Malware Analysis Report

2024-10-24 19:01

Sample ID: 240916-na1dcsvalj
Target: Backdoor.Win32.Berbew.pz-044f6504dbc9b11acb015c1c8934d822b164f894e50004e6216c81220d86c911N
SHA256: 044f6504dbc9b11acb015c1c8934d822b164f894e50004e6216c81220d86c911
Tags: berbew backdoor discovery persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 044f6504dbc9b11acb015c1c8934d822b164f894e50004e6216c81220d86c911

Threat Level: Known bad

The file Backdoor.Win32.Berbew.pz-044f6504dbc9b11acb015c1c8934d822b164f894e50004e6216c81220d86c911N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-16 11:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-16 11:12
Reported: 2024-09-16 11:14
Platform: win7-20240903-en
Max time kernel: 33s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbdnko32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odlojanh.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pomfkndo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qodlkm32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajecmj32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baadng32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pokieo32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Blobjaba.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfkpqn32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnkbam32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cbdnko32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chkmkacq.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oghopm32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qeaedd32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apdhjq32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpceidcn.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinfhigl.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Onecbg32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmlmic32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qijdocfj.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afgkfl32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bejdiffp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Clmbddgp.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oghopm32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aecaidjl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnielm32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oopfakpa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bajomhbl.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Piekcd32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnkbam32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Onecbg32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oancnfoe.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfkpqn32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odoloalf.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfdabino.exe | N/A

Berbew

backdoor berbew

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Oeeecekc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oomjlk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oalfhf32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oghopm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oopfakpa.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oancnfoe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odlojanh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Okfgfl32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Onecbg32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odoloalf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pjldghjm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pgpeal32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pjnamh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmlmic32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pokieo32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pfdabino.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pomfkndo.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Piekcd32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pfikmh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qijdocfj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qodlkm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qeaedd32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qgoapp32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Aecaidjl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Acfaeq32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Anlfbi32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Afgkfl32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Aaloddnn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Apoooa32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ajecmj32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Amcpie32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Aaolidlk.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Alhmjbhj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Apdhjq32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Acpdko32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Abbeflpf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Afnagk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bilmcf32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bpfeppop.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bnielm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bbdallnd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Becnhgmg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Biojif32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Blmfea32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bnkbam32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bajomhbl.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Beejng32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Biafnecn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Blobjaba.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oeeecekc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oeeecekc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oomjlk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oomjlk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oalfhf32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oalfhf32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oghopm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oghopm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oopfakpa.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oopfakpa.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oancnfoe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Oancnfoe.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odlojanh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odlojanh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Okfgfl32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Okfgfl32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Onecbg32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Onecbg32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odoloalf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odoloalf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pjldghjm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pjldghjm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pgpeal32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pgpeal32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pjnamh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pjnamh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmlmic32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmlmic32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pokieo32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pokieo32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pfdabino.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pfdabino.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pomfkndo.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pomfkndo.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Piekcd32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Piekcd32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pfikmh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pfikmh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qijdocfj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qijdocfj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qodlkm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qodlkm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qeaedd32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qeaedd32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Pfdabino.exe | C:\Windows\SysWOW64\Pokieo32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Qbplbi32.exe | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A
File created | C:\Windows\SysWOW64\Aliolp32.dll | C:\Windows\SysWOW64\Oopfakpa.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Okfgfl32.exe | C:\Windows\SysWOW64\Odlojanh.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Blmfea32.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Cpceidcn.exe | C:\Windows\SysWOW64\Baadng32.exe | N/A
File created | C:\Windows\SysWOW64\Cgpjlnhh.exe | C:\Windows\SysWOW64\Cbdnko32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\SysWOW64\Bjdplm32.exe | N/A
File created | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Pomfkndo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Qeaedd32.exe | C:\Windows\SysWOW64\Qodlkm32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bpfeppop.exe | C:\Windows\SysWOW64\Bilmcf32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Cfnmfn32.exe | C:\Windows\SysWOW64\Chkmkacq.exe | N/A
File created | C:\Windows\SysWOW64\Dqcngnae.dll | C:\Windows\SysWOW64\Cmgechbh.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Oancnfoe.exe | C:\Windows\SysWOW64\Oopfakpa.exe | N/A
File created | C:\Windows\SysWOW64\Ennlme32.dll | C:\Windows\SysWOW64\Bpfeppop.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Biojif32.exe | C:\Windows\SysWOW64\Becnhgmg.exe | N/A
File created | C:\Windows\SysWOW64\Bjpdmqog.dll | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A
File created | C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Bbdallnd.exe | N/A
File created | C:\Windows\SysWOW64\Bbikgk32.exe | C:\Windows\SysWOW64\Blobjaba.exe | N/A
File created | C:\Windows\SysWOW64\Aohjlnjk.dll | C:\Windows\SysWOW64\Odlojanh.exe | N/A
File created | C:\Windows\SysWOW64\Aoogfhfp.dll | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A
File created | C:\Windows\SysWOW64\Qjnmlk32.exe | C:\Windows\SysWOW64\Qgoapp32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Aecaidjl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Apoooa32.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A
File created | C:\Windows\SysWOW64\Bnkbam32.exe | C:\Windows\SysWOW64\Blmfea32.exe | N/A
File created | C:\Windows\SysWOW64\Pqfjpj32.dll | C:\Windows\SysWOW64\Afnagk32.exe | N/A
File created | C:\Windows\SysWOW64\Pdiadenf.dll | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Ckiigmcd.exe | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Oomjlk32.exe | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Pomfkndo.exe | C:\Windows\SysWOW64\Pfdabino.exe | N/A
File created | C:\Windows\SysWOW64\Bhhpeafc.exe | C:\Windows\SysWOW64\Bejdiffp.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Jodjlm32.dll | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A
File created | C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A
File created | C:\Windows\SysWOW64\Ncmdic32.dll | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
File created | C:\Windows\SysWOW64\Koldhi32.dll | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A
File created | C:\Windows\SysWOW64\Bfkpqn32.exe | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A
File created | C:\Windows\SysWOW64\Ipgljgoi.dll | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bnielm32.exe | C:\Windows\SysWOW64\Bpfeppop.exe | N/A
File created | C:\Windows\SysWOW64\Biafnecn.exe | C:\Windows\SysWOW64\Beejng32.exe | N/A
File created | C:\Windows\SysWOW64\Ljacemio.dll | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A
File created | C:\Windows\SysWOW64\Cbgjqo32.exe | C:\Windows\SysWOW64\Cphndc32.exe | N/A
File created | C:\Windows\SysWOW64\Bqjfjb32.dll | C:\Windows\SysWOW64\Oomjlk32.exe | N/A
File created | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A
File created | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Aecaidjl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bhdgjb32.exe | C:\Windows\SysWOW64\Biafnecn.exe | N/A
File created | C:\Windows\SysWOW64\Bmeimhdj.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Chkmkacq.exe | C:\Windows\SysWOW64\Cpceidcn.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Pomfkndo.exe | N/A
File created | C:\Windows\SysWOW64\Bnielm32.exe | C:\Windows\SysWOW64\Bpfeppop.exe | N/A
File created | C:\Windows\SysWOW64\Ekdnehnn.dll | C:\Windows\SysWOW64\Biojif32.exe | N/A
File created | C:\Windows\SysWOW64\Cbdnko32.exe | C:\Windows\SysWOW64\Cpfaocal.exe | N/A
File created | C:\Windows\SysWOW64\Clmbddgp.exe | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A
File created | C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
File created | C:\Windows\SysWOW64\Aeqabgoj.exe | C:\Windows\SysWOW64\Afnagk32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\SysWOW64\Cmgechbh.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Pmjqcc32.exe | C:\Windows\SysWOW64\Pjldghjm.exe | N/A
File created | C:\Windows\SysWOW64\Pokieo32.exe | C:\Windows\SysWOW64\Pmlmic32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Ajgpbj32.exe | C:\Windows\SysWOW64\Aaolidlk.exe | N/A
File created | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Bbdallnd.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oalfhf32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odoloalf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbgjqo32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apdhjq32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Becnhgmg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biojif32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cinfhigl.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceegmj32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qbplbi32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qodlkm32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biafnecn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdkgocpm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfaocal.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohcaoajg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qeaedd32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaolidlk.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmgechbh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cphndc32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pomfkndo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apoooa32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amcpie32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acpdko32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bpfeppop.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blmfea32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baadng32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oeeecekc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oghopm32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aecaidjl.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgpjlnhh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Onecbg32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pokieo32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Piekcd32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgoapp32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbdnko32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgpeal32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bilmcf32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkglameg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oomjlk32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anlfbi32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alhmjbhj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abbeflpf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjdplm32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhhpeafc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oancnfoe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afgkfl32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajecmj32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blobjaba.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbikgk32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oopfakpa.exe | N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohcaoajg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll" C:\Windows\SysWOW64\Pjnamh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blmfea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll" C:\Windows\SysWOW64\Blmfea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfikmh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll" C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnielm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll" C:\Windows\SysWOW64\Bnielm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Beejng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" C:\Windows\SysWOW64\Pfikmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Biojif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdkgocpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll" C:\Windows\SysWOW64\Odlojanh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odlojanh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bajomhbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qbplbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll" C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll" C:\Windows\SysWOW64\Cgpjlnhh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apoooa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" C:\Windows\SysWOW64\Apdhjq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Onecbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" C:\Windows\SysWOW64\Becnhgmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" C:\Windows\SysWOW64\Piekcd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnkbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" C:\Windows\SysWOW64\Chkmkacq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbhhkda.dll" C:\Windows\SysWOW64\Pgpeal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll" C:\Windows\SysWOW64\Pokieo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anlfbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajecmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afnagk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaofqdkb.dll" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" C:\Windows\SysWOW64\Oopfakpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onecbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcdipnqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qbplbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cbdnko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Odlojanh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cinfhigl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oalfhf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Piekcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll" C:\Windows\SysWOW64\Biojif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chkmkacq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 2748 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 2748 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 2748 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 2876 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Ohcaoajg.exe
PID 2876 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Ohcaoajg.exe
PID 2876 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Ohcaoajg.exe
PID 2876 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Ohcaoajg.exe
PID 2284 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Ohcaoajg.exe C:\Windows\SysWOW64\Oomjlk32.exe
PID 2284 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Ohcaoajg.exe C:\Windows\SysWOW64\Oomjlk32.exe
PID 2284 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Ohcaoajg.exe C:\Windows\SysWOW64\Oomjlk32.exe
PID 2284 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Ohcaoajg.exe C:\Windows\SysWOW64\Oomjlk32.exe
PID 2636 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Oomjlk32.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 2636 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Oomjlk32.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 2636 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Oomjlk32.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 2636 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Oomjlk32.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 2244 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oghopm32.exe
PID 2244 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oghopm32.exe
PID 2244 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oghopm32.exe
PID 2244 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oghopm32.exe
PID 1084 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Oghopm32.exe C:\Windows\SysWOW64\Oopfakpa.exe
PID 1084 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Oghopm32.exe C:\Windows\SysWOW64\Oopfakpa.exe
PID 1084 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Oghopm32.exe C:\Windows\SysWOW64\Oopfakpa.exe
PID 1084 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Oghopm32.exe C:\Windows\SysWOW64\Oopfakpa.exe
PID 2828 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Oopfakpa.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 2828 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Oopfakpa.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 2828 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Oopfakpa.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 2828 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Oopfakpa.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 2324 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 2324 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 2324 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 2324 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Odlojanh.exe
PID 2980 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 2980 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 2980 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 2980 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Odlojanh.exe C:\Windows\SysWOW64\Okfgfl32.exe
PID 1824 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Onecbg32.exe
PID 1824 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Onecbg32.exe
PID 1824 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Onecbg32.exe
PID 1824 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Okfgfl32.exe C:\Windows\SysWOW64\Onecbg32.exe
PID 1980 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Onecbg32.exe C:\Windows\SysWOW64\Odoloalf.exe
PID 1980 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Onecbg32.exe C:\Windows\SysWOW64\Odoloalf.exe
PID 1980 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Onecbg32.exe C:\Windows\SysWOW64\Odoloalf.exe
PID 1980 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Onecbg32.exe C:\Windows\SysWOW64\Odoloalf.exe
PID 2480 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Odoloalf.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 2480 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Odoloalf.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 2480 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Odoloalf.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 2480 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Odoloalf.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 2116 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2116 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2116 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 2116 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pjldghjm.exe
PID 1440 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pmjqcc32.exe
PID 1440 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pmjqcc32.exe
PID 1440 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pmjqcc32.exe
PID 1440 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Pjldghjm.exe C:\Windows\SysWOW64\Pmjqcc32.exe
PID 2112 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Pmjqcc32.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 2112 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Pmjqcc32.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 2112 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Pmjqcc32.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 2112 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Pmjqcc32.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 2120 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 2120 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 2120 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pgpeal32.exe
PID 2120 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pgpeal32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Oeeecekc.exe

C:\Windows\system32\Oeeecekc.exe

C:\Windows\SysWOW64\Ohcaoajg.exe

C:\Windows\system32\Ohcaoajg.exe

C:\Windows\SysWOW64\Oomjlk32.exe

C:\Windows\system32\Oomjlk32.exe

C:\Windows\SysWOW64\Oalfhf32.exe

C:\Windows\system32\Oalfhf32.exe

C:\Windows\SysWOW64\Oghopm32.exe

C:\Windows\system32\Oghopm32.exe

C:\Windows\SysWOW64\Oopfakpa.exe

C:\Windows\system32\Oopfakpa.exe

C:\Windows\SysWOW64\Oancnfoe.exe

C:\Windows\system32\Oancnfoe.exe

C:\Windows\SysWOW64\Odlojanh.exe

C:\Windows\system32\Odlojanh.exe

C:\Windows\SysWOW64\Okfgfl32.exe

C:\Windows\system32\Okfgfl32.exe

C:\Windows\SysWOW64\Onecbg32.exe

C:\Windows\system32\Onecbg32.exe

C:\Windows\SysWOW64\Odoloalf.exe

C:\Windows\system32\Odoloalf.exe

C:\Windows\SysWOW64\Ogmhkmki.exe

C:\Windows\system32\Ogmhkmki.exe

C:\Windows\SysWOW64\Pjldghjm.exe

C:\Windows\system32\Pjldghjm.exe

C:\Windows\SysWOW64\Pmjqcc32.exe

C:\Windows\system32\Pmjqcc32.exe

C:\Windows\SysWOW64\Pcdipnqn.exe

C:\Windows\system32\Pcdipnqn.exe

C:\Windows\SysWOW64\Pgpeal32.exe

C:\Windows\system32\Pgpeal32.exe

C:\Windows\SysWOW64\Pjnamh32.exe

C:\Windows\system32\Pjnamh32.exe

C:\Windows\SysWOW64\Pmlmic32.exe

C:\Windows\system32\Pmlmic32.exe

C:\Windows\SysWOW64\Pokieo32.exe

C:\Windows\system32\Pokieo32.exe

C:\Windows\SysWOW64\Pfdabino.exe

C:\Windows\system32\Pfdabino.exe

C:\Windows\SysWOW64\Pomfkndo.exe

C:\Windows\system32\Pomfkndo.exe

C:\Windows\SysWOW64\Pbkbgjcc.exe

C:\Windows\system32\Pbkbgjcc.exe

C:\Windows\SysWOW64\Piekcd32.exe

C:\Windows\system32\Piekcd32.exe

C:\Windows\SysWOW64\Pkdgpo32.exe

C:\Windows\system32\Pkdgpo32.exe

C:\Windows\SysWOW64\Pfikmh32.exe

C:\Windows\system32\Pfikmh32.exe

C:\Windows\SysWOW64\Pmccjbaf.exe

C:\Windows\system32\Pmccjbaf.exe

C:\Windows\SysWOW64\Qbplbi32.exe

C:\Windows\system32\Qbplbi32.exe

C:\Windows\SysWOW64\Qijdocfj.exe

C:\Windows\system32\Qijdocfj.exe

C:\Windows\SysWOW64\Qkhpkoen.exe

C:\Windows\system32\Qkhpkoen.exe

C:\Windows\SysWOW64\Qodlkm32.exe

C:\Windows\system32\Qodlkm32.exe

C:\Windows\SysWOW64\Qeaedd32.exe

C:\Windows\system32\Qeaedd32.exe

C:\Windows\SysWOW64\Qgoapp32.exe

C:\Windows\system32\Qgoapp32.exe

C:\Windows\SysWOW64\Qjnmlk32.exe

C:\Windows\system32\Qjnmlk32.exe

C:\Windows\SysWOW64\Aecaidjl.exe

C:\Windows\system32\Aecaidjl.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Ajpjakhc.exe

C:\Windows\system32\Ajpjakhc.exe

C:\Windows\SysWOW64\Anlfbi32.exe

C:\Windows\system32\Anlfbi32.exe

C:\Windows\SysWOW64\Afgkfl32.exe

C:\Windows\system32\Afgkfl32.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Apoooa32.exe

C:\Windows\system32\Apoooa32.exe

C:\Windows\SysWOW64\Ajecmj32.exe

C:\Windows\system32\Ajecmj32.exe

C:\Windows\SysWOW64\Amcpie32.exe

C:\Windows\system32\Amcpie32.exe

C:\Windows\SysWOW64\Aaolidlk.exe

C:\Windows\system32\Aaolidlk.exe

C:\Windows\SysWOW64\Ajgpbj32.exe

C:\Windows\system32\Ajgpbj32.exe

C:\Windows\SysWOW64\Alhmjbhj.exe

C:\Windows\system32\Alhmjbhj.exe

C:\Windows\SysWOW64\Apdhjq32.exe

C:\Windows\system32\Apdhjq32.exe

C:\Windows\SysWOW64\Acpdko32.exe

C:\Windows\system32\Acpdko32.exe

C:\Windows\SysWOW64\Abbeflpf.exe

C:\Windows\system32\Abbeflpf.exe

C:\Windows\SysWOW64\Afnagk32.exe

C:\Windows\system32\Afnagk32.exe

C:\Windows\SysWOW64\Aeqabgoj.exe

C:\Windows\system32\Aeqabgoj.exe

C:\Windows\SysWOW64\Bilmcf32.exe

C:\Windows\system32\Bilmcf32.exe

C:\Windows\SysWOW64\Bpfeppop.exe

C:\Windows\system32\Bpfeppop.exe

C:\Windows\SysWOW64\Bnielm32.exe

C:\Windows\system32\Bnielm32.exe

C:\Windows\SysWOW64\Bbdallnd.exe

C:\Windows\system32\Bbdallnd.exe

C:\Windows\SysWOW64\Bfpnmj32.exe

C:\Windows\system32\Bfpnmj32.exe

C:\Windows\SysWOW64\Becnhgmg.exe

C:\Windows\system32\Becnhgmg.exe

C:\Windows\SysWOW64\Biojif32.exe

C:\Windows\system32\Biojif32.exe

C:\Windows\SysWOW64\Blmfea32.exe

C:\Windows\system32\Blmfea32.exe

C:\Windows\SysWOW64\Bnkbam32.exe

C:\Windows\system32\Bnkbam32.exe

C:\Windows\SysWOW64\Bajomhbl.exe

C:\Windows\system32\Bajomhbl.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Biafnecn.exe

C:\Windows\system32\Biafnecn.exe

C:\Windows\SysWOW64\Bhdgjb32.exe

C:\Windows\system32\Bhdgjb32.exe

C:\Windows\SysWOW64\Blobjaba.exe

C:\Windows\system32\Blobjaba.exe

C:\Windows\SysWOW64\Bbikgk32.exe

C:\Windows\system32\Bbikgk32.exe

C:\Windows\SysWOW64\Bdkgocpm.exe

C:\Windows\system32\Bdkgocpm.exe

C:\Windows\SysWOW64\Bjdplm32.exe

C:\Windows\system32\Bjdplm32.exe

C:\Windows\SysWOW64\Bmclhi32.exe

C:\Windows\system32\Bmclhi32.exe

C:\Windows\SysWOW64\Bejdiffp.exe

C:\Windows\system32\Bejdiffp.exe

C:\Windows\SysWOW64\Bhhpeafc.exe

C:\Windows\system32\Bhhpeafc.exe

C:\Windows\SysWOW64\Bhhpeafc.exe

C:\Windows\system32\Bhhpeafc.exe

C:\Windows\SysWOW64\Bfkpqn32.exe

C:\Windows\system32\Bfkpqn32.exe

C:\Windows\SysWOW64\Bkglameg.exe

C:\Windows\system32\Bkglameg.exe

C:\Windows\SysWOW64\Bmeimhdj.exe

C:\Windows\system32\Bmeimhdj.exe

C:\Windows\SysWOW64\Baadng32.exe

C:\Windows\system32\Baadng32.exe

C:\Windows\SysWOW64\Cpceidcn.exe

C:\Windows\system32\Cpceidcn.exe

C:\Windows\SysWOW64\Chkmkacq.exe

C:\Windows\system32\Chkmkacq.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Ckiigmcd.exe

C:\Windows\system32\Ckiigmcd.exe

C:\Windows\SysWOW64\Cmgechbh.exe

C:\Windows\system32\Cmgechbh.exe

C:\Windows\SysWOW64\Cpfaocal.exe

C:\Windows\system32\Cpfaocal.exe

C:\Windows\SysWOW64\Cbdnko32.exe

C:\Windows\system32\Cbdnko32.exe

C:\Windows\SysWOW64\Cgpjlnhh.exe

C:\Windows\system32\Cgpjlnhh.exe

C:\Windows\SysWOW64\Cinfhigl.exe

C:\Windows\system32\Cinfhigl.exe

C:\Windows\SysWOW64\Cmjbhh32.exe

C:\Windows\system32\Cmjbhh32.exe

C:\Windows\SysWOW64\Clmbddgp.exe

C:\Windows\system32\Clmbddgp.exe

C:\Windows\SysWOW64\Cphndc32.exe

C:\Windows\system32\Cphndc32.exe

C:\Windows\SysWOW64\Cbgjqo32.exe

C:\Windows\system32\Cbgjqo32.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 140

Network

N/A

Files

SHA256 7884a57201f858aa6cc0e08034e490ba2cd912efd4aa47810759cd0ae7734ed2
SHA512 6a44db31f2b94e1950626336c3579f35e72f915c0ac1d5f4b0c9151b1bf9841e3940c7464df2a3bfea4027fde6da0c9d53900799a5719b8062c359fe67a262f5

memory/1788-264-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2160-269-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Pbkbgjcc.exe

MD5 f278652dbca537a80e0df91acdb69366
SHA1 d1dc8acc06d2d839f4041bd1ca1612107585b0c1
SHA256 16369c2183368f851432a171cd0dcc66b939ff5fda3d9c4e070f42bd8da006c2
SHA512 ccc0744540a9e2da559015fb20b9e82dc59ec4f419ff8ad46e974f520e3f74c0930b05c3a30096b59937778557fe7498b4ea4cca7035d0f96b946c7984a277c3

memory/620-276-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2160-275-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2160-274-0x0000000000250000-0x0000000000290000-memory.dmp

memory/620-282-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2052-298-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2556-297-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2556-296-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2556-295-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Pkdgpo32.exe

MD5 1cef0c0b34aa967412eb462b1da30beb
SHA1 9a3c5a6f568c9be826ef2a070064559ae6f0d28c
SHA256 2f7065472c1cc9daf93876ea2d90b37285212e01c85b3b2973727b770320a7c6
SHA512 b197ecaba17b7f43a9f7971bcf67d62c50b72db036a1384d9aae59c6b5b07f40c2a3a5228750fbaa84aa76fbc2e41893ded07e0dd3d95a820feab1819e3b2a49

memory/620-286-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Piekcd32.exe

MD5 a26ec6b028764376a6e59740388a0292
SHA1 cfe9da6f3a52682a7ce013aa8da644f4ec8aab46
SHA256 73e031c44b22387dd15868938eb18fd83b653e568e1899efe14e826a462288a1
SHA512 187bee90cb4afdc201b7c925618c59ab6993dc1baef3ff0af44967ea43d6351c5654851e15831a6d9585246c98de2a55bb05969b29a3c39444c4b64f5cbb8051

memory/2052-303-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Pfikmh32.exe

MD5 0ba417e4977a60bc2dcf34c14299d571
SHA1 ed77e051bf9dbf7978b60f67af6669c11426acd1
SHA256 825ad17705d02dea5cad3d6d87dd843e83778e0a57f5c47ee7f0d94936598d12
SHA512 57af12ab52f325543fcb2dc8a3cc73744ec87cf92e58183387ee9aad0c4fd1f0de849e1978b7a4c973b5e51ef6b0303289485abd893b4cd4b23d0b7d62184cad

memory/2052-308-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2904-309-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2904-314-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Pmccjbaf.exe

MD5 1b44116633ea97e68dd9a694f0a60d09
SHA1 215678995bd6f4969571881faaa9a9a11b870de9
SHA256 754a88691d63ae7f907ebc46126032649b15a3d1c78b6fc24662d56d706dfa36
SHA512 91de2ace78779986e3344371727293db6de9133ff588f47f3b84237913d4d832d3e3413b2b845f6eb9fa8e71af53fe3f878df551112314d716f6313a9b34db14

memory/2904-319-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2568-325-0x0000000000290000-0x00000000002D0000-memory.dmp

C:\Windows\SysWOW64\Qbplbi32.exe

MD5 155fdcc7b3bdb45e9a2cf45f237394ed
SHA1 9886c5541c464c85456d206dd0c2827848615953
SHA256 7e7c353aa764bc7275be2ff76d98986f27ef00fc14ae8fd7221af5ae0dc70d01
SHA512 4a9f0e675baeb27c471029f6b7dcfc7ae2370ccbb81d13a03b2cac2eef15b95d8b8be8f875f5d9c8972443c69609f5b1a3c107aeec4b2f15548eea983f6a7cd0

C:\Windows\SysWOW64\Qijdocfj.exe

MD5 4082ddac33e5dbed097ee5e1e3c9c768
SHA1 c6d775cd51191daff1074f5e5eccd8934bffda04
SHA256 93547f61223ebc996a01d3458de4bc69aacc7a000eeb659946569b460d69b214
SHA512 0b865ca19d9cbf950fa6de6524e5dbe017bb7e89eb2f77462b2133af64d147c1dd1b4a40bdd08ea88f479ba346b5d1f99bd9eb17f60eb50b6f6025562de8a3cb

memory/2628-338-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/3048-339-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2628-337-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/3048-348-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Qkhpkoen.exe

MD5 8e85f3b9e6a8d4c68d4a4c8f1ea94c4b
SHA1 9ed7cf5ddc003dd3c04ae5a75edabcbc2b23279c
SHA256 b6007f068848c6c1a03654235794fdc748b69b35e06856778b0257ab5a926e18
SHA512 24576d7f81352f1205a5753b81af81a3562fe0ae153efb0c780f21540490c20b8f5a6d2631f122723fbd630b1e8b4fc7ee96c8a10c68735ba54ae5a83faf6c85

memory/780-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3048-355-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Qodlkm32.exe

MD5 43063f0d01f7e0501c4af80942e50766
SHA1 3c290c372e7591aefd9c4ff495f66a5daf7fdee2
SHA256 4a8779729fdc7c6432160528474d28953eb0e81bcdbc5da6183ac48625590a33
SHA512 98b918f3c4ae4c9f297b1c4ddc767de790b0f7b10897414a08d784f44a06ef94598209d579d3947d5286d12a18b7beae02a5270588cc84186eafa8f20b26a59c

memory/780-359-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1656-361-0x0000000000400000-0x0000000000440000-memory.dmp

memory/780-360-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1656-367-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1656-372-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2284-373-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2748-371-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qeaedd32.exe

MD5 406af42ce7a238b611c6ce9ce33c2a36
SHA1 1a0a8fd561777248c0315c197802b9647d5c0e7f
SHA256 48c2f95e55066aaebef37d18902921f220f07851c329c65cdb0a064919da4222
SHA512 d52749bc7e973a21a1645201f7bbe2dfb11f0471f9ccc797ba1f2805c731da762196fc83b63dae02da14d8385eaf632b9d5c3c47ee0cda0e81d71a6d78a2312f

C:\Windows\SysWOW64\Qgoapp32.exe

MD5 4a98339eafea6292d2de885572ad53d6
SHA1 946f5f84d9e9276a6b1aa85637c7ac24a7c8afaa
SHA256 80f4554208426954b689a5057184b6e68bcad756777e5a2b975fb71fabbffdfd
SHA512 5fe42666cfc66d701a20e8166dcd95da35f5177c5770371406652921e0b7bb8afe92fef623dae437cf3a27b0af141a59cf71b509fc7b3754979d738a071b39fe

memory/2068-382-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2988-387-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qjnmlk32.exe

MD5 de04eafd710b6ae03d58c718b20b7aca
SHA1 80984481061e6a64b2a483b93b9ac8628a8a1534
SHA256 8b558a216c5369f87f404e7f286918c7cec55aaab9bca22827895c410b330740
SHA512 47faa311befd18b692d9c3d93d1335d81659d79057149acc3b770c9c11125fa9c57bbf8e0a86dcde7d6744a7951d65085d9b365e5574f0a3918360f61e2f28bf

memory/2636-394-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2284-393-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2988-392-0x0000000000260000-0x00000000002A0000-memory.dmp

C:\Windows\SysWOW64\Aecaidjl.exe

MD5 c77ad9e924ad65971e0a0dfeca76d2c7
SHA1 7327e7a86d32d696495bd3e5709884121e795525
SHA256 cb78db4b128dc114909ce8a5b2a4bd205fe7a19342ec27f268963c9c9806d551
SHA512 9069e1e109fc968fcbf2f32a05054cbc356fca40cc8d5018e038d8bf2efd5493d22734a06f30880b0c99538f475f38e67a94f741079273c92e70810afdf4f411

memory/2924-404-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2244-403-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2924-410-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Acfaeq32.exe

MD5 96d17e70296d0987fc0db6c0cda30db9
SHA1 1cdf59b07de318a09026c29aba61472b4faefb34
SHA256 95fbd12423c4a719c7e4e20c1a09234dc57b232b65028598dab67bbd5fb15dda
SHA512 97061a2620dd9c9b42752596c448d432a1cf9c5628605a4a9fd3ea4dc2ada384f442a4e3c56adc0bf2664da5d5dbd3b48b619b6e5f34e907ad72375e52d0456e

memory/1084-414-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ajpjakhc.exe

MD5 78c8b27565117e5a4ac4424ab50b4e4d
SHA1 390bc3dff43a055b322d1345e66e92eb27d13a49
SHA256 9c3cbaa2b40da3f66ecd984df09c79915399edefed6b6576809b8f754c4a3451
SHA512 2d426850fbb5ae1e7c789452d64a0802cb9ea6281800fc1f347bd538e059b3be5dbf6771fe4cbcdc58d140ebe6992eeb16695d2e605cd9797a4e8bb1c116b8f6

memory/1312-425-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2676-424-0x0000000000300000-0x0000000000340000-memory.dmp

memory/2676-420-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1312-432-0x0000000000310000-0x0000000000350000-memory.dmp

memory/2828-431-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1524-437-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1312-436-0x0000000000310000-0x0000000000350000-memory.dmp

C:\Windows\SysWOW64\Anlfbi32.exe

MD5 69de0c8d7cbd059e320ffe86d77bf2a5
SHA1 79f25532f4ce7d49b752943f37f95009cfc1f1fa
SHA256 6b03d6b9262fe659ae922e1be56a9215762cd5338fd47c6f6a33476563651304
SHA512 f79b0cb3e6e1c996c96d99415614fa238a63f02edf16c8a01a17afc6fa52a899eb8c0da44411b173ef8b8a70af6dbf33998166de3c6b476bd367338fb892047c

memory/2324-442-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1524-448-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1524-447-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Afgkfl32.exe

MD5 d4bb372a38070aee19f5783e268b974d
SHA1 f1014419370ed9c608a863c501ac88fe5a62183f
SHA256 8896e63ed24fae3479c059c539874adab665badf67860494157e66cf6eb1a174
SHA512 6690d88b651057d170bc8db1d7292d04b7edbce5bd317de87f6386b6b6b95143b0b21052ad0b8a0aa1ce93d1f63feaabe8cd489ac29545896c1b73e2f54dc77a

C:\Windows\SysWOW64\Aaloddnn.exe

MD5 c996440d8dc8e5c23e166f2bec7ad8fa
SHA1 866b9b383294e3fa6c5ed10835148207ac6c6c43
SHA256 98e85da2bc202617ba945521c14735a6bb39769ee354100023ebd1d1c42addbf
SHA512 3d4168b5674daa82d09d7a7202f807ee4f5a735582d1c8849f580b2bf79d6c58d0d1c75cf5a3cd5c818acf92149010d50bfb7c78ef954ed03de66ad44d22dabe

memory/2980-453-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2980-463-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2360-458-0x0000000000300000-0x0000000000340000-memory.dmp

memory/1484-471-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1824-470-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3028-469-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/3028-468-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Apoooa32.exe

MD5 a7682cd689d98a3fb2910221dc1d22c3
SHA1 57ebd7a5b880a15dce195a0d514e11afa40d5cf4
SHA256 558bfca3a4bfdf9ee34e99dd8fd9942b53331558e4aacf85c11f3b0530bf97d1
SHA512 c52a6bed6c169c1579af230d9d1d7bf094e70b2035a984ceb6a36c6a6523a42f2c15cbf07e2a6a13d82cf9ed9368dd567c8d619fb9a82317b4522031087fd319

memory/1980-480-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1536-485-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ajecmj32.exe

MD5 a2b548c714730a6a18b86e2bcfc55720
SHA1 bd0bbbda8bd6c940cadf2e8ea624ef09edffe28a
SHA256 980d4bc917b9428f474b513494326d132069e7d616000a3a493408e26cb66342
SHA512 039f62ce22b327ad4362a658afe319c6529961b38a9b373961e091920a59b1167f3a8454ac40357bd6a82a02ced235fcf4d227cf317cfb9688432019d48a6490

memory/2400-493-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1536-492-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/1536-491-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2480-490-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Amcpie32.exe

MD5 6cfdb33c0a84065d2316235e34c9e1c7
SHA1 413c336b3b22b13835f452af5cf6fb1bd8694bf9
SHA256 67ba67ced5a1eb12fdc758c4ff2991c96e4f436d4913a2f549945602064a7264
SHA512 f4491c49e0721495933afebe30f4fb4f6b2893cd05319e342c2d58add7e897599004a6aea11a390e6378aa40411f9488e44ad3141c2cc41062f4a4585e3f431a

C:\Windows\SysWOW64\Aaolidlk.exe

MD5 31bd83859649a2815f21bdb432ba1bf7
SHA1 046cd1061a59cff62c8f15c2aef7ea4ab45fe53b
SHA256 e7306153626449931e5b9558f56b747b94d8fee22bf55e2134e7c2a594f24e5b
SHA512 83863ff530ed110297ffbba0c43ab49b91c4cfb2a787e4681b74adbc29e74724b6138f747d9d8febe0edac040604ddf39a36afe00d233c064990ee11437f73ea

memory/2400-503-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/2116-502-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ajgpbj32.exe

MD5 50c079d6ab9dd4a3a8b998064cf582c0
SHA1 fdbaf4219fd823d7797becd6fb69f9ce7b3d14e6
SHA256 3a972917d7b9e77ec86a15a8cf9846c66b75a922583dc0c7c268f45323d997ae
SHA512 60fe4c55f7f9c03d2255ff004310338e2905207116dbc31f4752a119445addd2cbd90f9ca606b02b62772b0550618f7801df22c0a424daed26a729b4b55d7abc

C:\Windows\SysWOW64\Alhmjbhj.exe

MD5 0ea76092f4bc16761530c2690c771981
SHA1 2c9bd3b8f191683054adab518894baf3699b34f6
SHA256 14a2ad105649e89aaac3517bacbe560d09e58f11cf42dd6a94d9a3568e092d2d
SHA512 932d489e442c8a45bb89e503082a5f95939cdb99e43fec2145a3b9d988e54867c4b9adb921249f731414a7743c894c2e696315f8c3f85f9c7df1c67922b10f8d

C:\Windows\SysWOW64\Apdhjq32.exe

MD5 9c2cb68626500b46f46eaa47c4cdaaa7
SHA1 c496e68c61da12f4c62cc8289b9e82316e22b174
SHA256 7ae2859bc7babb6acb8f28e7c009c83455cd3c44c06c53cf142f0986e2c3c561
SHA512 e0093936edffce8f60c2534e2cb23cafaa53571be858b33f8aa6b26c5ddf6618b0ba72ed52275c65cc283f54cc356cf400857df1509e1fc8aba841e5c1896817

C:\Windows\SysWOW64\Acpdko32.exe

MD5 620cb2e89ccec1bc212c80e2db16ac4c
SHA1 3fa1daff190022312472b89593233775b2c6921b
SHA256 98b81e593533ae64b69c872b0a72a5511723ba9b80c01335ac7a61f533bf1e43
SHA512 bc6ea5e1374f32c0b503dc99a7d85de150cf05fc8448521f14c0ef5aee6c55eb170f51dc46c25a118ee7dd68eadf3d7ea9df223447f307034586cb2942d9d76b

C:\Windows\SysWOW64\Abbeflpf.exe

MD5 78fbc6b2e38bb3a7f02dfe8fcf37aaba
SHA1 92ec673c7e20de7581c9b89cc639a16ae96599b7
SHA256 18c461c6922a260580aff7fb4842efd369a459018c21aeb7855de310c8b8378e
SHA512 829a742efdeaeaafc6f300d0a375424bca75148be0bd5bfeba9a55de643e9278a47c1959a0d58c97e0eab51e40a7a5915ca4ae86f56b430adee556fa06c929e3

C:\Windows\SysWOW64\Afnagk32.exe

MD5 135291c7398124f62f7b5cb8ee2676ea
SHA1 17f0c5a2e211176f87af058e0b614884318d0bbd
SHA256 198ff1a3971a6b53eba2a481925798cfcf54d25a9acc5a5751a62eb7ca1c0658
SHA512 6fd2989e63f58d28e5b5d8d219b0ff5f227fa5c5465efdf2c5d1c645cc380c25218874fbf266491f48a7e677c9e28e23f5fb34f3476cc6f8ab94326690a146bd

C:\Windows\SysWOW64\Aeqabgoj.exe

MD5 531a7b0191d552013d143ed8325b8ee0
SHA1 82524ab655a12dfc1d7f201f632f17d4d371194e
SHA256 8924fa6979f68d816cd14d20c8b17b63d86440a4e04e024a3460624c73e8d5e4
SHA512 4d70cb42c127c54684c45d0d3d2ce597e5345800841cb036990c22f378e0a284b8ba66e2feda5381a9083924e7ae92810779911484ecbc72bd021f3b1cda069c

C:\Windows\SysWOW64\Bilmcf32.exe

MD5 9ef27457753a8515b71a5a5643882bb6
SHA1 1ca9771ed956700324c4524995da6d701f3a7ae8
SHA256 fa7dfb6fbe18ab62a817633c985a1c98358c7e10c149edf9a2abbf32769af280
SHA512 3594c15d4082bdcce9eac6c4d983b50736b9ad4d5bc2a2b2c05ff65470c9569b99ea04dd3e159a7be01b21d9ecb5f955c2fcd2a9d788dd9eb5f7b694a807b93f

C:\Windows\SysWOW64\Bpfeppop.exe

MD5 dd4438af72b13cef4f1a35f9e353426c
SHA1 4e72f3df5c45ee52c35cb370268211222f79efa7
SHA256 097b4ba8b55cb0c14f6735d4c4329be12987503dc2c7b9fa51de4f563f833a50
SHA512 2c33977d6216e851846e7be5f30ff4ce6c1b8f5ff5ab477f4d2e170b5419dbc3587d73c5def137768a2894f63e487a28ee83d3c60223d936f9927e62cdc9faff

C:\Windows\SysWOW64\Bnielm32.exe

MD5 006323dcbe7a80ef65ec9e3a96b9a6d4
SHA1 292607f0265e6f2f8708412b125679864b5acd62
SHA256 2a7adfa9869d0d8896cb5c1d908fd0e282ee090372cffe203f157e8d86fffb4c
SHA512 353a62124e84375b13b1b78ade9bfa064ba2622368b98f95fe9ba73975e99b61f9dd08ffaa2407e04f2c0047fe4261abf9f4aea33c3ad623b6b0200cc451fdfb

C:\Windows\SysWOW64\Bbdallnd.exe

MD5 a6c1cfa76c3ae9e8f6677f8bc57da9ce
SHA1 f307edc142276138ae9a54ea39806568602b3f7c
SHA256 fc4bcd5a34cac4183f8dc8d9927cfc5d9cc4f3a53155bcc5ad8b375a4a0f0f57
SHA512 5cf9a89e81b8e6b2be689ea47918f04e765b52ab8296ab7206f47286e64ef0a549df8b503cd73ac4ff4db5dad2157bcfc3243a0eb4c1d1c7d7750bc7f5e01115

C:\Windows\SysWOW64\Bfpnmj32.exe

MD5 e9791f983a2af1b155cd7187d27d91be
SHA1 34962a6143b2623cfac69433a09c567a23b45948
SHA256 b1cfe5e07ed0dd2dbe33ae47b9013d50711730bcd83064ef82e4ff238b10f153
SHA512 8bcd84fabe40b2508dc1a958ce38b1e9e4318b965c44c617bd3951ed1325a48a6923a9ab14e953860ffb99c8f40452131c12351d075a97ae44ce18cd040e14f7

C:\Windows\SysWOW64\Becnhgmg.exe

MD5 0919a67fbf21ebba1c2cdae53fdaec35
SHA1 d73af091a96b9620e9c2800a372b61a8c1ed7b23
SHA256 a63a8ba8e52655bc4e1c791eb012f55572f07463d6d4caf4b09774ecd6b321b7
SHA512 86ccb2770ce0d43f9bc49d7bbec9be67e8d98f4afb9eb962e61142935cbcdfd0beed5091a293670fb916f03c72ac374599b4e86de68eba4e3bc87d209168a3b2

C:\Windows\SysWOW64\Biojif32.exe

MD5 14d12115aca9f8047c1911aad44f809f
SHA1 a5d70f8676d987bc28bfcbc2d3acbeddd19afa65
SHA256 eda117a7733bdf60c4ceb4e1ebf0bf6d60183b1593ee0f99cd3d905dcfb96aa5
SHA512 05f51aede0f4daf0a17ad0e7cc799307f76cb934b1cf403477c49f22e17d7aa1d9d93f0c30c836880148ea30c57e7b46c158c6de4cd92267adc57ffeae025ff4

C:\Windows\SysWOW64\Blmfea32.exe

MD5 1b23a2801ae9db750d4b037d67b9c293
SHA1 a3e5623a8796a1319d92d7101b3181e1546da64c
SHA256 f424965c55c0eef5dd75a4cbfccbebbb0b6dc399b85aa7cfed939a2cbb066268
SHA512 b4548706dca586feadc692baaccc02c939c1d86aebf0ec757486422845d9fec252434ba2f90026e9f2463df635dd8aacf5ebf284471fd3f6880ac86b70e79960

C:\Windows\SysWOW64\Bnkbam32.exe

MD5 b8039cd6338ee6a482e54ea169da363b
SHA1 3d172b961ede3f92abf3d295d7ecabf2a3800ae5
SHA256 e3fd1f7bc2d52582a744b5832f0092531043dfc1e297b5166c4123c8d91ec215
SHA512 fb13f08dd073b8a7dd56a4c2661ce9052fb2a87c3bf9ab81da48ce595fdddc8ef1c50ad25e99d55d936e6727aeb02a888459339f104fc901619d9ef8b0e50624

C:\Windows\SysWOW64\Bajomhbl.exe

MD5 6ce7c426979180027da075d4225e5a19
SHA1 7029d4c9dda8d801d725152dce909ba80836d7fd
SHA256 d73083ee68b352e224317bf1683012b3c27b41fcdc73467e6f2e437288a36876
SHA512 e3a80a2fbc4a23654c98472912b08008fbf275c1cd23a9fbd62b1d7d1206a141cf3fe0187b463a78714882ecbd60260c446c1092c1a34d6ab216c23ed647dc93

C:\Windows\SysWOW64\Beejng32.exe

MD5 09fe78f0e603f567b00a87f9272f80e1
SHA1 38d0052abf1164ec5f37fc6ea843c596f97300b5
SHA256 426080e8a262f09290330fc9963a5b7df06f0cea11eec50ffa3ce05dc5f41928
SHA512 564b078d89fc513b67621c79166004384f378c34065a88ea7e9dc40f17ecaa70dc4dfc92b988e9ed62afa6cd8ad6c97f3072c6c48b8d4aa47a3bc0021444e769

C:\Windows\SysWOW64\Biafnecn.exe

MD5 5356f86938df4a8d7795b73b6784e493
SHA1 264e1928c861244e79372d03b757e2b86a496954
SHA256 9ce1ff0632ba7cead04a3fff3ca8612b9b951645fb9c522fd3b999ab15c32c58
SHA512 7a84a1aa67f800b319af76079503b5e90d7e38c9e6383162259ef0496af7164de021e95a50d66b8dedac9fca54fd84f3f50e3c02b39a6128087ec74b3397154d

C:\Windows\SysWOW64\Bhdgjb32.exe

MD5 4261806572126579e2f9010d26daf4e7
SHA1 a8206550ef835aaeb99de15816f5463d6d7fe73b
SHA256 da26ec9f36f576d40c9f6a83402baac1172c9057031872a0342b123795eb815d
SHA512 38396eca2a55405d647718ed3f7a785b66c7b48fac5311b80e623261d43bb128973ecb8976f64a760cf104ef2d16ccd72c28ccfaea78b8de41f971ec60b40bf2

C:\Windows\SysWOW64\Blobjaba.exe

MD5 3da2a7595fbf769f68c4f53b53e3ac48
SHA1 3e094822c91d9707b61fd838e73150de0374777f
SHA256 13a086c976723f7e0d9971890d04f2604aa3d594459755d4d2763b65e9497010
SHA512 76826a74e0d47d376915a0f22ef2ea9700921ebdca5bccb1ea439fc4ec69237ad632a611623ee39bc09126290252277a8c63c4a557e3038b5ba103cb69ee124f

C:\Windows\SysWOW64\Bbikgk32.exe

MD5 75740cd7d84f321885f673ed670ee2f6
SHA1 73506f86244db564de0f46fdfa265f2156a2309f
SHA256 da110d6f63a77085a993c1843d9d2b07fd8fc3e6c16083e13868dc690ea2e36c
SHA512 3fb62224b3497e02c601668e453812cf9dca7d7f8253bafdfcc559ef3b48f6b241b960db8481cc3edc2ff9774ea6d7ff09f00cb323805d4850c42204485211ae

C:\Windows\SysWOW64\Bdkgocpm.exe

MD5 92e14a29f4bcfa5be76a50e1d259f52e
SHA1 0de6f3bc2e3483853bb0203ed0a391594a8d0961
SHA256 aa44bd396a03078696db8559aebb60043787609a30d9772efe6107a4c54abab2
SHA512 1aae368d3a26b4386486258bf101628be806f81fdc4ca6b2d812181e80d2a5d7080df36200cf0022106b21553e057b778b2a918e8c6881d1296a9b36f6b707a5

C:\Windows\SysWOW64\Bjdplm32.exe

MD5 ff72ea8f992ba312393ef8b684e5d3df
SHA1 9452b1f8cd4394a52c787eae47a15632a725f65e
SHA256 af983320299032c00b6afb2cc3e6dade3724f413c6dad9a4f527e4b895085252
SHA512 6e3228d82c3a0c8e9a1c760ced1f657ad9b2c93cfb75cfac7dcc0fd52ca064fd1fa894b9abb400853ff06f08d80dfd2e55185a5e506d44e0643b8e90cfe27f55

C:\Windows\SysWOW64\Bmclhi32.exe

MD5 03ee2f4c2a3da576ac8547ed0fa06540
SHA1 e75f102b52e3e95131ab4581512b954e64e03034
SHA256 1ab7e7ff91386c34ea89dda36821f3fbdf3cc5562df2394dc72a199f388bb7b2
SHA512 d6549dfee3b6d7140848d7209ce4ea13bd1f53cb0dbd4da350e69900eaf01ef3f7d5c00f05627abddb39494c30f7969f55a7dc5e280f2ffcb3917141c9c8c121

C:\Windows\SysWOW64\Bejdiffp.exe

MD5 38a561df2084bddceeb2a7d7b247b036
SHA1 67300ab1b8934b29f016dfdbb8104921740bad21
SHA256 855611b7851d3fad06beec1f1760f6be5504ffbd967c750c2ee5a92af0585389
SHA512 d3c19e230ac7d7a068be79f78b860f4de01a90e4651ad146c25281d212429ce3b05b513aa201bde8246442affb74064971623618c9e0fc61fd501ddcb202adaa

C:\Windows\SysWOW64\Bhhpeafc.exe

MD5 a07d0672cdd6aa5323baf33d57b72803
SHA1 f3ca37dcc665c9f53504a26cb9a33e937fca5caf
SHA256 79d6ba9be92afa7dbfe11998377711936213ba32f447aadef80db697c71dbbb5
SHA512 1284f2ac5761c4c33c09f765999b94466143c98d1b646897b984e6922c7d13dac66f5057bfc4e21703607909adc44b55edfe3fb402c911f055c3d109f62dea21

C:\Windows\SysWOW64\Bfkpqn32.exe

MD5 230f4767fdc4661d30d43f81f8f3652c
SHA1 e90943cf758606e17e374ebe290016708d8d9bb0
SHA256 769907d0073b8c16a369a3adc78172352f8a99e8bd27f0c829b2706897251f06
SHA512 bb6d9ffabc4707e837486cfd77ed4458afbdf150f8b08bcdbc75f63422e26fd685618d27a5a88c962fc530ece8f3e608df1b60c1bf4523246ef14e695689820d

C:\Windows\SysWOW64\Bkglameg.exe

MD5 4ef207b5d1cbdbaad5e3caecfca10ba4
SHA1 36fe20680b61d4e7bd1022b7fbbf56bf6f83260f
SHA256 c48c4f8294e9e8d578f3a98a9d4a60f4b117f5e653bb568cb97dde4eec4a58bd
SHA512 3bb2484810332083a13124fd5a51bf6f34bdae5380a3c63140c67b8098ff63cf4fa810de79ae0c7d73b717e6c395b7cae4e148634e8fe45bb6f5f3696b28f431

C:\Windows\SysWOW64\Bmeimhdj.exe

MD5 6996acadcbede05b750e60c23a697f06
SHA1 c33a98c96195e86870b03d4984f707843d79d007
SHA256 d7afec1e24ddfa5430d0475553e82b82c39076379a7d01a1ed4ed6cbf12567fe
SHA512 c81db80417b6b87aeb4672e5bdba11231d49af20dd2a4787e25f294072a29815a94e0612fa4b49f476a4a551b1762a2d977c359ccba56c2db57caa9378ce6be9

C:\Windows\SysWOW64\Baadng32.exe

MD5 1ab7aabba989bbc5ea8e38d68df6b372
SHA1 472e883cc9568f5e3e3282c3d913d13cc5d071be
SHA256 84e5c7ca16c48054614b85bd658526793dc05b50a7692d7c60ab927d9963a847
SHA512 bf8b0a8b8bb41ab51c67ccb71c3e5e222bd548f10871f7c29178664d49f87311ea8b911d273c1e8ffd79609ec56948d9ff0c9ea6a40bd070ab90991b15ef887a

C:\Windows\SysWOW64\Cpceidcn.exe

MD5 e3ee7f293bf18232ada7bdc0755971f1
SHA1 90ab992ce3c74ab3d23eaf79f041ae7ecea2d27b
SHA256 671baa6274abfb7daa7e32f625cd2736492b0b5fbd8226fc6601b9250a2364e5
SHA512 d028cad66452f33aae3dff0cf41ce8c92e0f700613ca52b9f82728ee991d5f8d9df39b17e9ad2eb7a5d8ccbc86e53b06a2694f59da29ba729c9bdbdd8c485801

C:\Windows\SysWOW64\Chkmkacq.exe

MD5 db1ef46b4e0cac448637446c9f149e70
SHA1 66ece27c8c7a4549fb86acd8939c0f82fe4399d4
SHA256 7c837ed6e7cfdce8717c372b5e1ddd69322eb0ec1b7eaf6fb3cb7f4454b54b7c
SHA512 183dcffac7532be80422ddb44e24de9801ef6b6dba71ddb25c5ba60d1c15c0c36919125184653ccb5d319e82267b48987e287c1cbafc2b7992a2cc06805f1a03

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 2e7e6e3769e56e11f9fb40f270037e3f
SHA1 a25fccd6f4a2fc06bfe57d4ef4e838ee679c881c
SHA256 26495b5f2c642adf6cd359eaadc9c884ba4c037a0ec92227e580505785e383fe
SHA512 7b7fbab2494b2d31b4d94993d2fcf7d41edc68c887a27fe1d0e6de2985b4ee388038eac879845a5d22464213914a9535c18b393887454819bbb37f20d6a45441

C:\Windows\SysWOW64\Ckiigmcd.exe

MD5 ada76214c07eee97acc46a27b0fcace8
SHA1 ffe26d9997def24ab32a679260e2bcd88cefc7ca
SHA256 14eb75bc8ab4b739faa1335a897deca932eefa36584fef7ff6567c0cda5efd8c
SHA512 3c72148da55d391981e0661b94d79acb2c9153ef52378528f2f0648efe4683899030ccc9a0dd3a7bb8bd7d9b61f081268af532253aab7d465a5dc688319fc368

C:\Windows\SysWOW64\Cmgechbh.exe

MD5 54acd9ec56729561715425be67def3aa
SHA1 7fb21c4f577a4312625ed5a85875ef6d5c0d6efd
SHA256 a71f9da5ba4eef771e818e8d49d7b9d803058746298fbeac8cb833e659c60abe
SHA512 ffdb6988ae87bb149881ff3a342e9feaa3fb4b9ebec3bbee0967bbdd0f9dc0b5cfd403071ed0a03cd022206ae27c108b8490e26d2e3fe354144e31e168862883

C:\Windows\SysWOW64\Cpfaocal.exe

MD5 849bd8fdc28f50700dd55de1434deec4
SHA1 d2187fa69fafa01425b554b109c95b0b726cb99f
SHA256 bbe57bb3d749376e402fbd76a3bb1d2f8e784b6028278a155a7c60b192c81e2a
SHA512 315de4121c7b76bce718bdfb986377c30b40f98967b74aea95dbf43823f3a6d5c7ef249c8ed1adcb0304cb6dfbf1788ca825d24ccc09535b6e9b8b1ab5655fbe

C:\Windows\SysWOW64\Cbdnko32.exe

MD5 45ca526e6f20257e1b5167b497704733
SHA1 f60b9457c7c416d70e1d3df1aeb2c6747b5f9816
SHA256 4e14aa20f13098fa8b74a709188af1d2d225906f4fd00a233458e40381049326
SHA512 5ed88fd4ca853e5a4a43db896ed01d4fc7393c96d04a52cca77339b66ac26f9c7fe0be4c88a68fcace165d5172df013628486c22ed2a6815132fd8cd74ad4441

C:\Windows\SysWOW64\Cgpjlnhh.exe

MD5 6074c26b2cba3ec1a6ebb1bdf4260714
SHA1 424e3fe768f6596d8bb67e5a51967d17fdc97c4c
SHA256 a7c93900524d4b8abd5462cc4e341be57959c34ed718f6d2c2b68c58b07c283e
SHA512 46d08d436e7157b257340bfe3f8b6c5971c734322e0d4d2f487645e85d2b90c74320c3367a08ffed8e0a2a6ab2ed06b8b426d60aee402bcce95e789c2f43622f

C:\Windows\SysWOW64\Cinfhigl.exe

MD5 0fa9649c5358177398d714b6778ee385
SHA1 4e65b3d6a12852d17592ec1bccabdd1c78cf49d2
SHA256 14c289f8d7c3c359721e7a3902cc91ae6cca7c4c13115a29fb6bd22dd4ca53ce
SHA512 b4c637191ca18dc25a3bbcff2104dfdde0fc27b92020ae8b74091010a4a6378062e8bb3b24b26e05f9edf65ce58aa8c5b5ae5ec913da82bbc0a61beb8dd5cda7

C:\Windows\SysWOW64\Cmjbhh32.exe

MD5 82f097d12aecf2db75c31fca67d4f01c
SHA1 723a07e0af0ca075ac8a033b5a5b3aefc2a3391a
SHA256 75b4aa9f2b818505e91ccea9cc92340647520e90410f6c8296b0b8c3b28a2420
SHA512 999904e058cf726a226b58d4a424dbf8b2cf712e322f6d7b6923b416bb0d0bfaf52255645f50bfe27e6854710eabd8e128692c9e393e74d032efab288688932b

C:\Windows\SysWOW64\Clmbddgp.exe

MD5 529aa39a7afe51ce8b7eb89615937116
SHA1 08dd28b488e762f0bc1022b370d7aa2fe7b015d7
SHA256 15180ed01bf55e09b9c32a62ac253641494c69406b7299364735765fa4d1961a
SHA512 ae846f023dfdfd62a65a42d1c2bbab5e3accf5688a3d019b8987462ea73494e8a5ed528668329845de7bd263da4c8186fabf71e79a04503ea851984474e3c2ce

C:\Windows\SysWOW64\Cphndc32.exe

MD5 d0129a6a6dc9175d46581f3ce87ff94c
SHA1 a4fa2708ec9ae70e22818e3ef0b6a056e39f6f97
SHA256 0623a3ff59460e8ae36aedb300ebfc86da09212af685f6eaff4d2cfc2c8cb78b
SHA512 cebd571bfecf3cc17b365b47d77dacc4db4d3ef210f8dd817a1af3015fba5d71a9602f2659db5a0f3d8ff789ab3e67b16470cd20970e77d1e06343bd049aa249

C:\Windows\SysWOW64\Cbgjqo32.exe

MD5 24439be387b70e586ed855a09faf00f4
SHA1 29c0a04352818b31e8d8da80842bdbbe10a0c1d6
SHA256 6abd591e9b1ba769a30ae614b1ba584dba4e0e345555e5ee6847bcbf5ba2699f
SHA512 ab2da4211b62bae03f2273baaf03cc934df3f3a395b5b205263dcfa7b79dd0436eddb76100b32f36610e17a14cdfb5a1016ce933be3826ede34e37566a81df1a

C:\Windows\SysWOW64\Ceegmj32.exe

MD5 8de7ccf12ad475d561b9c0edcb8a0261
SHA1 af555697c24f54ac3967fa2578f3931503967ffc
SHA256 92f7f95e51243d782d8214a72ec9e71d45dca736a336b57eba8c96f4e8bc3771
SHA512 28e26f0d849f44b1db1d30a4baed2a53b4fcda03e20a512d12b42109b2e459e90bb64228ad0a5ca36dd25d257e209b4c0c9c9deadad92f4519ef87e192b13060

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 11:12

Reported

2024-09-16 11:14

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pncgmkmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agglboim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cabfga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Medgncoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oflgep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocbddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pflplnlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnlhfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgimcebb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajanck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngmgne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mckemg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlhbal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chokikeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmnldp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgokmgjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Miemjaci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmnlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Balpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofeilobp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddjejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npfkgjdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmnldp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Accfbokl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdckfk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmidog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofcmfodb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcppfaka.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chokikeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Lljfpnjg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldanqkki.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbdolh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgokmgjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphoelqn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdckfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Medgncoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpjlklok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgddhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mibpda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmnldp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mplhql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdhdajea.exe N/A
N/A N/A C:\Windows\SysWOW64\Mckemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Miemjaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpoefk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgimcebb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmbfpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmnlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgkjhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhbal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngmgne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npfkgjdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncdgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlmllkja.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcdmikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Neeqea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnlhfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfgmjqop.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnneknob.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndhmhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckndeni.exe N/A
N/A N/A C:\Windows\SysWOW64\Njefqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oponmilc.exe N/A
N/A N/A C:\Windows\SysWOW64\Oflgep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odmgcgbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Oneklm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocbddc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olkhmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocdqjceo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcmfodb.exe N/A
N/A N/A C:\Windows\SysWOW64\Oddmdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofeilobp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdfjifjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmannhhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjeoglgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmdkch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pflplnlg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pncgmkmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcppfaka.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjjhbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmidog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmehkqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqfmde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjoankoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcgffqei.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajanck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acjclpcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambgef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeiofcji.exe N/A
N/A N/A C:\Windows\SysWOW64\Agglboim.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mdmnlj32.exe C:\Windows\SysWOW64\Mmbfpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Olkhmi32.exe C:\Windows\SysWOW64\Ocbddc32.exe N/A
File created C:\Windows\SysWOW64\Pflplnlg.exe C:\Windows\SysWOW64\Pmdkch32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjoankoi.exe C:\Windows\SysWOW64\Qqfmde32.exe N/A
File created C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
File created C:\Windows\SysWOW64\Kofpij32.dll C:\Windows\SysWOW64\Beglgani.exe N/A
File created C:\Windows\SysWOW64\Nokpao32.dll C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmlpoqpg.exe C:\Windows\SysWOW64\Medgncoe.exe N/A
File created C:\Windows\SysWOW64\Oflgep32.exe C:\Windows\SysWOW64\Oponmilc.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjjhbl32.exe C:\Windows\SysWOW64\Pcppfaka.exe N/A
File created C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Cdlgno32.dll C:\Windows\SysWOW64\Bebblb32.exe N/A
File created C:\Windows\SysWOW64\Mjelcfha.dll C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Mdhdajea.exe N/A
File created C:\Windows\SysWOW64\Gcdmai32.dll C:\Windows\SysWOW64\Ocdqjceo.exe N/A
File created C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Qcgffqei.exe N/A
File created C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bclhhnca.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdhhdlid.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mpjlklok.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdhdajea.exe C:\Windows\SysWOW64\Mplhql32.exe N/A
File created C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mdmnlj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bclhhnca.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpjlklok.exe C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfgmjqop.exe C:\Windows\SysWOW64\Nnlhfn32.exe N/A
File created C:\Windows\SysWOW64\Pcppfaka.exe C:\Windows\SysWOW64\Pncgmkmj.exe N/A
File created C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File opened for modification C:\Windows\SysWOW64\Miemjaci.exe C:\Windows\SysWOW64\Mckemg32.exe N/A
File created C:\Windows\SysWOW64\Jgefkimp.dll C:\Windows\SysWOW64\Mmbfpp32.exe N/A
File created C:\Windows\SysWOW64\Lffnijnj.dll C:\Windows\SysWOW64\Mdmnlj32.exe N/A
File created C:\Windows\SysWOW64\Gmdlbjng.dll C:\Windows\SysWOW64\Ajhddjfn.exe N/A
File created C:\Windows\SysWOW64\Kkmjgool.dll C:\Windows\SysWOW64\Ddjejl32.exe N/A
File created C:\Windows\SysWOW64\Bjddphlq.exe C:\Windows\SysWOW64\Bfhhoi32.exe N/A
File created C:\Windows\SysWOW64\Hjfhhm32.dll C:\Windows\SysWOW64\Cfmajipb.exe N/A
File created C:\Windows\SysWOW64\Agocgbni.dll C:\Windows\SysWOW64\Mlhbal32.exe N/A
File created C:\Windows\SysWOW64\Ncdgcf32.exe C:\Windows\SysWOW64\Npfkgjdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Oponmilc.exe C:\Windows\SysWOW64\Njefqo32.exe N/A
File created C:\Windows\SysWOW64\Pmdkch32.exe C:\Windows\SysWOW64\Pjeoglgc.exe N/A
File created C:\Windows\SysWOW64\Kgngca32.dll C:\Windows\SysWOW64\Qjoankoi.exe N/A
File created C:\Windows\SysWOW64\Bjagjhnc.exe C:\Windows\SysWOW64\Beeoaapl.exe N/A
File created C:\Windows\SysWOW64\Bbloam32.dll C:\Windows\SysWOW64\Cnffqf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmgjgcgo.exe C:\Windows\SysWOW64\Cfmajipb.exe N/A
File created C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cabfga32.exe N/A
File created C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Mdhdajea.exe N/A
File created C:\Windows\SysWOW64\Nfgmjqop.exe C:\Windows\SysWOW64\Nnlhfn32.exe N/A
File created C:\Windows\SysWOW64\Hmcjlfqa.dll C:\Windows\SysWOW64\Ajanck32.exe N/A
File created C:\Windows\SysWOW64\Aeiofcji.exe C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bnkgeg32.exe N/A
File created C:\Windows\SysWOW64\Cmgjgcgo.exe C:\Windows\SysWOW64\Cfmajipb.exe N/A
File created C:\Windows\SysWOW64\Cacamdcd.dll C:\Windows\SysWOW64\Cagobalc.exe N/A
File created C:\Windows\SysWOW64\Llmglb32.dll C:\Windows\SysWOW64\Oneklm32.exe N/A
File created C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Dmcibama.exe N/A
File created C:\Windows\SysWOW64\Cmlihfed.dll C:\Windows\SysWOW64\Mpoefk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndcdmikd.exe C:\Windows\SysWOW64\Nlmllkja.exe N/A
File created C:\Windows\SysWOW64\Mmcdaagm.dll C:\Windows\SysWOW64\Oddmdf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjeoglgc.exe C:\Windows\SysWOW64\Pmannhhj.exe N/A
File created C:\Windows\SysWOW64\Pmidog32.exe C:\Windows\SysWOW64\Pjjhbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjmehkqk.exe C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
File created C:\Windows\SysWOW64\Gifhkeje.dll C:\Windows\SysWOW64\Dmgbnq32.exe N/A
File created C:\Windows\SysWOW64\Aihbcp32.dll C:\Windows\SysWOW64\Mplhql32.exe N/A
File created C:\Windows\SysWOW64\Gfhkicbi.dll C:\Windows\SysWOW64\Mdhdajea.exe N/A
File created C:\Windows\SysWOW64\Ndhmhh32.exe C:\Windows\SysWOW64\Nnneknob.exe N/A
File created C:\Windows\SysWOW64\Ifoihl32.dll C:\Windows\SysWOW64\Pncgmkmj.exe N/A
File created C:\Windows\SysWOW64\Chokikeb.exe C:\Windows\SysWOW64\Cmiflbel.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlhbal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bapiabak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beglgani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpjlklok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldanqkki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjoankoi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chokikeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmannhhj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olkhmi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acjclpcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anadoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Balpgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmefhako.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mckemg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neeqea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndhmhh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cabfga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdckfk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdhdajea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajanck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgokmgjm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgimcebb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oponmilc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amgapeea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmcibama.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Medgncoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagobalc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfgmjqop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oneklm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agoabn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dejacond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oflgep32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agglboim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Accfbokl.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mplhql32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mckemg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll" C:\Windows\SysWOW64\Medgncoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" C:\Windows\SysWOW64\Nnlhfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oflgep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dejacond.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll" C:\Windows\SysWOW64\Miemjaci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll" C:\Windows\SysWOW64\Oflgep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oflgep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mlhbal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmefhako.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oneklm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll" C:\Windows\SysWOW64\Amgapeea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aminee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chokikeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bclhhnca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldanqkki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgokmgjm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnlhfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmannhhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" C:\Windows\SysWOW64\Pmdkch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" C:\Windows\SysWOW64\Lphoelqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll" C:\Windows\SysWOW64\Mckemg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Miemjaci.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdmnlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" C:\Windows\SysWOW64\Agoabn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Neeqea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofeilobp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" C:\Windows\SysWOW64\Ofeilobp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfmajipb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4220 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Lljfpnjg.exe
PID 684 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Lljfpnjg.exe C:\Windows\SysWOW64\Ldanqkki.exe
PID 1080 wrote to memory of 948 N/A C:\Windows\SysWOW64\Ldanqkki.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 948 wrote to memory of 3044 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lgokmgjm.exe
PID 3044 wrote to memory of 3464 N/A C:\Windows\SysWOW64\Lgokmgjm.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 3464 wrote to memory of 460 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Mdckfk32.exe
PID 460 wrote to memory of 3764 N/A C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 3764 wrote to memory of 4040 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mmlpoqpg.exe
PID 4040 wrote to memory of 4536 N/A C:\Windows\SysWOW64\Mmlpoqpg.exe C:\Windows\SysWOW64\Mpjlklok.exe
PID 4536 wrote to memory of 2072 N/A C:\Windows\SysWOW64\Mpjlklok.exe C:\Windows\SysWOW64\Mgddhf32.exe
PID 2072 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mibpda32.exe
PID 1524 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Mibpda32.exe C:\Windows\SysWOW64\Mmnldp32.exe
PID 3224 wrote to memory of 3256 N/A C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Mplhql32.exe
PID 3256 wrote to memory of 4872 N/A C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mdhdajea.exe
PID 4872 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Mdhdajea.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 1600 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Miemjaci.exe
PID 1520 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Miemjaci.exe C:\Windows\SysWOW64\Mpoefk32.exe
PID 4084 wrote to memory of 4296 N/A C:\Windows\SysWOW64\Mpoefk32.exe C:\Windows\SysWOW64\Mgimcebb.exe
PID 4296 wrote to memory of 3684 N/A C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Mmbfpp32.exe
PID 3684 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Mmbfpp32.exe C:\Windows\SysWOW64\Mdmnlj32.exe
PID 4992 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Mdmnlj32.exe C:\Windows\SysWOW64\Mgkjhe32.exe
PID 2228 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mlhbal32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Oddmdf32.exe

C:\Windows\system32\Oddmdf32.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pcppfaka.exe

C:\Windows\system32\Pcppfaka.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pmidog32.exe

C:\Windows\system32\Pmidog32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pjmehkqk.exe

C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6084 -ip 6084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 404

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files


memory/4004-371-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5072-377-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3924-387-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2056-389-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1684-395-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qqfmde32.exe

MD5 74055f0f8f07b09575f567db643f1269
SHA1 b706b55a07098255dc443b7ce369e1a64a1a1759
SHA256 f2d5157d6dde88495fbe2b8603fcde2c808ae2fc70899849d265dbdf17b279d5
SHA512 c7d83a30e690910b474148d41263478ce5bdf061ff1f4ae5b3d0867237b6bb78ca9e920b14d4e994ea4587b1a694a9acab5c4b39b0dc73471579b1e0477c6855

memory/3556-401-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qjoankoi.exe

MD5 533a52435e761700e636190e469894d3
SHA1 4f70f4d6e37bc01f56e25270e5d96457863ac1b3
SHA256 6eb79dd8e60220ea727c5aaf65dd2cabff67defb615b9930707f7638493b9fc1
SHA512 d38ebe66f51a65b97d4229a86760ccdbebf5c0691e844cc3e17603448e984f1c99ba9065977dd2810959854934d0ebef586c695f6134f6ac5f73fb6f5faf7cdd

memory/4484-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1112-413-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4336-419-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ajanck32.exe

MD5 3bb936fe95fd1945f02450371611beba
SHA1 658c8ff6bd60baa17cb360f4a5723189e988eeda
SHA256 e1153af926648fd3cc3b0db2e7f830e642823fd3d4f2cc6ea552ce409bcf9e08
SHA512 53a36f0caa8303afcc349ee002da845f8dba2d4e29de0b7b64342e16206e41a4d6f3947a275b8a4cafbc1c60f31a2f123c1430a657bce16a43454dfecf310d31

memory/4768-425-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4080-431-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4388-437-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4188-447-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3804-449-0x0000000000400000-0x0000000000440000-memory.dmp

memory/8-455-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2512-461-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1672-467-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1848-473-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2684-479-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Aglemn32.exe

MD5 4824f095e6c398d6947b9eec0c5f79c4
SHA1 c7b3abc8f0e1cba15521448840e5e81acf40bb4d
SHA256 717677ed220589879bf2a35d91d65532aaf145ce63530541e0815b594820ac1e
SHA512 556276ac8fbbfe962adb475eac89bd45bfc300c8845ab9b2cb3e81d4055635b0e513914794218e39a3c624972fbab1266716478b7e42097822215c30d1bf1d84

memory/4428-485-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1208-491-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2568-497-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2196-503-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bmkjkd32.exe

MD5 db88d8bea48c7313ba1bf5b12a9ed398
SHA1 c9e472e25cc9ff0e67138ec6d602927aebeb23e0
SHA256 e1fb896c718bdba18c2685ba3de2046a9acc59213aac1ad5c822be5d734bc853
SHA512 1dc1dbe21ea15fd9ec386f48ad488068d33b197d2d57de0020a2dc23075ddaad82377593f9c79313121b4b518e91489162026da637d0fe77b91ce978ed38567f

memory/3688-509-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2896-515-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bjokdipf.exe

MD5 880804e680e4d56bae3af28d0081cce2
SHA1 ad6df31f7fda2103418737dbb756d37648adb7c4
SHA256 68e04ce72084cf01ba07882f7a2d1de7f98e472f9a232124ff704ce95f7e6b37
SHA512 cf85019a07504c7014e049729e7a1d00ea827e560030c7d5546fbcd5ab4474130c4e54e6e734e2e28f0401547ad4cf37fdc8e0e276fb538268cc9a1d1d8ceeb1

memory/3312-525-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3996-527-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2560-533-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bjagjhnc.exe

MD5 5132174da5d7dfdc3e3c188a5922395e
SHA1 99aba03207a97594ab4058c55fc45575a8d06da6
SHA256 d05cbde9c5d02557e10275c2d7630a1a6c005abc921ddea64ca7fef5cd84a489
SHA512 77eab5e5920d3404a12fcd0d7cd2cf8107638fce04629064ef6d3f27ca8dfad34e45508dd53e86f9823abc0de2277d43c65a9f959c8d9df00dc07836568662ac

memory/4220-539-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1860-540-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3192-550-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1716-552-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1080-558-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3096-561-0x0000000000400000-0x0000000000440000-memory.dmp

memory/948-565-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1984-566-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3044-572-0x0000000000400000-0x0000000000440000-memory.dmp

memory/380-575-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3464-579-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4968-580-0x0000000000400000-0x0000000000440000-memory.dmp

memory/460-586-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4476-591-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4320-594-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3764-593-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cdabcm32.exe

MD5 b8855f196838cc0cfd07aed295e42abd
SHA1 5ffd94170f3b7d570b410180db6adbd226f1fe8a
SHA256 d71d35643948271ad3ef9302b8143b8ec72ee87b8f7f5fc068eea5e414abddd3
SHA512 12c5c2c05f6c27beb369f00f9e5c17893784da0f5943db32c8025299b3d47b27c10deef7a324aa8e2d0f9249a19892e18735e24cccfeb7b6e90ef73e142ae6ad

C:\Windows\SysWOW64\Chokikeb.exe

MD5 fb40f5d82f2768a2d3ef64a888c4f5da
SHA1 585913574b95c289f36412e6ba09b71a3abdccfe
SHA256 49fc90e0bdf0b1d4c50dfc02218b2c61da0f86fc60c2cd01d6804012c3c14a50
SHA512 16537a313553916e78d01627f07f00edb9b9ea2a0d6be38d3afe5978933e1acb7e26ce4acfe166d285e1f1fb2ca20c5833c2f6612a7fd760b9ba95890f210195

C:\Windows\SysWOW64\Dmcibama.exe

MD5 199ee54f147e5386810d8a924101ec2f
SHA1 5d62a65bd0e74d6e7de3d818ba43d4f21e3d7861
SHA256 2664a7c9f5239e804998a75f76ec79224be92c6bebba0721e7ab3586fd700da8
SHA512 a55338e3d293d3e5bef7a40e547a012160d308ddcbd6a1b6cff26879a7f0563509c7437f68d41ee4302564155161cc744209df51f47a449ba4df758e43859657

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
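Two things in the listing above are worth checking before any of these hashes are pushed into a blocklist or a hunt query. First, every record carries four digests, and a copy-paste or extraction error in one of them silently produces an IOC that never matches. Second, the Dmllipeg.exe record's MD5/SHA1/SHA256/SHA512 values are the digests of a zero-length input (d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...): the sandbox captured an empty file, and a block rule on those hashes would match every empty file on the estate. The parser below is an added example written for this page, not part of the sandbox report or its tooling. It reads the "Files" listing in the exact form shown above (a path line, the four `ALGO digest` lines, and `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` lines), checks digest lengths, flags empty-input digests, parses the dump names into PID and address range, and returns only the SHA256s that are safe to act on. The embedded sample is three records copied from the listing above; the record and function names are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Sample input copied from the sandbox "Files" listing above (Olkhmi32.exe, Ofeilobp.exe,
# Dmllipeg.exe and one memory-dump line). Constructed only in the sense of being excerpted.
SAMPLE_LISTING = r"""
C:\Windows\SysWOW64\Olkhmi32.exe

MD5 2144a018d6643fe39ae776b73e221b0c
SHA1 f274ef23daa4a64992b9849cdb693fbbf3b31a95
SHA256 e85ac45900b9b57516266e0e9e0a2ae29c941387a16b3e801b522295e152d0a8
SHA512 dfc299bb2aa034f6217ca1a6719b867fa39d567449fbcd4b68a581ab3fe23bef8229df3f56ee6880ef04181a259b30ee326f7c3f64386fbaf6aed27f155c67e9

memory/4264-305-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ofeilobp.exe

MD5 dc9ca8869866eba3fbba96522d462049
SHA1 ef93044cd9411520e12c6b42cf4cbbc39f82d2eb
SHA256 d26046fe134578fa74a22306e23360262958fb81d36acba1083065996cbfb2d4
SHA512 05bfe314f2613ab14b992015bfa1bb58b50b28954465fa268c43d08f7063dd541e799f33052bc5769530fe7c9772d9ae58efae58a129444a61e252487ff51702

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Expected hex length per algorithm, and the digest each algorithm yields for empty input
# (computed here with hashlib rather than hard-coded, so the comparison cannot drift).
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_DIGEST = {algo: hashlib.new(algo.lower(), b"").hexdigest() for algo in HASH_LEN}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex digest
    problems: list = field(default_factory=list)  # why this record should not become an IOC


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Parse the sandbox 'Files' listing into dropped-file records and memory-dump entries."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"digest line before any file path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                current.problems.append(f"{algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            elif digest == EMPTY_DIGEST[algo]:
                current.problems.append(f"{algo} is the digest of an empty file")
            current.hashes[algo] = digest
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m.group(1)), int(m.group(2)),
                                    int(m.group(3), 16), int(m.group(4), 16)))
            continue
        # Any other non-blank line is a file path and opens a new record.
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def actionable_sha256(files) -> dict:
    """path -> SHA256 for records with a complete, well-formed, non-empty-file hash set."""
    return {f.path: f.hashes["SHA256"]
            for f in files
            if not f.problems and set(f.hashes) == set(HASH_LEN)}


def dump_regions(dumps) -> set:
    """Distinct (start, end) ranges across all memory dumps; one range means one image layout."""
    return {(d.start, d.end) for d in dumps}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for f in files:
        print(f.path, "OK" if not f.problems else "; ".join(f.problems))
    print("blockable SHA256s:", actionable_sha256(files))
    print("dump regions:", {(hex(s), hex(e)) for s, e in dump_regions(dumps)})
```

Run against the full listing, the same parser lets you confirm that every `memory/...` entry in this section describes the same 0x400000 to 0x440000 range (a 0x40000-byte image per process), which is consistent with each stage being a copy of the same small PE rather than a differently sized payload.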