Analysis Overview
SHA256
044f6504dbc9b11acb015c1c8934d822b164f894e50004e6216c81220d86c911
Threat Level: Known bad
The file Backdoor.Win32.Berbew.pz-044f6504dbc9b11acb015c1c8934d822b164f894e50004e6216c81220d86c911N was found to be: Known bad.
Malicious Activity Summary
Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 11:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 11:12
Reported
2024-09-16 11:14
Platform
win7-20240903-en
Max time kernel
33s
Max time network
16s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pomfkndo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajecmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfkpqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oghopm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpceidcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Onecbg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmlmic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Clmbddgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oghopm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aecaidjl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oopfakpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Onecbg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfkpqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odoloalf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\Pfdabino.exe | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qbplbi32.exe | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| File created | C:\Windows\SysWOW64\Aliolp32.dll | C:\Windows\SysWOW64\Oopfakpa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Okfgfl32.exe | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Blmfea32.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpceidcn.exe | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgpjlnhh.exe | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Pomfkndo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qeaedd32.exe | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpfeppop.exe | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfnmfn32.exe | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqcngnae.dll | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oancnfoe.exe | C:\Windows\SysWOW64\Oopfakpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Ennlme32.dll | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Biojif32.exe | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjpdmqog.dll | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Bbdallnd.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbikgk32.exe | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| File created | C:\Windows\SysWOW64\Aohjlnjk.dll | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoogfhfp.dll | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjnmlk32.exe | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Aecaidjl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apoooa32.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnkbam32.exe | C:\Windows\SysWOW64\Blmfea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqfjpj32.dll | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdiadenf.dll | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckiigmcd.exe | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oomjlk32.exe | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pomfkndo.exe | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhhpeafc.exe | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jodjlm32.dll | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| File created | C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncmdic32.dll | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Koldhi32.dll | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfkpqn32.exe | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipgljgoi.dll | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bnielm32.exe | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| File created | C:\Windows\SysWOW64\Biafnecn.exe | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljacemio.dll | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbgjqo32.exe | C:\Windows\SysWOW64\Cphndc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bqjfjb32.dll | C:\Windows\SysWOW64\Oomjlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Aecaidjl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhdgjb32.exe | C:\Windows\SysWOW64\Biafnecn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmeimhdj.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chkmkacq.exe | C:\Windows\SysWOW64\Cpceidcn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Pomfkndo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnielm32.exe | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekdnehnn.dll | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbdnko32.exe | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| File created | C:\Windows\SysWOW64\Clmbddgp.exe | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aeqabgoj.exe | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmjqcc32.exe | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| File created | C:\Windows\SysWOW64\Pokieo32.exe | C:\Windows\SysWOW64\Pmlmic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajgpbj32.exe | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Bbdallnd.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odoloalf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceegmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biafnecn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cphndc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pomfkndo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blmfea32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oghopm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aecaidjl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Onecbg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oomjlk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alhmjbhj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajecmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oopfakpa.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll" | C:\Windows\SysWOW64\Pjnamh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Blmfea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll" | C:\Windows\SysWOW64\Blmfea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll" | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll" | C:\Windows\SysWOW64\Bnielm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll" | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll" | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll" | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll" | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Onecbg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbhhkda.dll" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajecmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afnagk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaofqdkb.dll" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" | C:\Windows\SysWOW64\Oopfakpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Onecbg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Odlojanh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cinfhigl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Piekcd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
C:\Windows\SysWOW64\Oeeecekc.exe
C:\Windows\system32\Oeeecekc.exe
C:\Windows\SysWOW64\Ohcaoajg.exe
C:\Windows\system32\Ohcaoajg.exe
C:\Windows\SysWOW64\Oomjlk32.exe
C:\Windows\system32\Oomjlk32.exe
C:\Windows\SysWOW64\Oalfhf32.exe
C:\Windows\system32\Oalfhf32.exe
C:\Windows\SysWOW64\Oghopm32.exe
C:\Windows\system32\Oghopm32.exe
C:\Windows\SysWOW64\Oopfakpa.exe
C:\Windows\system32\Oopfakpa.exe
C:\Windows\SysWOW64\Oancnfoe.exe
C:\Windows\system32\Oancnfoe.exe
C:\Windows\SysWOW64\Odlojanh.exe
C:\Windows\system32\Odlojanh.exe
C:\Windows\SysWOW64\Okfgfl32.exe
C:\Windows\system32\Okfgfl32.exe
C:\Windows\SysWOW64\Onecbg32.exe
C:\Windows\system32\Onecbg32.exe
C:\Windows\SysWOW64\Odoloalf.exe
C:\Windows\system32\Odoloalf.exe
C:\Windows\SysWOW64\Ogmhkmki.exe
C:\Windows\system32\Ogmhkmki.exe
C:\Windows\SysWOW64\Pjldghjm.exe
C:\Windows\system32\Pjldghjm.exe
C:\Windows\SysWOW64\Pmjqcc32.exe
C:\Windows\system32\Pmjqcc32.exe
C:\Windows\SysWOW64\Pcdipnqn.exe
C:\Windows\system32\Pcdipnqn.exe
C:\Windows\SysWOW64\Pgpeal32.exe
C:\Windows\system32\Pgpeal32.exe
C:\Windows\SysWOW64\Pjnamh32.exe
C:\Windows\system32\Pjnamh32.exe
C:\Windows\SysWOW64\Pmlmic32.exe
C:\Windows\system32\Pmlmic32.exe
C:\Windows\SysWOW64\Pokieo32.exe
C:\Windows\system32\Pokieo32.exe
C:\Windows\SysWOW64\Pfdabino.exe
C:\Windows\system32\Pfdabino.exe
C:\Windows\SysWOW64\Pomfkndo.exe
C:\Windows\system32\Pomfkndo.exe
C:\Windows\SysWOW64\Pbkbgjcc.exe
C:\Windows\system32\Pbkbgjcc.exe
C:\Windows\SysWOW64\Piekcd32.exe
C:\Windows\system32\Piekcd32.exe
C:\Windows\SysWOW64\Pkdgpo32.exe
C:\Windows\system32\Pkdgpo32.exe
C:\Windows\SysWOW64\Pfikmh32.exe
C:\Windows\system32\Pfikmh32.exe
C:\Windows\SysWOW64\Pmccjbaf.exe
C:\Windows\system32\Pmccjbaf.exe
C:\Windows\SysWOW64\Qbplbi32.exe
C:\Windows\system32\Qbplbi32.exe
C:\Windows\SysWOW64\Qijdocfj.exe
C:\Windows\system32\Qijdocfj.exe
C:\Windows\SysWOW64\Qkhpkoen.exe
C:\Windows\system32\Qkhpkoen.exe
C:\Windows\SysWOW64\Qodlkm32.exe
C:\Windows\system32\Qodlkm32.exe
C:\Windows\SysWOW64\Qeaedd32.exe
C:\Windows\system32\Qeaedd32.exe
C:\Windows\SysWOW64\Qgoapp32.exe
C:\Windows\system32\Qgoapp32.exe
C:\Windows\SysWOW64\Qjnmlk32.exe
C:\Windows\system32\Qjnmlk32.exe
C:\Windows\SysWOW64\Aecaidjl.exe
C:\Windows\system32\Aecaidjl.exe
C:\Windows\SysWOW64\Acfaeq32.exe
C:\Windows\system32\Acfaeq32.exe
C:\Windows\SysWOW64\Ajpjakhc.exe
C:\Windows\system32\Ajpjakhc.exe
C:\Windows\SysWOW64\Anlfbi32.exe
C:\Windows\system32\Anlfbi32.exe
C:\Windows\SysWOW64\Afgkfl32.exe
C:\Windows\system32\Afgkfl32.exe
C:\Windows\SysWOW64\Aaloddnn.exe
C:\Windows\system32\Aaloddnn.exe
C:\Windows\SysWOW64\Apoooa32.exe
C:\Windows\system32\Apoooa32.exe
C:\Windows\SysWOW64\Ajecmj32.exe
C:\Windows\system32\Ajecmj32.exe
C:\Windows\SysWOW64\Amcpie32.exe
C:\Windows\system32\Amcpie32.exe
C:\Windows\SysWOW64\Aaolidlk.exe
C:\Windows\system32\Aaolidlk.exe
C:\Windows\SysWOW64\Ajgpbj32.exe
C:\Windows\system32\Ajgpbj32.exe
C:\Windows\SysWOW64\Alhmjbhj.exe
C:\Windows\system32\Alhmjbhj.exe
C:\Windows\SysWOW64\Apdhjq32.exe
C:\Windows\system32\Apdhjq32.exe
C:\Windows\SysWOW64\Acpdko32.exe
C:\Windows\system32\Acpdko32.exe
C:\Windows\SysWOW64\Abbeflpf.exe
C:\Windows\system32\Abbeflpf.exe
C:\Windows\SysWOW64\Afnagk32.exe
C:\Windows\system32\Afnagk32.exe
C:\Windows\SysWOW64\Aeqabgoj.exe
C:\Windows\system32\Aeqabgoj.exe
C:\Windows\SysWOW64\Bilmcf32.exe
C:\Windows\system32\Bilmcf32.exe
C:\Windows\SysWOW64\Bpfeppop.exe
C:\Windows\system32\Bpfeppop.exe
C:\Windows\SysWOW64\Bnielm32.exe
C:\Windows\system32\Bnielm32.exe
C:\Windows\SysWOW64\Bbdallnd.exe
C:\Windows\system32\Bbdallnd.exe
C:\Windows\SysWOW64\Bfpnmj32.exe
C:\Windows\system32\Bfpnmj32.exe
C:\Windows\SysWOW64\Becnhgmg.exe
C:\Windows\system32\Becnhgmg.exe
C:\Windows\SysWOW64\Biojif32.exe
C:\Windows\system32\Biojif32.exe
C:\Windows\SysWOW64\Blmfea32.exe
C:\Windows\system32\Blmfea32.exe
C:\Windows\SysWOW64\Bnkbam32.exe
C:\Windows\system32\Bnkbam32.exe
C:\Windows\SysWOW64\Bajomhbl.exe
C:\Windows\system32\Bajomhbl.exe
C:\Windows\SysWOW64\Beejng32.exe
C:\Windows\system32\Beejng32.exe
C:\Windows\SysWOW64\Biafnecn.exe
C:\Windows\system32\Biafnecn.exe
C:\Windows\SysWOW64\Bhdgjb32.exe
C:\Windows\system32\Bhdgjb32.exe
C:\Windows\SysWOW64\Blobjaba.exe
C:\Windows\system32\Blobjaba.exe
C:\Windows\SysWOW64\Bbikgk32.exe
C:\Windows\system32\Bbikgk32.exe
C:\Windows\SysWOW64\Bdkgocpm.exe
C:\Windows\system32\Bdkgocpm.exe
C:\Windows\SysWOW64\Bjdplm32.exe
C:\Windows\system32\Bjdplm32.exe
C:\Windows\SysWOW64\Bmclhi32.exe
C:\Windows\system32\Bmclhi32.exe
C:\Windows\SysWOW64\Bejdiffp.exe
C:\Windows\system32\Bejdiffp.exe
C:\Windows\SysWOW64\Bhhpeafc.exe
C:\Windows\system32\Bhhpeafc.exe
C:\Windows\SysWOW64\Bhhpeafc.exe
C:\Windows\system32\Bhhpeafc.exe
C:\Windows\SysWOW64\Bfkpqn32.exe
C:\Windows\system32\Bfkpqn32.exe
C:\Windows\SysWOW64\Bkglameg.exe
C:\Windows\system32\Bkglameg.exe
C:\Windows\SysWOW64\Bmeimhdj.exe
C:\Windows\system32\Bmeimhdj.exe
C:\Windows\SysWOW64\Baadng32.exe
C:\Windows\system32\Baadng32.exe
C:\Windows\SysWOW64\Cpceidcn.exe
C:\Windows\system32\Cpceidcn.exe
C:\Windows\SysWOW64\Chkmkacq.exe
C:\Windows\system32\Chkmkacq.exe
C:\Windows\SysWOW64\Cfnmfn32.exe
C:\Windows\system32\Cfnmfn32.exe
C:\Windows\SysWOW64\Ckiigmcd.exe
C:\Windows\system32\Ckiigmcd.exe
C:\Windows\SysWOW64\Cmgechbh.exe
C:\Windows\system32\Cmgechbh.exe
C:\Windows\SysWOW64\Cpfaocal.exe
C:\Windows\system32\Cpfaocal.exe
C:\Windows\SysWOW64\Cbdnko32.exe
C:\Windows\system32\Cbdnko32.exe
C:\Windows\SysWOW64\Cgpjlnhh.exe
C:\Windows\system32\Cgpjlnhh.exe
C:\Windows\SysWOW64\Cinfhigl.exe
C:\Windows\system32\Cinfhigl.exe
C:\Windows\SysWOW64\Cmjbhh32.exe
C:\Windows\system32\Cmjbhh32.exe
C:\Windows\SysWOW64\Clmbddgp.exe
C:\Windows\system32\Clmbddgp.exe
C:\Windows\SysWOW64\Cphndc32.exe
C:\Windows\system32\Cphndc32.exe
C:\Windows\SysWOW64\Cbgjqo32.exe
C:\Windows\system32\Cbgjqo32.exe
C:\Windows\SysWOW64\Ceegmj32.exe
C:\Windows\system32\Ceegmj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 140
Network
Files
memory/2748-0-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Ohcaoajg.exe
| MD5 | c1f298501f771020e6138ba2e42b9eb5 |
| SHA1 | 32ad0d5bab709bc8540b335a5e9ad789e2c8a2f6 |
| SHA256 | 65baf7a1d75083a558d927ca4823cf740c02121f5c5cf63d0238fa4735794e99 |
| SHA512 | b6610dcb01839601e8c21e6104b88cc887822059a3d3ed55b468c5833d6432d09acc1794525498a46ab8d0b807f030917aea0d36199332857b2c97a33d615252 |
C:\Windows\SysWOW64\Oeeecekc.exe
| MD5 | d09390629c1a21b92dc8684a06c22486 |
| SHA1 | 4533290206eb31ca49c267ff5e7d41656145adae |
| SHA256 | d81dfe94a6a03ec600e7a4af9560ec167c145256009a1c7b8c5beda7d33dd5da |
| SHA512 | 4742e14f5b95e07909846ab35a7d81d8843d816bbbfa3e8371eb4a9fa8d11ba956897d26d3062f07a6864a281ac14d9a02cf8bfd3617bae4430c2f0e5deaca27 |
memory/2748-17-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2284-26-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2876-24-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Oomjlk32.exe
| MD5 | 06f4b5ebe8fe035113a4e1fe0c012f23 |
| SHA1 | 9f53c88f78dd5f0c1337ced86feaf0e07afce025 |
| SHA256 | 92e67255b52ff81747d8234188c40b2c8caf1db5bf59c09bf98d7c9aa5103c31 |
| SHA512 | 46bbcf63c7a1d60fb8d279d7b5e41dc57696ecca5f8528ac454de7779b89e22d0090e934b10b35e4fde979079bad5d881d2611fabf5c4932ce6a04af5e95a6fc |
memory/2284-34-0x0000000000270000-0x00000000002B0000-memory.dmp
memory/2636-41-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2244-53-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Oalfhf32.exe
| MD5 | 6649c9fd7cc7cbaa45495b3c203143bd |
| SHA1 | 409602fc9fd1d8d74054ab8a39dd02bf8350ca71 |
| SHA256 | d04dfe178f44d70074e9471d914fc395991460c64c35007c1a65f84cf1b87a91 |
| SHA512 | 37eb898722d58f28fcb85b92838ba718f54f3ab6776a5ee88c7b5ed25e5729f0d5b712518a376be12a0889b1af831a02cde3d36e6b9c468239756bc3cda314b4 |
\Windows\SysWOW64\Oghopm32.exe
| MD5 | 2bcee3605a4d5d2b24078d59eb65649f |
| SHA1 | f69330f77f19ceb7991dae834c07edfbb5bd2fb8 |
| SHA256 | 34d555148ed65a10adf69f5310295aa665f371e8f521517e8f0d31d73403e4c4 |
| SHA512 | b0ed4f6ffd5263a33c3bb8e13ba5f33c277f8132858935b0183f7d2bb860c8226c01d2e19361d0fbfcd58faeedd065a44a129279c0d9843f06d58d983ff83187 |
memory/2244-61-0x0000000000260000-0x00000000002A0000-memory.dmp
\Windows\SysWOW64\Oopfakpa.exe
| MD5 | a21c1fc5de51f77a4efd27758263789b |
| SHA1 | e8118dafc84da49a0ccb343f9d7822c03fd73cac |
| SHA256 | e879a3e5cd8de2fc19a011d4c0799e926fe73ab11d318cdbb6bf4b66fd830b00 |
| SHA512 | 5bb92998b33f084c08deedc848259322a7b3ccef5fde8f0ddce8910a3efeb1f6c380cfd42f1950a302972205a2d202754b2d82cba90a19d5767e1d82618ccd2a |
memory/2828-79-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Oancnfoe.exe
| MD5 | f7801c32ba3ef9364ff1ab6c8db4a8f8 |
| SHA1 | ca572622537a95132d63975bd191052be9c08fc1 |
| SHA256 | 34795389f218534541effbe9c04db992a8684c8de99594bb7c1c657b0d8eea4f |
| SHA512 | 0d160c4cdf824188260dac96cc3e3881ef1e704f9533b76aa89ca1232e19d57a4df2a10c2fe2cfd576bc686e4492f5ce26270c1f3aa8bbbc0dc467a995f2d587 |
memory/2828-87-0x00000000002E0000-0x0000000000320000-memory.dmp
\Windows\SysWOW64\Odlojanh.exe
| MD5 | f7e414639172aa2bc0270efd69968613 |
| SHA1 | bacadada13b23147dc4c49d5dea474e703995948 |
| SHA256 | 7fc363a800fdb5f58f9177ebaa9ca877ab71499e1d6b877510b48d43b5e625cc |
| SHA512 | 2e7343adc9290b95005270a8e3a788518604fb1ce8f90ee7025adce838cf62d15bdeed60a88d594b5b1982c8f211f6ada9a4bcfeb69a343dfaa3fc7bdc23f2d9 |
memory/2980-106-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2324-104-0x00000000005D0000-0x0000000000610000-memory.dmp
\Windows\SysWOW64\Okfgfl32.exe
| MD5 | 7c293a24b4e439ab0a3ddbb19c0224d3 |
| SHA1 | 8049019908d80f1c06936d4143e87b609d6eb3f2 |
| SHA256 | 6e8b77127ad1a72b6e742248dc91a7f83b99d3bdd8db7a435f001368cad980db |
| SHA512 | d54dce52201e32338d29726f31870ba1acb6481ced5c3fee6acb8272085a118a3d4cc70665510e9ca59f6fc702ae93c0fd9df2450ae5d5f1722888b702fdb0a0 |
memory/2980-114-0x00000000002E0000-0x0000000000320000-memory.dmp
C:\Windows\SysWOW64\Onecbg32.exe
| MD5 | d509ceb73b58c24b8c7ebdc1dad87738 |
| SHA1 | 14685faf8a0878ce5b1ac943b37488420aff1821 |
| SHA256 | e45214d80a229a7fbd27ae8e139fd1b74c16aa17a5ad60c04ad14019e3966b1f |
| SHA512 | 43b8e874d4503b363784de017a1bad64b23a88aa190ef2b0f44550229dd3ad9b151dddea0a53755a53c307b99fabb529e227c814ad192e78ac0a70f817594a1d |
memory/1980-132-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Odoloalf.exe
| MD5 | e242143b6d8656305e1e1ed57a0894f4 |
| SHA1 | 98d94e3fb1f73c8843d18d778080e271bda2e367 |
| SHA256 | 0d42ba210b2b76889417a0f7b357bbbf4fa6a923e645c79a3e1172311f3ef7cb |
| SHA512 | 339b37a37820c9d1389d1667efaad87f3c64c0fc6b24fa440924b3adea2fe4d645e02b943cd91c0a57d42540942b9855cae68a91aa2221c5ae0ddf47612e1447 |
memory/1980-139-0x00000000002E0000-0x0000000000320000-memory.dmp
C:\Windows\SysWOW64\Ogmhkmki.exe
| MD5 | f1e331aaf50fff96e5e457ec38c7e284 |
| SHA1 | 8312cb6c84a5df747d3ad9577e7049b1c6ebbeff |
| SHA256 | 2eedcc6355ee8b8b4d4de1895cb4c67c1078a5baeb6a1ce920dd6cb21f6c0361 |
| SHA512 | 48a537faae4d4995d27b54055098696bcaaf8546d9070c2f2269c9be817f5fe73ecaa1d876942f2932e46d645a780e5b94acb225c7f70c572372706f918905c9 |
memory/2116-158-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Pjldghjm.exe
| MD5 | 2c95d2cff2877a6d9f936507292e3a87 |
| SHA1 | 438336f820386eb5a816811c820b3bc29ae9876b |
| SHA256 | c86c5903819b0899e72b8beba2725c05defbfac5c2d81d94ca9397bea5a4f571 |
| SHA512 | b83373b3c8dda4e3655db3e367f15298205a5843b517c83e75fd10676d488471fa027fdec591db96b4d2db3f1fa01a501241fe4cf2144b82f636696cbbf997fa |
memory/2116-166-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1440-172-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Pmjqcc32.exe
| MD5 | 80d54139d050867afa24ea629d97b91b |
| SHA1 | 7c0641e4459c9d19c2d3748cf781f1b0e472e019 |
| SHA256 | 65d62444c6434aeea748446b1b59e92562619284918b0f7c46dc04cf030e9c00 |
| SHA512 | 05c76473aa7e7a38fb915bcde7c9380aba508b9f5ac071b1447f6238ec9f48720142cc740af3f2f4dde084e389a81d7e436242f7ca8a5772e757c553a532d9f4 |
memory/2112-185-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pcdipnqn.exe
| MD5 | 85a5361905a56c695daeba19fbb29c24 |
| SHA1 | eed7352f9ce121b8cb7cb96944b097bf5ce8b496 |
| SHA256 | 06bd636e00165659bb30d0295c8f2826811461c334c38862e7ec4a3de800ac7b |
| SHA512 | 48eb727fa285ca3150b1c63fe7ce089044d8444abf09951804edcd73d8e994fe4f8410ebeab68af8c434c76d9471d59195b1271769163feeaec2c6eaee83c5fc |
memory/2112-193-0x0000000000260000-0x00000000002A0000-memory.dmp
\Windows\SysWOW64\Pgpeal32.exe
| MD5 | f0ed66cc68a30d401ac44ed0b0b99401 |
| SHA1 | b5b4d6d9fe61c01d0493fbafcbdc4bac0825fdf6 |
| SHA256 | 11d63a0ecd1eda4ac7b373f279eb419af2b4d4c5e30f1c60b94d0863d1af3e85 |
| SHA512 | 204f5348487b5d7fdd0d236062318bfa42243b5d9fdadbac4bfea9370f697a8d310e73e4f3ab63924ccf5db723275c2e76f8fde42b3cb1ca5dd41197af99a732 |
memory/2172-212-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2120-211-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pjnamh32.exe
| MD5 | 952ef10066fe958feca3b60bfc966f57 |
| SHA1 | 54f429b990be4822bfa091a8542cf64ef60b3f22 |
| SHA256 | d1142ed0bce5aeeacb7fddc04c53bb27d1ebbd1129fb2260e974c5cbe64694f0 |
| SHA512 | a9aaae571aa59134c117d790f37771a94346545747d81c63a26da1455a629025e8748f3c6da547d31cddc3a510d4dfcd0dc74c4a8dc2ed34e1596a8a47ddd297 |
memory/2172-221-0x0000000000440000-0x0000000000480000-memory.dmp
C:\Windows\SysWOW64\Pmlmic32.exe
| MD5 | 0911328cc5f36be2dfba213a54f4d336 |
| SHA1 | 18abe3ee7b15d316501615532d0b50c716363736 |
| SHA256 | 0d837a78a0fbaecbaa45078c8ea05a5cb7c25886e6139b0f06053fda1d6f0df6 |
| SHA512 | 237248eb26074e77e1202480c0afb0ed85c37dc7889bd224e2597a1203d257995cf4b78de7abf0e29210e6829599f5d5da596555fc5a2ec1cf2eb1b55af27069 |
memory/1160-232-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1096-231-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1160-238-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Pokieo32.exe
| MD5 | 8c999eaf3bd2c94debbdec5853087697 |
| SHA1 | 7428a79c2d61cba56d95b4f6a669374ceb080011 |
| SHA256 | 481f30b437c2dad47ca980a9b6c5bfb31ab6e412ff539a69c2aa54ebf91ee51c |
| SHA512 | f3a6baa68202ba1fec8b8aa3ff14c39316e319e6569a7db2cdf4139a6b1533dd4ea74cb8dac2ec7f379acad87056fdf2770b44f598c061d4c1d04b94ddc3bde4 |
memory/1160-242-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1788-254-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1632-253-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1632-252-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1632-251-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pfdabino.exe
| MD5 | 9ab7316f6b052ff7e272aea16fa7972c |
| SHA1 | 3f0753a7027d7fcfa9e1de63eeff8014a07a175b |
| SHA256 | 175a4050efab887364b012c7f09fe77d5debec22a22d9b471516ea044967791c |
| SHA512 | 017876a70b3ca87fa0ce41b509dadfc84c64de4bc213262810596756f8988515ad77301152b0b796889634a45dd83a5a8756b0c87d694b263f1d458c74d873f5 |
memory/1788-260-0x00000000002D0000-0x0000000000310000-memory.dmp
C:\Windows\SysWOW64\Pomfkndo.exe
| MD5 | ddab648e096c59c409f609127f4b8161 |
| SHA1 | eedff72294599752f6b9d45be7dd86c6bd88c2d0 |
| SHA256 | 7884a57201f858aa6cc0e08034e490ba2cd912efd4aa47810759cd0ae7734ed2 |
| SHA512 | 6a44db31f2b94e1950626336c3579f35e72f915c0ac1d5f4b0c9151b1bf9841e3940c7464df2a3bfea4027fde6da0c9d53900799a5719b8062c359fe67a262f5 |
memory/1788-264-0x00000000002D0000-0x0000000000310000-memory.dmp
memory/2160-269-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pbkbgjcc.exe
| MD5 | f278652dbca537a80e0df91acdb69366 |
| SHA1 | d1dc8acc06d2d839f4041bd1ca1612107585b0c1 |
| SHA256 | 16369c2183368f851432a171cd0dcc66b939ff5fda3d9c4e070f42bd8da006c2 |
| SHA512 | ccc0744540a9e2da559015fb20b9e82dc59ec4f419ff8ad46e974f520e3f74c0930b05c3a30096b59937778557fe7498b4ea4cca7035d0f96b946c7984a277c3 |
memory/620-276-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2160-275-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2160-274-0x0000000000250000-0x0000000000290000-memory.dmp
memory/620-282-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2052-298-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2556-297-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2556-296-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2556-295-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pkdgpo32.exe
| MD5 | 1cef0c0b34aa967412eb462b1da30beb |
| SHA1 | 9a3c5a6f568c9be826ef2a070064559ae6f0d28c |
| SHA256 | 2f7065472c1cc9daf93876ea2d90b37285212e01c85b3b2973727b770320a7c6 |
| SHA512 | b197ecaba17b7f43a9f7971bcf67d62c50b72db036a1384d9aae59c6b5b07f40c2a3a5228750fbaa84aa76fbc2e41893ded07e0dd3d95a820feab1819e3b2a49 |
memory/620-286-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Piekcd32.exe
| MD5 | a26ec6b028764376a6e59740388a0292 |
| SHA1 | cfe9da6f3a52682a7ce013aa8da644f4ec8aab46 |
| SHA256 | 73e031c44b22387dd15868938eb18fd83b653e568e1899efe14e826a462288a1 |
| SHA512 | 187bee90cb4afdc201b7c925618c59ab6993dc1baef3ff0af44967ea43d6351c5654851e15831a6d9585246c98de2a55bb05969b29a3c39444c4b64f5cbb8051 |
memory/2052-303-0x00000000002D0000-0x0000000000310000-memory.dmp
C:\Windows\SysWOW64\Pfikmh32.exe
| MD5 | 0ba417e4977a60bc2dcf34c14299d571 |
| SHA1 | ed77e051bf9dbf7978b60f67af6669c11426acd1 |
| SHA256 | 825ad17705d02dea5cad3d6d87dd843e83778e0a57f5c47ee7f0d94936598d12 |
| SHA512 | 57af12ab52f325543fcb2dc8a3cc73744ec87cf92e58183387ee9aad0c4fd1f0de849e1978b7a4c973b5e51ef6b0303289485abd893b4cd4b23d0b7d62184cad |
memory/2052-308-0x00000000002D0000-0x0000000000310000-memory.dmp
memory/2904-309-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2904-314-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Pmccjbaf.exe
| MD5 | 1b44116633ea97e68dd9a694f0a60d09 |
| SHA1 | 215678995bd6f4969571881faaa9a9a11b870de9 |
| SHA256 | 754a88691d63ae7f907ebc46126032649b15a3d1c78b6fc24662d56d706dfa36 |
| SHA512 | 91de2ace78779986e3344371727293db6de9133ff588f47f3b84237913d4d832d3e3413b2b845f6eb9fa8e71af53fe3f878df551112314d716f6313a9b34db14 |
memory/2904-319-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2568-325-0x0000000000290000-0x00000000002D0000-memory.dmp
C:\Windows\SysWOW64\Qbplbi32.exe
| MD5 | 155fdcc7b3bdb45e9a2cf45f237394ed |
| SHA1 | 9886c5541c464c85456d206dd0c2827848615953 |
| SHA256 | 7e7c353aa764bc7275be2ff76d98986f27ef00fc14ae8fd7221af5ae0dc70d01 |
| SHA512 | 4a9f0e675baeb27c471029f6b7dcfc7ae2370ccbb81d13a03b2cac2eef15b95d8b8be8f875f5d9c8972443c69609f5b1a3c107aeec4b2f15548eea983f6a7cd0 |
C:\Windows\SysWOW64\Qijdocfj.exe
| MD5 | 4082ddac33e5dbed097ee5e1e3c9c768 |
| SHA1 | c6d775cd51191daff1074f5e5eccd8934bffda04 |
| SHA256 | 93547f61223ebc996a01d3458de4bc69aacc7a000eeb659946569b460d69b214 |
| SHA512 | 0b865ca19d9cbf950fa6de6524e5dbe017bb7e89eb2f77462b2133af64d147c1dd1b4a40bdd08ea88f479ba346b5d1f99bd9eb17f60eb50b6f6025562de8a3cb |
memory/2628-338-0x0000000000280000-0x00000000002C0000-memory.dmp
memory/3048-339-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2628-337-0x0000000000280000-0x00000000002C0000-memory.dmp
memory/3048-348-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Qkhpkoen.exe
| MD5 | 8e85f3b9e6a8d4c68d4a4c8f1ea94c4b |
| SHA1 | 9ed7cf5ddc003dd3c04ae5a75edabcbc2b23279c |
| SHA256 | b6007f068848c6c1a03654235794fdc748b69b35e06856778b0257ab5a926e18 |
| SHA512 | 24576d7f81352f1205a5753b81af81a3562fe0ae153efb0c780f21540490c20b8f5a6d2631f122723fbd630b1e8b4fc7ee96c8a10c68735ba54ae5a83faf6c85 |
memory/780-353-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3048-355-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Qodlkm32.exe
| MD5 | 43063f0d01f7e0501c4af80942e50766 |
| SHA1 | 3c290c372e7591aefd9c4ff495f66a5daf7fdee2 |
| SHA256 | 4a8779729fdc7c6432160528474d28953eb0e81bcdbc5da6183ac48625590a33 |
| SHA512 | 98b918f3c4ae4c9f297b1c4ddc767de790b0f7b10897414a08d784f44a06ef94598209d579d3947d5286d12a18b7beae02a5270588cc84186eafa8f20b26a59c |
memory/780-359-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1656-361-0x0000000000400000-0x0000000000440000-memory.dmp
memory/780-360-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1656-367-0x0000000000250000-0x0000000000290000-memory.dmp
memory/1656-372-0x0000000000250000-0x0000000000290000-memory.dmp
memory/2284-373-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2748-371-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qeaedd32.exe
| MD5 | 406af42ce7a238b611c6ce9ce33c2a36 |
| SHA1 | 1a0a8fd561777248c0315c197802b9647d5c0e7f |
| SHA256 | 48c2f95e55066aaebef37d18902921f220f07851c329c65cdb0a064919da4222 |
| SHA512 | d52749bc7e973a21a1645201f7bbe2dfb11f0471f9ccc797ba1f2805c731da762196fc83b63dae02da14d8385eaf632b9d5c3c47ee0cda0e81d71a6d78a2312f |
C:\Windows\SysWOW64\Qgoapp32.exe
| MD5 | 4a98339eafea6292d2de885572ad53d6 |
| SHA1 | 946f5f84d9e9276a6b1aa85637c7ac24a7c8afaa |
| SHA256 | 80f4554208426954b689a5057184b6e68bcad756777e5a2b975fb71fabbffdfd |
| SHA512 | 5fe42666cfc66d701a20e8166dcd95da35f5177c5770371406652921e0b7bb8afe92fef623dae437cf3a27b0af141a59cf71b509fc7b3754979d738a071b39fe |
memory/2068-382-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2988-387-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qjnmlk32.exe
| MD5 | de04eafd710b6ae03d58c718b20b7aca |
| SHA1 | 80984481061e6a64b2a483b93b9ac8628a8a1534 |
| SHA256 | 8b558a216c5369f87f404e7f286918c7cec55aaab9bca22827895c410b330740 |
| SHA512 | 47faa311befd18b692d9c3d93d1335d81659d79057149acc3b770c9c11125fa9c57bbf8e0a86dcde7d6744a7951d65085d9b365e5574f0a3918360f61e2f28bf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-16 11:12
Reported
2024-09-16 11:14
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgkjhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pncgmkmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgimcebb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjjhbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Miemjaci.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgkjhe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aeiofcji.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Npfkgjdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjjhbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Accfbokl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmidog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ofcmfodb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcppfaka.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
Berbew
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Mdmnlj32.exe | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Olkhmi32.exe | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pflplnlg.exe | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qjoankoi.exe | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcgffqei.exe | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Kofpij32.dll | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| File created | C:\Windows\SysWOW64\Nokpao32.dll | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmlpoqpg.exe | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| File created | C:\Windows\SysWOW64\Oflgep32.exe | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjjhbl32.exe | C:\Windows\SysWOW64\Pcppfaka.exe | N/A |
| File created | C:\Windows\SysWOW64\Accfbokl.exe | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdlgno32.dll | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjelcfha.dll | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcdmai32.dll | C:\Windows\SysWOW64\Ocdqjceo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfkedibe.exe | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdhhdlid.exe | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgddhf32.exe | C:\Windows\SysWOW64\Mpjlklok.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mdhdajea.exe | C:\Windows\SysWOW64\Mplhql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgkjhe32.exe | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfkedibe.exe | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mpjlklok.exe | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nfgmjqop.exe | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcppfaka.exe | C:\Windows\SysWOW64\Pncgmkmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cffdpghg.exe | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Miemjaci.exe | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgefkimp.dll | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lffnijnj.dll | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmdlbjng.dll | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkmjgool.dll | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjddphlq.exe | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjfhhm32.dll | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| File created | C:\Windows\SysWOW64\Agocgbni.dll | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncdgcf32.exe | C:\Windows\SysWOW64\Npfkgjdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oponmilc.exe | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmdkch32.exe | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgngca32.dll | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjagjhnc.exe | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbloam32.dll | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmgjgcgo.exe | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdabcm32.exe | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfgmjqop.exe | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmcjlfqa.dll | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aeiofcji.exe | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Beeoaapl.exe | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmgjgcgo.exe | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacamdcd.dll | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File created | C:\Windows\SysWOW64\Llmglb32.dll | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bapiabak.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Dejacond.exe | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmlihfed.dll | C:\Windows\SysWOW64\Mpoefk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndcdmikd.exe | C:\Windows\SysWOW64\Nlmllkja.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmcdaagm.dll | C:\Windows\SysWOW64\Oddmdf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjeoglgc.exe | C:\Windows\SysWOW64\Pmannhhj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmidog32.exe | C:\Windows\SysWOW64\Pjjhbl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjmehkqk.exe | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Gifhkeje.dll | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aihbcp32.dll | C:\Windows\SysWOW64\Mplhql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfhkicbi.dll | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndhmhh32.exe | C:\Windows\SysWOW64\Nnneknob.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifoihl32.dll | C:\Windows\SysWOW64\Pncgmkmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Chokikeb.exe | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
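The rows above are one stage of a self-replicating chain: each process in the `Process` column writes the next eight-character executable (and usually a companion DLL) into SysWOW64, then runs it, which is why the process list further down reads as one long sequence of similar names. The following script is an added example, not part of the sandbox output, that rebuilds that chain from the table rows. It assumes rows in the report's `| Description | Indicator | Process | Target |` layout; the sample rows are a constructed subset copied from the table above, and the "generated name" regex is a heuristic for this family, not a Windows rule.

```python
"""Rebuild the stage-to-stage drop chain from 'Drops file in System32 directory' rows.

Added example for this report, not part of the sandbox output. Each row names
the file written (indicator column) and the process that wrote it (process
column); linking them shows that every stage writes the next stage's
executable, often alongside a companion DLL.
"""
import re
from collections import defaultdict

# Constructed subset of rows copied verbatim from the table above.
SAMPLE_ROWS = r"""
| File opened for modification | C:\Windows\SysWOW64\Mmlpoqpg.exe | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mpjlklok.exe | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgddhf32.exe | C:\Windows\SysWOW64\Mpjlklok.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjeoglgc.exe | C:\Windows\SysWOW64\Pmannhhj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmdkch32.exe | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Pflplnlg.exe | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfhkicbi.dll | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| File created | C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Miemjaci.exe | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjfhhm32.dll | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
"""


def parse_rows(text):
    """Yield (description, indicator, process) from the report's '|'-separated rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_graph(rows):
    """Return (exe_edges, dll_drops): writer -> [next-stage exe], writer -> [dropped dll]."""
    exe_edges = defaultdict(list)
    dll_drops = defaultdict(list)
    for _desc, target, writer in rows:
        w, t = basename(writer), basename(target)
        if t.lower().endswith(".exe"):
            if t not in exe_edges[w]:  # 'created' and 'opened' rows can repeat an edge
                exe_edges[w].append(t)
        elif t.lower().endswith(".dll"):
            dll_drops[w].append(t)
    return exe_edges, dll_drops


def chain_from(exe_edges, start):
    """Follow the chain from `start`; stop at a fork, a dead end or a cycle."""
    chain, seen = [start], {start}
    while True:
        nxt = exe_edges.get(chain[-1], [])
        if len(nxt) != 1 or nxt[0] in seen:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


def roots(exe_edges):
    """Writers that no row in the excerpt shows being written: the earliest visible stage."""
    written = {t for targets in exe_edges.values() for t in targets}
    return sorted(w for w in exe_edges if w not in written)


# Assumption: a naming heuristic for this family (capital letter plus seven
# lowercase letters or digits), not a Windows rule. Put an allow-list of known
# system binaries in front of it before using it for alerting.
GENERATED_NAME = re.compile(r"^[A-Z][a-z0-9]{7}\.(exe|dll)$")


def looks_generated(filename):
    return bool(GENERATED_NAME.match(filename))


if __name__ == "__main__":
    edges, drops = build_graph(parse_rows(SAMPLE_ROWS))
    for root in roots(edges):
        print(" -> ".join(chain_from(edges, root)))
    for writer, dlls in drops.items():
        print(writer, "dropped", ", ".join(dlls))
```

Because the table is an excerpt, the chains it yields are fragments (several roots rather than one), which is exactly what to expect: the full event log would join them into the single sequence visible in the process list. When hunting on a live host, the same walk over Sysmon Event ID 11 (FileCreate) records, restricted to writes into `SysWOW64` by a process that itself lives in `SysWOW64`, surfaces the chain without needing any of the names in this report.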
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ocdqjceo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mpjlklok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmannhhj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anadoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Neeqea32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndhmhh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdhdajea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgimcebb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfgmjqop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dejacond.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Accfbokl.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mplhql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll" | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dejacond.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll" | C:\Windows\SysWOW64\Miemjaci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll" | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pjjhbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll" | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dejacond.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocdqjceo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmannhhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll" | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll" | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Miemjaci.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Neeqea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
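Read together, the "Adds autorun key" rows (ShellServiceObjectDelayLoad value `Web Event Logger` = `{79FEACFF-FFCE-815E-A900-316290B5B738}`) and the "Modifies registry class" rows (that CLSID's `InProcServer32` default value pointing at a freshly dropped DLL in SysWow64, `ThreadingModel = Apartment`) describe one persistence mechanism: Explorer instantiates every SSODL CLSID at shell start, COM resolves the CLSID through `InProcServer32`, and the DLL named there is loaded into Explorer. Each stage of the chain re-points the same CLSID at its own DLL. The script below is an added example, not part of the sandbox output, that joins the two tables into one record per SSODL entry. It assumes rows in the report's table layout (the sample rows are a constructed subset copied from the tables on this page, with the report's doubled backslashes in REG_SZ data), and the "generated name" pattern it flags is a heuristic for this family, not a Windows rule.

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) persistence with its COM server DLL.

Added example for this report, not part of the sandbox output. It links
SSODL value -> CLSID -> InProcServer32 DLL from the report's registry rows
so the persistence chain is one record instead of dozens of scattered
events, and lists every DLL the CLSID was re-pointed at over the run.
"""
import re
from collections import defaultdict

# Constructed subset of rows copied from the "Adds autorun key" and
# "Modifies registry class" tables on this page.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll" | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
"""

# '<key path>\<value name> = "<data>"'; the value name is empty for a key's (Default) value.
SET_VALUE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')
CLSID_KEY = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32$")
GUID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def parse_rows(text):
    """Yield (description, indicator, process) from the report's '|'-separated rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def unescape_reg_path(data):
    """The report renders REG_SZ paths with doubled backslashes; collapse them."""
    return data.replace("\\\\", "\\")


def correlate_ssodl(rows):
    """Return {ssodl value name: {clsid, dlls, writers, threading}} in event order."""
    ssodl = {}                   # SSODL value name -> CLSID
    servers = defaultdict(list)  # CLSID -> [(dll path, process that set it)]
    threading = {}
    for desc, indicator, process in rows:
        if not desc.startswith("Set value"):
            continue
        m = SET_VALUE.match(indicator)
        if not m:
            continue
        key, name, data = m.group("key"), m.group("name"), m.group("data")
        if key.endswith("\\ShellServiceObjectDelayLoad") and GUID.match(data):
            ssodl[name] = data.upper()
            continue
        c = CLSID_KEY.search(key)
        if not c:
            continue
        clsid = c.group("clsid").upper()
        if name == "":                       # (Default) value: the in-process server path
            servers[clsid].append((unescape_reg_path(data), process))
        elif name == "ThreadingModel":
            threading[clsid] = data
    return {
        name: {
            "clsid": clsid,
            "dlls": [d for d, _ in servers.get(clsid, [])],
            "writers": [p for _, p in servers.get(clsid, [])],
            "threading": threading.get(clsid),
        }
        for name, clsid in ssodl.items()
    }


# Assumption: naming heuristic for this family, not a Windows rule.
GENERATED_NAME = re.compile(r"^[A-Z][a-z0-9]{7}\.dll$")


def triage(entry):
    """Reasons an SSODL entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    distinct = list(dict.fromkeys(entry["dlls"]))
    if len(distinct) > 1:
        reasons.append("InProcServer32 re-pointed %d times" % len(distinct))
    for dll in distinct:
        if GENERATED_NAME.match(dll.rsplit("\\", 1)[-1]):
            reasons.append("generated-looking server name: " + dll)
    if not distinct:
        reasons.append("SSODL CLSID has no InProcServer32 value in the events seen")
    return reasons


if __name__ == "__main__":
    for name, entry in correlate_ssodl(parse_rows(SAMPLE_ROWS)).items():
        print(name, entry["clsid"], entry["threading"])
        for dll, writer in zip(entry["dlls"], entry["writers"]):
            print("   ", dll, "<-", writer)
        print("   ", "; ".join(triage(entry)) or "nothing flagged")
```

The same join works on a live system by reading `HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` (and the `Wow6432Node` copy on 64-bit hosts) and resolving each value's CLSID under `HKCR\CLSID\{...}\InProcServer32`; any entry whose server DLL is unsigned, recently written, or not on a baseline of the host's known SSODL entries is worth pulling for analysis. Note that the `Target` column is `N/A` throughout these tables, so the writer process is the only attribution the report offers; the script keeps it next to each DLL for that reason.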
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
C:\Windows\SysWOW64\Lljfpnjg.exe
C:\Windows\system32\Lljfpnjg.exe
C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
C:\Windows\SysWOW64\Lbdolh32.exe
C:\Windows\system32\Lbdolh32.exe
C:\Windows\SysWOW64\Lgokmgjm.exe
C:\Windows\system32\Lgokmgjm.exe
C:\Windows\SysWOW64\Lphoelqn.exe
C:\Windows\system32\Lphoelqn.exe
C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
C:\Windows\SysWOW64\Mmlpoqpg.exe
C:\Windows\system32\Mmlpoqpg.exe
C:\Windows\SysWOW64\Mpjlklok.exe
C:\Windows\system32\Mpjlklok.exe
C:\Windows\SysWOW64\Mgddhf32.exe
C:\Windows\system32\Mgddhf32.exe
C:\Windows\SysWOW64\Mibpda32.exe
C:\Windows\system32\Mibpda32.exe
C:\Windows\SysWOW64\Mmnldp32.exe
C:\Windows\system32\Mmnldp32.exe
C:\Windows\SysWOW64\Mplhql32.exe
C:\Windows\system32\Mplhql32.exe
C:\Windows\SysWOW64\Mdhdajea.exe
C:\Windows\system32\Mdhdajea.exe
C:\Windows\SysWOW64\Mckemg32.exe
C:\Windows\system32\Mckemg32.exe
C:\Windows\SysWOW64\Miemjaci.exe
C:\Windows\system32\Miemjaci.exe
C:\Windows\SysWOW64\Mpoefk32.exe
C:\Windows\system32\Mpoefk32.exe
C:\Windows\SysWOW64\Mgimcebb.exe
C:\Windows\system32\Mgimcebb.exe
C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\system32\Mmbfpp32.exe
C:\Windows\SysWOW64\Mdmnlj32.exe
C:\Windows\system32\Mdmnlj32.exe
C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
C:\Windows\SysWOW64\Mlhbal32.exe
C:\Windows\system32\Mlhbal32.exe
C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
C:\Windows\SysWOW64\Npfkgjdn.exe
C:\Windows\system32\Npfkgjdn.exe
C:\Windows\SysWOW64\Ncdgcf32.exe
C:\Windows\system32\Ncdgcf32.exe
C:\Windows\SysWOW64\Nlmllkja.exe
C:\Windows\system32\Nlmllkja.exe
C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
C:\Windows\SysWOW64\Neeqea32.exe
C:\Windows\system32\Neeqea32.exe
C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
C:\Windows\SysWOW64\Nfgmjqop.exe
C:\Windows\system32\Nfgmjqop.exe
C:\Windows\SysWOW64\Nnneknob.exe
C:\Windows\system32\Nnneknob.exe
C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
C:\Windows\SysWOW64\Nckndeni.exe
C:\Windows\system32\Nckndeni.exe
C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe
C:\Windows\SysWOW64\Odmgcgbi.exe
C:\Windows\system32\Odmgcgbi.exe
C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\system32\Oneklm32.exe
C:\Windows\SysWOW64\Ocbddc32.exe
C:\Windows\system32\Ocbddc32.exe
C:\Windows\SysWOW64\Olkhmi32.exe
C:\Windows\system32\Olkhmi32.exe
C:\Windows\SysWOW64\Ocdqjceo.exe
C:\Windows\system32\Ocdqjceo.exe
C:\Windows\SysWOW64\Ofcmfodb.exe
C:\Windows\system32\Ofcmfodb.exe
C:\Windows\SysWOW64\Oddmdf32.exe
C:\Windows\system32\Oddmdf32.exe
C:\Windows\SysWOW64\Ofeilobp.exe
C:\Windows\system32\Ofeilobp.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
C:\Windows\SysWOW64\Pmannhhj.exe
C:\Windows\system32\Pmannhhj.exe
C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
C:\Windows\SysWOW64\Pmdkch32.exe
C:\Windows\system32\Pmdkch32.exe
C:\Windows\SysWOW64\Pflplnlg.exe
C:\Windows\system32\Pflplnlg.exe
C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
C:\Windows\SysWOW64\Pcppfaka.exe
C:\Windows\system32\Pcppfaka.exe
C:\Windows\SysWOW64\Pjjhbl32.exe
C:\Windows\system32\Pjjhbl32.exe
C:\Windows\SysWOW64\Pmidog32.exe
C:\Windows\system32\Pmidog32.exe
C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe
C:\Windows\SysWOW64\Qqfmde32.exe
C:\Windows\system32\Qqfmde32.exe
C:\Windows\SysWOW64\Qjoankoi.exe
C:\Windows\system32\Qjoankoi.exe
C:\Windows\SysWOW64\Qmmnjfnl.exe
C:\Windows\system32\Qmmnjfnl.exe
C:\Windows\SysWOW64\Qcgffqei.exe
C:\Windows\system32\Qcgffqei.exe
C:\Windows\SysWOW64\Ajanck32.exe
C:\Windows\system32\Ajanck32.exe
C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
C:\Windows\SysWOW64\Ambgef32.exe
C:\Windows\system32\Ambgef32.exe
C:\Windows\SysWOW64\Aeiofcji.exe
C:\Windows\system32\Aeiofcji.exe
C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
C:\Windows\SysWOW64\Anadoi32.exe
C:\Windows\system32\Anadoi32.exe
C:\Windows\SysWOW64\Aeklkchg.exe
C:\Windows\system32\Aeklkchg.exe
C:\Windows\SysWOW64\Agjhgngj.exe
C:\Windows\system32\Agjhgngj.exe
C:\Windows\SysWOW64\Ajhddjfn.exe
C:\Windows\system32\Ajhddjfn.exe
C:\Windows\SysWOW64\Amgapeea.exe
C:\Windows\system32\Amgapeea.exe
C:\Windows\SysWOW64\Aglemn32.exe
C:\Windows\system32\Aglemn32.exe
C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
C:\Windows\SysWOW64\Accfbokl.exe
C:\Windows\system32\Accfbokl.exe
C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
C:\Windows\SysWOW64\Bfhhoi32.exe
C:\Windows\system32\Bfhhoi32.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
C:\Windows\SysWOW64\Cfmajipb.exe
C:\Windows\system32\Cfmajipb.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
C:\Windows\SysWOW64\Chokikeb.exe
C:\Windows\system32\Chokikeb.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
C:\Windows\SysWOW64\Ddjejl32.exe
C:\Windows\system32\Ddjejl32.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
C:\Windows\SysWOW64\Dejacond.exe
C:\Windows\system32\Dejacond.exe
C:\Windows\SysWOW64\Dfknkg32.exe
C:\Windows\system32\Dfknkg32.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6084 -ip 6084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 404
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4220-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4220-1-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Lljfpnjg.exe
| MD5 | 5bbfe9ef819da1cfed001197dd6d85e4 |
| SHA1 | 391f309cc7d1094e3af3336b98ad04513a87ce33 |
| SHA256 | b3c1b24b083408f3ff8aecb2fdf20cc9052f20032e9ebd07a7fdd7b069ae3184 |
| SHA512 | aef8252623649430ef128d49182fc03f0e9cf6087115bb3f30ab63b7af2cd698a7c35541f3424720f2cef2819381eb4a276bb562bff68ec30298b356a8c75d15 |
C:\Windows\SysWOW64\Ldanqkki.exe
| MD5 | 72bf32a3c9b451855a541a9282074c91 |
| SHA1 | 83c5a46a77888df0d39919ba61b49c3ad4ac5076 |
| SHA256 | bf47427cde098da5d9e51c4902553b9209c03620ddf2a780bf12dee4437fcdf6 |
| SHA512 | 54a108c60e68dd6e87beadd545cc660924de3d85df4b4dd30938e7f04852fc5e745785b15269e90c22fe31739a8c7ef2af9e1507d29b25bc645447fbf2a2b846 |
memory/684-13-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1080-17-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lbdolh32.exe
| MD5 | 16bdce56d257084b46cc7611d33e20ad |
| SHA1 | 00dc13bef32c694c5747e58c22c70554189008e1 |
| SHA256 | 0e9082380a583f7056508f7e1f2c658c7d26446d244aea492a35ed36c906c884 |
| SHA512 | b9b7d23e74e6e1c042fd15dbcfb01b966fb55b84e9d033d675827438e91d47df465865b5952d2cc4025245a7e8b1f1d001eed05263cebe1b5434e15b1ffe36fe |
memory/948-29-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lgokmgjm.exe
| MD5 | f02337c1be1483aec7b83cf443acf9db |
| SHA1 | b4160375384eb346249d32dded311a1ccd16afc1 |
| SHA256 | 2574aa90c735eb349ac336739443f1e493aec17cc699c73ccc46e020ac75defd |
| SHA512 | ce246a7c8eca8e4a3cf64df4656479c1f8616a18c50db507320b7289c0440fcf6a54ad673d993aeeceafc2bb8e18618e3f918421396f3caf3e910e5abfce7bc5 |
memory/3044-32-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lphoelqn.exe
| MD5 | a229a0246a640309f2e3addd7d40b9c2 |
| SHA1 | f3a36375844b2ddfefe6fb5ae9fa0d93662590d3 |
| SHA256 | 0083deac75df46983e01dd4245caa8b7cff503a4a4620c1ccec9889347c9cddb |
| SHA512 | 20d487aeeee70cd0f35f74a5268ad05ff263b95a0b8bbcda7c07cc274fab7fe7ca87c8d1b96fa9c3b3f03ceb15db4db91e00037857ecd76f6885edb9ff9b3718 |
memory/3464-40-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mdckfk32.exe
| MD5 | 78d634887336e7796def6fe026a196da |
| SHA1 | 5672422034630b6f62101b2164593cee9814d247 |
| SHA256 | e48f5fa3b5d2993d0b8aba8d499b944a7250c16545b7294209dd8d9162eaf891 |
| SHA512 | 9d812c8c0b357c31c3e2a1783554289a082647b3d1b0682198ebd47bd9410e32e588e5584714e5a7d9eb436d9935bb682d9fade44525ff7e855809a83bf99a0e |
memory/460-49-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Medgncoe.exe
| MD5 | 0e1ec0dd74b35b4d75bcceb4cdb4fc5d |
| SHA1 | 61048498d887fddb78b234b9cf7e2d05de550152 |
| SHA256 | 658204a673b2b24b4daddae4f36286c62180d59c42305e4b94f8d48d72184584 |
| SHA512 | 2a4b5d5f8e830a59c4556969368b96d335231c7618c64b724d397b26ebcef947f9a64fac6e26e9542624d0f2fb97552c02a956722d40e588cc21486ac9f379f8 |
memory/3764-57-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mmlpoqpg.exe
| MD5 | 8da02547074f8a18d4d0d2d86137527a |
| SHA1 | 3448a5a5a6991840f97be59eed92a441f4beccf6 |
| SHA256 | 82bb993e08cd6ff1dedd5158c700fa6cfb0d136c37875aedc870050cc6442cfb |
| SHA512 | 91a49389233ca94c9af7b73fcc602b4b83895159679a2d5fd0aaf27904918c4dbf10274071ecdffcb84b1d26cc165a591bf4d4d81a70e8c4a6379023d04e2f61 |
memory/4040-65-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mpjlklok.exe
| MD5 | 5a65adfd8b2676141f1ba44d40a20c21 |
| SHA1 | dbf0b3b3b749888a099e00576e4b7d9b08cd8f55 |
| SHA256 | 2a1d670545f1a94174b12d607e011b5b8833c5d310d934a1304d8e6f29e855cd |
| SHA512 | 499d8f3acb5384f390d9d627e1b43df32567143633642a9c2fedd69cba7d90fd4be6e815fecac93046a5a4c3b77ca96a065e47f4af015e88cfdf124f1f25036f |
memory/4536-72-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mgddhf32.exe
| MD5 | a2f34518e45f9a425bfc25cea40d8070 |
| SHA1 | 324206a7001897e8bb493a1792660a9d05b18257 |
| SHA256 | e938206fb115cab4fc6ec316318ca340c069a4839369bcb51d1f6c83fe84e73a |
| SHA512 | 9b5ef859d93f8a87fb5db841bc0802e6a3a8c6d09c54e0811d81dbda7fa569fddd92b974078651bd5915f59cafe4721f3c05e81dbf60918be3c57f553ac11d83 |
memory/2072-80-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mibpda32.exe
| MD5 | b47ae40f499c5f5da02b124e260669d7 |
| SHA1 | b1ddfd0c842fb14fb3d8c01513f0bc739322eaad |
| SHA256 | e1ae362a24ec98b19027353d4f517794a65040b8b707af0470544f659171a782 |
| SHA512 | c9db6f6dea69dd013fd4ef5c57b627d0e966821cae91f579df0c33a04a4e6b9585772a660dbbc45439d10261f03f096c8a7090db44e33ccc42db087f374a3c32 |
memory/1524-89-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mmnldp32.exe
| MD5 | ca1fd0919f4bc47ab3b749668049d550 |
| SHA1 | 80e704c914e0ccd353b26e3e0140dbabd01831bd |
| SHA256 | 7eb112590379c08d8fe72d13c5f3bbcf625b72bbbfa3fb580909a86a09719821 |
| SHA512 | ef5747e6abddf9e5edcf4a5d904eabb971bf4b38ab4607921c036390a2f8ada0946ecf415e1599e1a406c53c5f7822b3664a4b026dc4f9db8cf86ee1d19e53a7 |
memory/3224-101-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mplhql32.exe
| MD5 | 0b96ce6f7abdb6e958e184f0fdadcfb2 |
| SHA1 | e56b628c568b5dbf9931408048791db4d7b0ed58 |
| SHA256 | e096e63c73e71e29a665c11bdac989c0f222ca44a17ecf43da4145c5db3841b8 |
| SHA512 | 3fbd81dc145023472e4eb786ed7fdfaff1d313022e3c3ffa7fa460eb4dd4e51d04d0e61a03c8e2b2b11d8cd23c588cc8277c60a821812212d3550c277fed8689 |
C:\Windows\SysWOW64\Mdhdajea.exe
| MD5 | 88ebad94208ef84c6b5a0fd2bbfb45c9 |
| SHA1 | 0e64c74c8f5058f848299796e01745f93cf710ae |
| SHA256 | 2be584bd8bd48260fb435ebf4c75e54881eabd892a4d978452983cf4f5532320 |
| SHA512 | 18b4c54843b73b86f87d39a181d7622bf546663bf3b5c3b17569b54cf5077e51bfdf97176bd97cf92a7ac4cc7e423e4071732b8724995481dee9c32be7355a75 |
memory/4872-113-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mckemg32.exe
| MD5 | 0d48d384b04983c98d069f6c7c15dc86 |
| SHA1 | 3ec21efdc465e855d131ecd6f33584d9d847e7a6 |
| SHA256 | df0dc07aaed658129704ad5534300159438bed2e7b09211a3aee48e46dc377a7 |
| SHA512 | 06d5f4ba79d6178e94911d5bd9ad0b4351aa1c3a300dc4013fd4b6f8caa3635edd64fc694d36cd62a899d92082078d8fd367ab6c6b5fd9cdff5baa90011a2e91 |
memory/1600-121-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3256-104-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Miemjaci.exe
| MD5 | 840fc97a795725c1e46cb7a52f26944e |
| SHA1 | 5e6e839daea77ea7b64421706b15e9c8ecc1f713 |
| SHA256 | ef9e8fc4b9de38e412582a748893fe2aa4a94b5c7c3918357c7244ff05991578 |
| SHA512 | 393e12b46376accfd1a6683b5f5315786e240629c01f486b6b3e5faa350a1e4fd26f4db278d38a4b329ed5071ba03e1415c49f95be3659a0734ea5ce93799866 |
memory/1520-128-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mpoefk32.exe
| MD5 | e0f705e816b713a3e637f90736c79dfc |
| SHA1 | bc05a87271a1f61c5a025dc51340cd0bd12c52d4 |
| SHA256 | 52b14f4aafa6678783de886c0de66ca4fda51a032ee4b725eddeca4d95ce7720 |
| SHA512 | ef307dcdfce003e484f5211b2f28b52b897fa458603f984da06efe82a305be0c758112ee02e9027070aaae0e6801368431b818b872d7fda35a109170b600053b |
memory/4084-137-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mgimcebb.exe
| MD5 | aa25ebcc1f5d73401c4fe047f0d87abf |
| SHA1 | bed3791ca3ef282425dceb6b835424f6c079b8e9 |
| SHA256 | 4231ad7773cbe49dac486e76e2158bb5aa211e01c54da840c1af6887b7c56bc5 |
| SHA512 | 669a5c621f5f65d70035c07fd18216a7e11724f5f85d30028553ec2a0c5bf3168fb673317a9bdf0fb0a46ad0241938228de3a40312ec5a70fc4785b265e9aa37 |
memory/4296-145-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mmbfpp32.exe
| MD5 | bf0933dbd8c3aaa59ef2cb3702d3bb88 |
| SHA1 | 9b320703031cbc8af04745462b73916786925b7a |
| SHA256 | 9e4953040ef90214e95497f79722e12875297406965ef6bd395072ba993cec91 |
| SHA512 | 12f093d868b7801f8277b44ad75d53bc8ba9389335b3562a83be3a86ea303cd42588a2ea8c2f210ce465e67614c49eb128b302b1112792f6881de624f99484a0 |
memory/3684-152-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mdmnlj32.exe
| MD5 | 1bd5808084aa4bc3890daf9aadc97396 |
| SHA1 | d9cb97721f2cde7f13483a0f714e27f7c20163d7 |
| SHA256 | caf280fb43d1516a61a0c36a50e3e5646d0ba685d62b150c8d146ed6ca54cc18 |
| SHA512 | f91195370cb47952471bb8e44d47092892cf51ff0f308fd09e741921e12e19d06fc3aee50f03b563a9080b5f51ecee297d8a29ad0e2df3e346dd3216e88edc2c |
memory/4992-160-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mgkjhe32.exe
| MD5 | 990027acf2425da0cd199b1eb68ff082 |
| SHA1 | faaa1c0be41d3caf0f88f6a234a6feda208c515b |
| SHA256 | 65e29413f81958e72d13a1cbd51314478548f30f7d1a3e5aaf98c93817aeda25 |
| SHA512 | a1c4ccbf088348524b653e4da1b51f4aa42af66d46298026b9611fce72e9d1ea0fa4caf819feff00b6c9e8c00a26e53fff6d03fbefa7ebd3fafd95c4c10ef610 |
memory/2228-168-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Mlhbal32.exe
| MD5 | f07b708620fc664552628e28521c3cc2 |
| SHA1 | 17082cbbc0b6e42e0922a6eaaeaf2a2e689cb0d7 |
| SHA256 | b1445f67cccd654c408d2e431ac67a79c054899358a76e73ce0e8cef57b86dea |
| SHA512 | 509cd3f73c6c30bf759a10748ef3b3ce0b0ff422b11fe79e3e3f837c5d5ada348db4678173fd23866d78f9814dfdabd473361172b1b431e9164089d939d1367d |
memory/4884-176-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ngmgne32.exe
| MD5 | d6ac6b2fd01b7533213fa9a12c8f8a4d |
| SHA1 | 915cbee4fec772cbe1922b395f900e6bc2896888 |
| SHA256 | 831c4d3ac7a39b62c4aa327ba5169c7594b151ae6b7be5f6ff0d684b5c48ba39 |
| SHA512 | 69979c1ef004293f1b0fc802517b76335f874c39b5ed42bbb7bb2457fd1db832499bbdcd66b8291b7c105c623269e0b20972718e08528d4bef125ce525812d3b |
memory/2592-184-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Npfkgjdn.exe
| MD5 | f54848b035e15d51d5f189c918b856c0 |
| SHA1 | 595bd8c4ebab09cd925a938135e1bea053c991f4 |
| SHA256 | 2ed652fbbf7b36de668afdb94b7607f88aad86df3b2a38b575305091801f850e |
| SHA512 | 8dabd67c0f1c1948b7094111285dd51101a4e36155d31d6fe6efd799c92058670ab7fccbf85c7d93771c3b299495345b582b326e81b434a70d524f5c8500c63d |
memory/4280-193-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ncdgcf32.exe
| MD5 | 010ffd14862f96d638da6b96d34707c2 |
| SHA1 | 6f3397b961fdb41e4087492fe726126faa1deb85 |
| SHA256 | 216a5fa4bcd25ee2d18e55810cfb9ba699fa45d23cf092f2432f0784512bd31c |
| SHA512 | 5451ebb17bb99dc8701d20f4bab263424bc2c3e329d526389d46c30776b3446dc41e695ee3c856b825d5995e4824373e9a983a07291016ac97cf5c3e48f4bde7 |
memory/2888-200-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Nlmllkja.exe
| MD5 | b818e162e6fd4631214eecb571baff4e |
| SHA1 | 9edea68262f47d9441ffe9eaa80d0a87999046b5 |
| SHA256 | 9e60289a1b87d2b984a514a47b1295075723a26af9f9ab54b51001f9632bb682 |
| SHA512 | 3f42804005134aa379fe446b84e579a271ad220bd679f5af37bd397ebbec06ac3dae7bdb39cbdff2a471fc9572ec54b22cd0ea3266f2525ec59537d4a977a71d |
memory/4932-208-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ndcdmikd.exe
| MD5 | 2d5dc76a66c15cf944a1bd3a6ab00d3a |
| SHA1 | 267897d734184bb75906b8920d90499939be121f |
| SHA256 | 6ae173c7f7ba8b444c324fc92ea2efc23db3d9042734c31aa7abaecb020954cb |
| SHA512 | 1926f52b0c33bae0ce2622a5a4f92a239238fc170cc8864bc0c450a9a77669df6eb2776884a6d41427776475763b49264d3a2efa8c5cbeef3b10820a6c182f26 |
memory/3100-216-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Neeqea32.exe
| MD5 | 311d7407e6c3f720ae3e89f509a632f4 |
| SHA1 | 2b73e7104c4a679854064acf3cccf9761cb62fef |
| SHA256 | b64ca0346f4349c3271ee6079a81e8d12f8404fc704a85791d94d84db062d371 |
| SHA512 | f7f7f57d853a4962acd4f9eb256420b9960ae564951f3d60b99a7ceb4676da10e82daaa8fb87f966a1196031f12f16ba22a3453585ec00bbb1d5083f1e572eac |
memory/3564-224-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Nnlhfn32.exe
| MD5 | 32fe9d4e842fabfe4181fbff37828cea |
| SHA1 | f14be765520da14f8c42f2d932c9d6fd1101f5a0 |
| SHA256 | d7bf52d118d4a7a3cf41014bdd03ae7439ea97fe55a32eff9369d8d2d106afb5 |
| SHA512 | f83573d51591b2002ccf53533a6c7941467c27acfc21b8a5c7e0f46cc5fb4a3c5aba7609a16229072fe37d665cf4d6181052887d8b6aabe465906df8ee185441 |
memory/1020-232-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Nfgmjqop.exe
| MD5 | 13013aa8f5586c63ea6b09ce42c03907 |
| SHA1 | cda7406ef3a17968548a82c67ca6103574aa34f5 |
| SHA256 | 7fc6f2019af0c606bfcec07320331d13a72dc71821641a2d5efd0f5fd6db5e1e |
| SHA512 | fb1be628a6556e165f260a5e54dd6e046148aba199d8077418531961551b69a2a07a5cb88174b98fd953d90e19e34d7972580056b247873eb154d5f1a81d6187 |
memory/4228-245-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Nnneknob.exe
| MD5 | 940381385c22659cc9b7b4a7a742e4ec |
| SHA1 | 3aec2e78403810d3908e65943cf9326a81de36c1 |
| SHA256 | 3f0c80a7f1b93daa5eee251f62dd26f7d7b0dcc94187bcec4f4cb8b88dcec175 |
| SHA512 | 3d5d65e29436e79bce342f24d341571d31b012620df2542d4eaf71900490f68e93fe5d911e80260a145f68340e0c0c2b8778f36d025a23ec89ab2de370b3b502 |
memory/1772-248-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ndhmhh32.exe
| MD5 | 00e1aef2b36556d48e7f21e77172380f |
| SHA1 | 74301df74b9d07701ea63487213aa842ca95c991 |
| SHA256 | b401a12cdc8f5b0aefb916f3854738f720c95b1df51609eac3a3fe1e0e7efae6 |
| SHA512 | 972688ba3a05e2c6ec7115c6be3cdca90496b45e34969f5303e523db1d5e8d6292385d62d17f540140b7b6c482e2b29ed01cebf569ac6028e0a2dd180e29bd63 |
memory/4828-261-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2080-263-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3940-269-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4300-275-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3036-281-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4060-287-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2856-293-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2148-299-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Olkhmi32.exe
| MD5 | 2144a018d6643fe39ae776b73e221b0c |
| SHA1 | f274ef23daa4a64992b9849cdb693fbbf3b31a95 |
| SHA256 | e85ac45900b9b57516266e0e9e0a2ae29c941387a16b3e801b522295e152d0a8 |
| SHA512 | dfc299bb2aa034f6217ca1a6719b867fa39d567449fbcd4b68a581ab3fe23bef8229df3f56ee6880ef04181a259b30ee326f7c3f64386fbaf6aed27f155c67e9 |
memory/4264-305-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4184-311-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3812-317-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1944-323-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ofeilobp.exe
| MD5 | dc9ca8869866eba3fbba96522d462049 |
| SHA1 | ef93044cd9411520e12c6b42cf4cbbc39f82d2eb |
| SHA256 | d26046fe134578fa74a22306e23360262958fb81d36acba1083065996cbfb2d4 |
| SHA512 | 05bfe314f2613ab14b992015bfa1bb58b50b28954465fa268c43d08f7063dd541e799f33052bc5769530fe7c9772d9ae58efae58a129444a61e252487ff51702 |
memory/3120-329-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3136-335-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4924-341-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3808-347-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4688-353-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Pflplnlg.exe
| MD5 | 24a57971b35a47f03bcdd5a01b0f399b |
| SHA1 | 65da4aa9241ecba93d0ef1999b750758dfacd760 |
| SHA256 | d74d559644c612cf14b49607833ff056ec8fe0c94dbcefde0fd0eda87e73b5f0 |
| SHA512 | 1de7564944711fcda38c149175aabc405cfe17f852a4b12fbdb7ddf7635c1e2e6db57a75fddf52d4bfdda17c53069f08e32b4c4b0edd6ff98f66549ac1a4c84c |
memory/3024-359-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3144-365-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4004-371-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5072-377-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3924-387-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2056-389-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1684-395-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qqfmde32.exe
| MD5 | 74055f0f8f07b09575f567db643f1269 |
| SHA1 | b706b55a07098255dc443b7ce369e1a64a1a1759 |
| SHA256 | f2d5157d6dde88495fbe2b8603fcde2c808ae2fc70899849d265dbdf17b279d5 |
| SHA512 | c7d83a30e690910b474148d41263478ce5bdf061ff1f4ae5b3d0867237b6bb78ca9e920b14d4e994ea4587b1a694a9acab5c4b39b0dc73471579b1e0477c6855 |
memory/3556-401-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Qjoankoi.exe
| MD5 | 533a52435e761700e636190e469894d3 |
| SHA1 | 4f70f4d6e37bc01f56e25270e5d96457863ac1b3 |
| SHA256 | 6eb79dd8e60220ea727c5aaf65dd2cabff67defb615b9930707f7638493b9fc1 |
| SHA512 | d38ebe66f51a65b97d4229a86760ccdbebf5c0691e844cc3e17603448e984f1c99ba9065977dd2810959854934d0ebef586c695f6134f6ac5f73fb6f5faf7cdd |
memory/4484-407-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1112-413-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4336-419-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ajanck32.exe
| MD5 | 3bb936fe95fd1945f02450371611beba |
| SHA1 | 658c8ff6bd60baa17cb360f4a5723189e988eeda |
| SHA256 | e1153af926648fd3cc3b0db2e7f830e642823fd3d4f2cc6ea552ce409bcf9e08 |
| SHA512 | 53a36f0caa8303afcc349ee002da845f8dba2d4e29de0b7b64342e16206e41a4d6f3947a275b8a4cafbc1c60f31a2f123c1430a657bce16a43454dfecf310d31 |
memory/4768-425-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4080-431-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4388-437-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4188-447-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3804-449-0x0000000000400000-0x0000000000440000-memory.dmp
memory/8-455-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2512-461-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1672-467-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1848-473-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2684-479-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Aglemn32.exe
| MD5 | 4824f095e6c398d6947b9eec0c5f79c4 |
| SHA1 | c7b3abc8f0e1cba15521448840e5e81acf40bb4d |
| SHA256 | 717677ed220589879bf2a35d91d65532aaf145ce63530541e0815b594820ac1e |
| SHA512 | 556276ac8fbbfe962adb475eac89bd45bfc300c8845ab9b2cb3e81d4055635b0e513914794218e39a3c624972fbab1266716478b7e42097822215c30d1bf1d84 |
memory/4428-485-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1208-491-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2568-497-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-503-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bmkjkd32.exe
| MD5 | db88d8bea48c7313ba1bf5b12a9ed398 |
| SHA1 | c9e472e25cc9ff0e67138ec6d602927aebeb23e0 |
| SHA256 | e1fb896c718bdba18c2685ba3de2046a9acc59213aac1ad5c822be5d734bc853 |
| SHA512 | 1dc1dbe21ea15fd9ec386f48ad488068d33b197d2d57de0020a2dc23075ddaad82377593f9c79313121b4b518e91489162026da637d0fe77b91ce978ed38567f |
memory/3688-509-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2896-515-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bjokdipf.exe
| MD5 | 880804e680e4d56bae3af28d0081cce2 |
| SHA1 | ad6df31f7fda2103418737dbb756d37648adb7c4 |
| SHA256 | 68e04ce72084cf01ba07882f7a2d1de7f98e472f9a232124ff704ce95f7e6b37 |
| SHA512 | cf85019a07504c7014e049729e7a1d00ea827e560030c7d5546fbcd5ab4474130c4e54e6e734e2e28f0401547ad4cf37fdc8e0e276fb538268cc9a1d1d8ceeb1 |
memory/3312-525-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3996-527-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2560-533-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bjagjhnc.exe
| MD5 | 5132174da5d7dfdc3e3c188a5922395e |
| SHA1 | 99aba03207a97594ab4058c55fc45575a8d06da6 |
| SHA256 | d05cbde9c5d02557e10275c2d7630a1a6c005abc921ddea64ca7fef5cd84a489 |
| SHA512 | 77eab5e5920d3404a12fcd0d7cd2cf8107638fce04629064ef6d3f27ca8dfad34e45508dd53e86f9823abc0de2277d43c65a9f959c8d9df00dc07836568662ac |
memory/4220-539-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1860-540-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3192-550-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1716-552-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1080-558-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3096-561-0x0000000000400000-0x0000000000440000-memory.dmp
memory/948-565-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1984-566-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3044-572-0x0000000000400000-0x0000000000440000-memory.dmp
memory/380-575-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3464-579-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4968-580-0x0000000000400000-0x0000000000440000-memory.dmp
memory/460-586-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4476-591-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4320-594-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3764-593-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Cdabcm32.exe
| MD5 | b8855f196838cc0cfd07aed295e42abd |
| SHA1 | 5ffd94170f3b7d570b410180db6adbd226f1fe8a |
| SHA256 | d71d35643948271ad3ef9302b8143b8ec72ee87b8f7f5fc068eea5e414abddd3 |
| SHA512 | 12c5c2c05f6c27beb369f00f9e5c17893784da0f5943db32c8025299b3d47b27c10deef7a324aa8e2d0f9249a19892e18735e24cccfeb7b6e90ef73e142ae6ad |
C:\Windows\SysWOW64\Chokikeb.exe
| MD5 | fb40f5d82f2768a2d3ef64a888c4f5da |
| SHA1 | 585913574b95c289f36412e6ba09b71a3abdccfe |
| SHA256 | 49fc90e0bdf0b1d4c50dfc02218b2c61da0f86fc60c2cd01d6804012c3c14a50 |
| SHA512 | 16537a313553916e78d01627f07f00edb9b9ea2a0d6be38d3afe5978933e1acb7e26ce4acfe166d285e1f1fb2ca20c5833c2f6612a7fd760b9ba95890f210195 |
C:\Windows\SysWOW64\Dmcibama.exe
| MD5 | 199ee54f147e5386810d8a924101ec2f |
| SHA1 | 5d62a65bd0e74d6e7de3d818ba43d4f21e3d7861 |
| SHA256 | 2664a7c9f5239e804998a75f76ec79224be92c6bebba0721e7ab3586fd700da8 |
| SHA512 | a55338e3d293d3e5bef7a40e547a012160d308ddcbd6a1b6cff26879a7f0563509c7437f68d41ee4302564155161cc744209df51f47a449ba4df758e43859657 |
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |