3400a411
SHA512 c7d33c255b54f7472b6a2f957fcf99e61f93d4171d2bd686de90deb0f0ea17b31ea4b8feaec929e5bdd31e61e74685f37dbea406b91bf2985f3c80a0b010b64f

memory/4068-281-0x0000000000400000-0x0000000000440000-memory.dmp

memory/868-287-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4344-293-0x0000000000400000-0x0000000000440000-memory.dmp

memory/208-299-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3416-305-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jefbfgig.exe

MD5 033e84de664efd0268e5fe41c21f8d47
SHA1 d371af0717825e79b2a49e85b334044a56bdebfe
SHA256 7f377a974e311eb8ffa98f94d994764b27a43c38c669727036256a7fd5d1de44
SHA512 e55effc2c6f9bb30c36e7bcb97e23e6e1c93b1306328c91d3601773d159938558931e233bf2e2144a0f14006d4f3805e1c212bc0bca6ddc3a38913239f67b089

memory/3048-311-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4828-317-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jcgbco32.exe

MD5 2fd987120b729cc767f6073eb598030d
SHA1 f403143285b34fd7d93f9cf80d86c723e7cb2216
SHA256 3222637e263cdc24b1af475cbe2ce721b3427225a903d06b495e4461d2eea362
SHA512 311072422f42c1e7bb3794c37fd23c77cf77e59190d78b21bc266f0a9a84a351dfd0d7a9245a8c33c6fac5523d6eaf3281d6c7106109580c6aee7d91f9c5e257

memory/3132-323-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2540-333-0x0000000000400000-0x0000000000440000-memory.dmp

memory/552-335-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jlbgha32.exe

MD5 51fb9a5f9c58a6a2796ec252b68f1db4
SHA1 11fd9134c608bc18c27431c14281cc2a99c4190c
SHA256 1858d997e7d316387fd34c7af0a1f1c9a64402d72ab79099209ecef2daf7eb9a
SHA512 e21a6adac89de83113da4c425af7b5572932e228eef7f051dd31e540f1b34e515e9b73bbb3f5076a94c2bd07006e846b1a520256acf2e70c79b8c9a113c6348d

memory/4440-341-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1892-347-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2312-353-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Jlednamo.exe

MD5 9d789ab2cdf9359aa94dd6a0147f872e
SHA1 e56272c0ec5c8c3619d274ea7809e3fb77de644b
SHA256 02d94f4bd042735c466b059b6f8d75fe9c2e51061313b4f995a302cbded4d4d4
SHA512 11212a0b8e32aad4a37eac0aa555f6480f6701074c062918b89cfed1ff0187147b4898ffc2609b1eaab40b64dc0ee6f4a55e6ffe89c49ae08effb885bd4e2a59

memory/4556-359-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2368-365-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4656-371-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4216-377-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kpbmco32.exe

MD5 ece79b9bcfe7b3543d484ae0162fcb3b
SHA1 57edba6eb3ae55a690934ece2efae46117f83d9c
SHA256 fdf30805f33badee8b49fccc3b58991582350ab3a4c2c160eb62e53d2dbc1706
SHA512 98cf7fea1ffaa00fd4381e339f7c5c32eed44d467f3e322445048dc7bd2972e3f6a99d1c7c5d238251051967a4f7be1ff35dc0527a8f33ad67e7935f811cdd4b

memory/4004-383-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1328-389-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kikame32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1052-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2932-401-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3724-407-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kfoafi32.exe

MD5 97923a155e4044f7d712277ab4e7f8c1
SHA1 d1b20d3f120d4e01f631f55f93b890a2f1122cfe
SHA256 5be4d3e7b15141dc200a8353c86783fb04c2a0a090bd171923c9ea3277dc0679
SHA512 0134bf84162f9ef2e747bc913bda76895c7dad4f6e5ca55cc8a1ebbb32da0f78c6a403dde0c465230d3c558d22b7b1a65251db904e2163d3fa8123ea9560a50c

memory/4888-417-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3632-419-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Kmijbcpl.exe

MD5 9fb80fbfa687a66496d301f64656eeb8
SHA1 c7eeaa9411d3fc3e4056c542acbd2475a15aa67c
SHA256 13554c0c04f95c6d96d1a32b46da787a8befb77e8e15e94095824a66612a50a9
SHA512 71d4b314745155436612b7bc86264d122268fb9fcdc39acebba407d9440c1bd83c5ab23190d31bd15031ff98588d6e06d3daaf663dc0d61dbdc3becd8bde01be

memory/2432-425-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3260-431-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3956-437-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1476-443-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4264-449-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2628-455-0x0000000000400000-0x0000000000440000-memory.dmp

memory/732-461-0x0000000000400000-0x0000000000440000-memory.dmp

memory/640-467-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3372-478-0x0000000000400000-0x0000000000440000-memory.dmp

memory/964-479-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3400-485-0x0000000000400000-0x0000000000440000-memory.dmp

memory/436-491-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2732-502-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3304-505-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1636-509-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4408-515-0x0000000000400000-0x0000000000440000-memory.dmp

memory/856-521-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3740-527-0x0000000000400000-0x0000000000440000-memory.dmp

memory/512-533-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3568-540-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2804-539-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Lllcen32.exe

MD5 6b433f00b280ea497dce74cbbce647c1
SHA1 4493d859d649a35cb09dcf8d0482a06436af72aa
SHA256 e9af4bbac125442df7ead41a87e47fded28fab5737f45f6df7631b5a19ecbe9e
SHA512 06f2bef34c8d27e0bb068db94c2d00d62c642295d8148783a9da682472435dff442e71579db5e25beee3f940b83187d92fb530ee276c79cae92a3b4d47448aae

memory/1528-550-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5076-552-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2492-553-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Medgncoe.exe

MD5 88fc5460d696dde2987432463c2e3e1d
SHA1 52f0585ca5602d82c4ac6c553369e2278b2943ee
SHA256 77928fb6f0498869364c43820d1be8ec9981b2c81f8270ffa07593f6372ad7ff
SHA512 360ef2ffa20a4d93d47d2e417c04034d8f1cf415d9f8b945cd2d86d35b396e51f6281f19d14e7f3ccf7173dcc58e69ee6d762eb71efc4945cf8be0adbe97d300

memory/224-559-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4624-560-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3848-567-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1116-566-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4856-574-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4964-573-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1020-581-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4488-580-0x0000000000400000-0x0000000000440000-memory.dmp

memory/116-587-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4684-588-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4452-594-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mgfqmfde.exe

MD5 fe56b94ecc01ac0f3a4eeb196edb862c
SHA1 9e2db3a3f5f96ae4accedf38aba062dca5f06814
SHA256 956183d6ef50211b42986b42cf7510e20dc3ed28858bcb16ad2e79bd6eec7d56
SHA512 855c29cc952629d6a9dd4a7c719e767c84a562d371c81a255e637efe169337cab127d6ac3f094a2462b46a3a82b7a9bdaabec5a84d63f51a386fc6df057cdaaf

C:\Windows\SysWOW64\Mlefklpj.exe

MD5 242b7abb62d3d63b50e35eb5deb7df2b
SHA1 9e0465895f8751a34e24e6610ceb99772432678e
SHA256 f37bd671cb28d5b91cd9c862f9fa969fbcd2dfd643d507d449b81c2678eaad04
SHA512 939f51fa2b6f1e824507bab2ca0c5198b6e6cc8ea13528aaa1b7fa1c4f25d1fd2c9a38d6b7f78356afb6ff482ed90871c306dd60f3d39ee4c0ef3e12367c4db5

C:\Windows\SysWOW64\Ndokbi32.exe

MD5 aa65d536605f74ea75051db195199bbf
SHA1 eea22ef42056aa7dd70409d11a8727f1cfb9fdb8
SHA256 be9af6ac5066acada8c7a4291c2cc546bf8bcb8fa2c60cc1928612e16902898b
SHA512 452f36ffba33c45f80049391e2dc0e38640196b01ea146a73a2efbd8439fd53d57892b40cd5cd14e3f131f8ccfa7f5abb120923358cad373737ffef607111aec

C:\Windows\SysWOW64\Nilcjp32.exe

MD5 088f27ecd0f335f6cf229dba04ee810a
SHA1 8a51fbca324e7904c42070a4e73bd0a2a48e1b47
SHA256 b505b6dad834bdea1a212f7c7ee20b89b0e6ff4e3722bdad79c42169f5898e15
SHA512 15e68cdb7cb8156ef6e2b4d99ab93e0a0736663621f00e52217f4284d6e52c812785c8e4a2c5eea004bf2605a842b3e9cd49fc5c38836e3c25da67d6ef33ef09

C:\Windows\SysWOW64\Opakbi32.exe

MD5 e761235568719a2cc670b2cd61ef589d
SHA1 8a57079ab123f69a663c1144744ab7e254550bda
SHA256 80551508aac607c5ba6741f9f0a135e5b36c304095d9f565ad2d49c7911270a1
SHA512 e85196020dd58636ea69ae277fb063424fa16aca36ba987f408a461352138c3da9c1b2a9accc4f0d25228f9200f1c73c9b00c5e978ae753f472e68a340734a2b

C:\Windows\SysWOW64\Ofcmfodb.exe

MD5 41841019553c64ae21536efd5176f904
SHA1 159806b00ed6bb9ae6b8f3be83be412a97859223
SHA256 01bcc6e708de40a47074cd151749783d35b9112b98121d4d0abadb42550b30d9
SHA512 f86e724c4de28b68dd86cb31a8b22cb78dc28041b32e6f5cab6a89c266bd23c7bf1b5ff4065459094ff5a5c87244811f05b33063f654a07ddf01dbf65976563b

C:\Windows\SysWOW64\Pggbkagp.exe

MD5 f0366a41091302e3985f8f2aaffcdcec
SHA1 0652ac7446596764491952d57302c218d33ae7a8
SHA256 beaaa98c2b9fe9d988f54773982805af16db1f8245419ca346d6d2ff6587701d
SHA512 e3a40b28a5b79a5480ee28816bae873f8a265bc7bd0eddb6baa54c55cc1538f33abb68b0d14c06472837523f12d410700aee671cf9f5074855a94c0472da73ec

C:\Windows\SysWOW64\Pcncpbmd.exe

MD5 ea13c0784c017513f3016149a589d8c7
SHA1 930695082413c3dc90dba4d24983fd96bdf6cd99
SHA256 dc5675f0a79255d5c64a1af526c349f5b5269c7564930ca907d75b299c2b3a35
SHA512 f5adee72b139efcb9535379a5d1b874e7455b08253c4e10f6fe100ba74af62f3e9146b469b1026d4eccab96c6d1e07465c235da7257facff6cfb64facb8041d3

C:\Windows\SysWOW64\Pncgmkmj.exe

MD5 d1198d334669a368e73e3f8e03d24c84
SHA1 2863b2793de7fd0ad4b40276bff3b74204502750
SHA256 5b70e9ef35848c0297fbc735ff3e83455d10ee2a9cb2d6ef3e7399bc057165b8
SHA512 6692aa7d9a7ceddfd213be44859de8a337cccc4466bbfc80d7d252a56434aecf2ab58f5f2ca3c7ee8961f4bc78cb3ca6b3596e18a5a3ae21877e475177b9b1e4

C:\Windows\SysWOW64\Pfolbmje.exe

MD5 9eb4f8d991812f8294c5bc961d26c858
SHA1 b3d1a8409a2635b9e8a9a5740fdd44b0340e51af
SHA256 6b90f49256d89ba9deb9deb60180c9a10baf55423a45e68d318b1df1d1b19911
SHA512 262b80525029929c995c0c2645755f807f33bdfd634b9e0a5f9395acee0cb2e90071f42a0d82576e8a3d5a5d417dc570351dd7886c1caa9eab2504d622c3d2d8

C:\Windows\SysWOW64\Pjmehkqk.exe

MD5 bc8c0f92495ac71951aa8b5f0a4ffa70
SHA1 508e29ef82bd2a2483e16a58ff20c9d1a99dc6d2
SHA256 763505fc8fbe91f2edbfcab90c88b54b140c585465afec913120c554c4a162fb
SHA512 00c8bba402a4cfacf06f8e3008594ef34f845676a3831c10d9690e341659271615148e18e7f51d33e01cb8d01672da04e1b697f6afb3893a8e0182b4a1d46043

C:\Windows\SysWOW64\Qqfmde32.exe

MD5 b988cf0ac0b66c50c513bad769a96d75
SHA1 2511999cd2a4c6124a61c42486bf93afc53ce1b3
SHA256 43c03effd4d43bb74e44e0169934c8300da939bc755cf728179a898da600a881
SHA512 7cfc209901bf30e260ef2e96fc570e8d61b906633a963705674983b85e8db7937d87f7d9c51024eda2a6d0900b7b2fe63078fd610cd42535c84ce09ee6070e4b

C:\Windows\SysWOW64\Qddfkd32.exe

MD5 ba880ef5145d58f1282da0c60caf0660
SHA1 a4ac00ec80a080d1615d36a5582f584a2f192e9d
SHA256 657d4e3e136692c27a12758d6d2a3216bcc2a3459ec9c12013c9ff60d20d4a54
SHA512 62ea18ea90d4deeb243906765daeb1302edab1bd3bd27999ea8d8b961ecae6a0f62e3f2093346e0897bd5ee81b865825a0aed8951d2414dfe24e06776f724662

C:\Windows\SysWOW64\Ambgef32.exe

MD5 a306eaef747f65c5dde40913dfd84d03
SHA1 2dbd16b7d4d662098fcaf963f25e7c6c1ceea57e
SHA256 7cefd686a8ae87e648d91a3f3a134d89f74e404c0b88b0920c684483955a3ae0
SHA512 abe2ac870e4e9a7c2b6432d6aba6cb2dd8e903628479b75c3c3e8d4242a63156182723391e6d3d50291fd47a313a06e8f9dd8a7a38e975589a15494fac38902a

C:\Windows\SysWOW64\Amgapeea.exe

MD5 68636f50e717bebb6e97319617234a08
SHA1 fd7ef9323042fa68b3559c86fec726f01df9aff8
SHA256 b4289740f46a18e93377ea86292d617803b99cf30fd7d607bd91f6ec819e5d3e
SHA512 4c431246aca0e49fcdc07f56d427ae3d5735bb3c3cb94780e3940bb6f49da01f1e80b9a2048d619b5174968ab179a24c21640c1b3437ab23bf01029207c2c4a6

C:\Windows\SysWOW64\Aadifclh.exe

MD5 f0fa1279b64c147b9215c2e3455469f9
SHA1 6118b0d89318551230b17bd2202ee96e7a90e12d
SHA256 baf32ed2256f906141f07b94ba26a9f7b69707001bb4cd51c77f8c66e9d96b88
SHA512 3dbd0cc6cf6f1e6b5a13bc503b1e49ddb283f029899a2a407777eddd6be49cbb0dadd023c6053138e360dab4f99a13d59c28da7dcc764f22dd4f526fcef4ea1f

C:\Windows\SysWOW64\Bnhjohkb.exe

MD5 dfefa32c4092986b37ea69a706be375c
SHA1 6ad6008f9d36d629f55b1a06dfee6b59e5ed6961
SHA256 82b40f11f81bf744d6b3d58edf31e1c6f9a8d993fac44d61bb122f65b5d4369a
SHA512 16d36772e3bfed790cb83df4a868976619c30e091a86f98dd231c21810fe3f99c8659d20a767fa98c79ba1ba69df962dd5987176c5bce18963ed44941e6731f4

C:\Windows\SysWOW64\Bfhhoi32.exe

MD5 3a88d10c961a4ab47a5473c0fd1dc683
SHA1 66bc86f7aa20eb7656cd8f7a269b2b1ef3abc057
SHA256 6bcc2fe2b779bb065c4924d2076288a83dfe2b554f33e4df4f9450e28182e8af
SHA512 b21205e1868cf9fc53c6c514e6c331bea38ca7540932e9e1cc8ac37132d681aecb4aca1a058e4db8295b8a7d24ac44a026d5f4742d5a808f0f189d24f9301df8

C:\Windows\SysWOW64\Banllbdn.exe

MD5 2fb9e6e742628c16e28647e131c24098
SHA1 f9509a1e2b404d05cf5ebbb22fb87ad838338d2f
SHA256 e609eaf484b8763245fa5660e7ace61db5cf0a6065e751d8ff2b60451a1dbe3b
SHA512 2535217d426c429ae63292634358f76f5435533c7ae60d7b250471553ccf8c5573b49f74e6e4abd6d4320f05f01771fd5b815854bca358fad83dc4870eb2a62b

C:\Windows\SysWOW64\Bjfaeh32.exe

MD5 a9675d34f5fffee0a8223b0197d656db
SHA1 8b85c92b8ef0ca605327de644aa668dad22838b9
SHA256 0d0e4126892f94d4b4edf1c9d773c160253b4198ca460a4fb58447d3e411e17d
SHA512 7f131c3c3632787627bec5ba045ee080a421c8d0885fd1d84195a7017c2ccc533b2ea53fdeecc98a0d496f2335d283ed5afe1f54c92c7c8c8a2833821bcb2988

C:\Windows\SysWOW64\Cdabcm32.exe

MD5 8aa864283c7f18dbf4d2dcb06b968290
SHA1 bd18df28e4a2d37cba4bf6b1a9090e820f15f2aa
SHA256 d2f356770679a64ee4c118d876ab326e8144e7a479141377be4575088aaa5a7f
SHA512 6e603eaa9f4fbaa8760448034e98bdc368754074ccf900b566a31190da19822ce31a1ccd6041b70df69f24d8f362360532579d7580cd803f3c8d2e03d521be95

C:\Windows\SysWOW64\Cjmgfgdf.exe

MD5 2b8d3cf6246faa9ff1b7a8b6ae57b483
SHA1 b4da9c675bfaea039b14ae6a9600d4d271e5a86a
SHA256 6c0dd1c04018698de43571f8939d48e5ae0b4dc2318acb439e7b5fbb760f4d8b
SHA512 58a30dd27d90187a5a90253cff397925230c83536a4c09d09ecd2ab7d7658f2e9af2b446870a16b879c14cb51ef12090bca4e7a9067956961e61316e1c5cbc9b

C:\Windows\SysWOW64\Ceckcp32.exe

MD5 957e44779c55f2d5a70cdad7312db4b2
SHA1 1eb3fe0c84280578ac719137e65b7b13ce0fc3d4
SHA256 d91730ec90a4520603442ed0c30af4924079c7c02e904495b9b5c642c63c0bed
SHA512 bc90b618834d17647f1c80cc9c844cba6041efbb642c77ba5d70120b2d81d7a04d6d629946c9a90eb869d5621d2318c6e7255e443f270545378f51f11e35f409

C:\Windows\SysWOW64\Ceehho32.exe

MD5 437be9e06e72262c54003c7c699defb4
SHA1 91a7e4ff84655f4ef7030a4b52c5ea23b963f01d
SHA256 ce0f8c1020743a9c349d26140d4f01b8bb47c359310fd33f1ed36acc5ffe7ded
SHA512 2a4018723bffe97163354ec60edf5029c6bf0eccf4a61aa54ffdedc803c39b87fc0606a15719170fd54ac490c94f9367f8168cf681de6c26e5e601717934b9cb

C:\Windows\SysWOW64\Cjbpaf32.exe

MD5 c2635b11a7b5ebd40d14b0a82331c3a6
SHA1 e7aed45df138bddaa01de46ecccd293cec644aa5
SHA256 d6e78e3a14f5b5e937e8a93a6e4614118c5fd876bbcde7f1271d684c94375409
SHA512 7e336c1bae3b694f31bd4234023c9d8e99e6c3481957025dc320633171d22ebc457d0aaadc80be0336f8db579c4bc7b646bad14e016bad593df365450dbeb5a2

C:\Windows\SysWOW64\Danecp32.exe

MD5 fc94a06da90173d34b3a9938134c3196
SHA1 55daa14118493d7c9c6c3d358901bca3c7ef952a
SHA256 d817a3735baa2a4c81f3fa285585209fdaddf84c99a14cdb56b68595e5ccc8a3
SHA512 59d66c24fa8fc9a23c766e20647f30ef8111bb9ca1604101b21ee0b1f5f3335eaaca525b8082c86719f2dba3224014fcfc2464322dff5f31a8e1571e35a9e081

C:\Windows\SysWOW64\Delnin32.exe

MD5 585b5f1c214c6d51b3370f89f91c16fd
SHA1 54df2e8b27ed042fcee76dbb9488ab81f33afb7a
SHA256 8557946a0a0a59fdc2f11671437dbdac68c90ada6988579e7ef939631406b940
SHA512 796c9687a24ead5452de6cb9b3b9acdd7a101c7df15db645a51b52b6f14335beb116ff5a9ea94419113be2a39131e87c3f73400231af351b88c0c205e6232b85

C:\Windows\SysWOW64\Deagdn32.exe

MD5 99b9eddffe9f8d0c43fbb18235f67765
SHA1 15acded416bbbc11912940ea9942809c95db12a5
SHA256 0ad3d94dd656b4b002524d265870c159294075c3dfef03a3078f6370f55b98f5
SHA512 59e0c7f730662fafce37189fc3c9d59804de7fb3205e5f153179134560e1b64ba13de570b78bc95897cade663c93234c7ee1a1bc39f91b05d0b832b4f6ff5999

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 2f99e49faeda75d6c1e29ec27f07c395
SHA1 da6afdf4c455ca022b52be63a954db7178245d6d
SHA256 b07d152192d1d65f8a68653c0579a15683c218c11f19eaae071e6439d07d91e4
SHA512 8e0015a6192c0461e36952b6c6fac2f34264080e87970fc0f03ae2340fa6faef800f48a82586449e0492336ed308d79551c1bc02141fd9df138f65c9933feb28
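The dropped-file list above is only useful on a host if it is turned into something a responder can sweep with. The script below is an added example, not part of the sandbox report and not code from the sandbox vendor: it parses stanzas in exactly the layout printed here (path line, blank line, then MD5/SHA1/SHA256/SHA512 lines), checks that each digest has the length its algorithm requires, builds a SHA-256 index, and hashes every file under a directory against it. Only two stanzas from this page are embedded so the block stays short; the remaining entries would be pasted in the same way. The `demo_scan` directory and its file contents are constructed for the example and are not artefacts from the detonation.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Two stanzas copied verbatim from the report's Files section; the rest of
# the list is appended in the same layout. Raw string keeps the backslashes.
REPORT_EXCERPT = r"""
C:\Windows\SysWOW64\Nilcjp32.exe

MD5 088f27ecd0f335f6cf229dba04ee810a
SHA1 8a51fbca324e7904c42070a4e73bd0a2a48e1b47
SHA256 b505b6dad834bdea1a212f7c7ee20b89b0e6ff4e3722bdad79c42169f5898e15
SHA512 15e68cdb7cb8156ef6e2b4d99ab93e0a0736663621f00e52217f4284d6e52c812785c8e4a2c5eea004bf2605a842b3e9cd49fc5c38836e3c25da67d6ef33ef09

C:\Windows\SysWOW64\Opakbi32.exe

MD5 e761235568719a2cc670b2cd61ef589d
SHA1 8a57079ab123f69a663c1144744ab7e254550bda
SHA256 80551508aac607c5ba6741f9f0a135e5b36c304095d9f565ad2d49c7911270a1
SHA512 e85196020dd58636ea69ae277fb063424fa16aca36ba987f408a461352138c3da9c1b2a9accc4f0d25228f9200f1c73c9b00c5e978ae753f472e68a340734a2b
"""

# Expected hex-digest length per algorithm; anything else is a transcription error.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_dropped_files(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the report's path/hash stanzas into {path: {algo: hexdigest}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            entries[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has wrong length ({len(digest)})")
            entries[current][algo] = digest
    return entries


def sha256_index(entries: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Invert the parsed list into sha256 -> original drop path for O(1) lookups."""
    return {h["SHA256"]: path for path, h in entries.items() if "SHA256" in h}


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_bytes(data: bytes, index: Dict[str, str]) -> Optional[str]:
    """Return the report path a blob corresponds to, or None if it is not an IOC."""
    return index.get(hash_bytes(data))


def scan_directory(root: str, index: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hash every regular file under root and report (local path, report path) hits."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file; not an indicator either way
            if digest in index:
                hits.append((full, index[digest]))
    return hits


def demo_scan() -> List[Tuple[str, str]]:
    """Constructed demo: one planted file whose hash is added to the index, one benign file."""
    index = sha256_index(parse_dropped_files(REPORT_EXCERPT))
    planted = b"constructed stand-in for a dropped binary"  # not real malware content
    index[hash_bytes(planted)] = r"C:\Windows\SysWOW64\constructed.exe"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "a.bin"), "wb") as fh:
            fh.write(planted)
        with open(os.path.join(tmp, "b.bin"), "wb") as fh:
            fh.write(b"benign content")
        return [(os.path.basename(p), r) for p, r in scan_directory(tmp, index)]


if __name__ == "__main__":
    for local, reported in demo_scan():
        print(f"HIT {local} matches {reported}")
```

Two caveats for anyone using this on a live host. First, these digests identify the files this one sample wrote during this one detonation; Berbew chains drop distinct binaries under randomized eight-character names in SysWOW64, so a hash sweep confirms this sample and nothing more. For family-level coverage, hunt the ShellServiceObjectDelayLoad entries recorded in the Signatures section, which is the persistence mechanism every drop in the chain shares. Second, hash the directory from a clean boot or an offline image: a running Berbew host has the chain loaded by Explorer, and the on-disk copies may already have been replaced by the next drop.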