Malware Analysis Report

2025-03-15 09:45

Sample ID 240916-tb4easwenq
Target TrojanDownloader.Win32.Berbew.pz-b6bee6007806d3a8687396bcad366205d654364df4ea67f7fab69993661acc0cN
SHA256 b6bee6007806d3a8687396bcad366205d654364df4ea67f7fab69993661acc0c
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6bee6007806d3a8687396bcad366205d654364df4ea67f7fab69993661acc0c

Threat Level: Known bad

The file TrojanDownloader.Win32.Berbew.pz-b6bee6007806d3a8687396bcad366205d654364df4ea67f7fab69993661acc0cN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 15:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 15:53

Reported

2024-09-16 15:55

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjonncab.exe N/A

Berbew

backdoor berbew

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Djdgic32.exe C:\Windows\SysWOW64\Cegoqlof.exe N/A
File opened for modification C:\Windows\SysWOW64\Cinafkkd.exe C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Cjonncab.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Ceebklai.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Dmbcen32.exe N/A
File created C:\Windows\SysWOW64\Cinafkkd.exe C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cnkjnb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cinafkkd.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Cjonncab.exe N/A
File created C:\Windows\SysWOW64\Liempneg.dll C:\Windows\SysWOW64\Cjonncab.exe N/A
File created C:\Windows\SysWOW64\Kgloog32.dll C:\Windows\SysWOW64\Cnkjnb32.exe N/A
File created C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Ceebklai.exe N/A
File opened for modification C:\Windows\SysWOW64\Djdgic32.exe C:\Windows\SysWOW64\Cegoqlof.exe N/A
File created C:\Windows\SysWOW64\Eepejpil.dll C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cinafkkd.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Dmbcen32.exe N/A
File created C:\Windows\SysWOW64\Ccofjipn.dll C:\Windows\SysWOW64\Cegoqlof.exe N/A
File created C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Djdgic32.exe N/A
File created C:\Windows\SysWOW64\Nloone32.dll C:\Windows\SysWOW64\Ceebklai.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Djdgic32.exe N/A
File created C:\Windows\SysWOW64\Fikbiheg.dll C:\Windows\SysWOW64\Djdgic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Dmbcen32.exe N/A
File created C:\Windows\SysWOW64\Oeopijom.dll C:\Windows\SysWOW64\Cinafkkd.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cnkjnb32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system32\Djfdob32.exe C:\Windows\SysWOW64\Dpapaj32.exe N/A
File opened for modification C:\Windows\system32\Djfdob32.exe C:\Windows\SysWOW64\Dpapaj32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djdgic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceebklai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkjnb32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cegoqlof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" C:\Windows\SysWOW64\Cegoqlof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djdgic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll" C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjonncab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmbcen32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 1152 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 1152 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 1152 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2776 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Cjonncab.exe
PID 2776 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Cjonncab.exe
PID 2776 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Cjonncab.exe
PID 2776 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Cjonncab.exe
PID 2792 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cnkjnb32.exe
PID 2792 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cnkjnb32.exe
PID 2792 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cnkjnb32.exe
PID 2792 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cnkjnb32.exe
PID 2596 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Ceebklai.exe
PID 2596 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Ceebklai.exe
PID 2596 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Ceebklai.exe
PID 2596 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Ceebklai.exe
PID 2572 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cegoqlof.exe
PID 2572 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cegoqlof.exe
PID 2572 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cegoqlof.exe
PID 2572 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cegoqlof.exe
PID 1656 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Djdgic32.exe
PID 1656 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Djdgic32.exe
PID 1656 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Djdgic32.exe
PID 1656 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Djdgic32.exe
PID 2912 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Djdgic32.exe C:\Windows\SysWOW64\Dmbcen32.exe
PID 2912 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Djdgic32.exe C:\Windows\SysWOW64\Dmbcen32.exe
PID 2912 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Djdgic32.exe C:\Windows\SysWOW64\Dmbcen32.exe
PID 2912 wrote to memory of 2424 N/A C:\Windows\SysWOW64\Djdgic32.exe C:\Windows\SysWOW64\Dmbcen32.exe
PID 2424 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2424 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2424 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2424 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 1676 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1676 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1676 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1676 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Djdgic32.exe

C:\Windows\system32\Djdgic32.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 144

Network

N/A

Files

memory/1152-0-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Cinafkkd.exe

MD5 e1b5812d5d43f0a1ec2ada276bcf8193
SHA1 9fee9453f6e53b9fe42c249b7dc081b46adacd97
SHA256 18940c6beb3b616e028c37df921829d12ec961d698243be6990cd437b484c1b8
SHA512 6ba909c367840f12fd980f5d1999a8bd42428683c583704f8b548ac71ed9c5735681910788b95d506b068ea34c361026b7fc43d2583a8171c9f5bf93486453bd

memory/2776-14-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1152-13-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/1152-12-0x00000000005D0000-0x0000000000608000-memory.dmp

C:\Windows\SysWOW64\Cjonncab.exe

MD5 79a0582fa7c3438ac698ed011d45f12d
SHA1 fb6bf7934a30f4b81b1ee16b9c81608a48b9d949
SHA256 8459071c2b804e0f34b83252952f1edeb4aa4161818e1990e9f95856f8644a0e
SHA512 f179a8d7bb47d2ddc4c761958971af77ad0c9e5d0197e9b663c4652f82a80aa3bffe5b94c7817934fdff135e91ef167f3d9f9bd48ce13be3ad9fdf9581080ab3

memory/2596-45-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 9f436add851f849e109df28aeccf302a
SHA1 26f9df30f80f44e455af999a9f54d619d236a047
SHA256 ea02d5bc5e19b2b6e4569796dff65579ee92e24abbebd2de2afaf1e3160e13e3
SHA512 7d9574f151b1bc36f7048708bd51c3fd95fe999cfd6b2063e39e3abd3251883f5108fa5584a8f74e7c113e6ee8cdaa100f5a19dfda9d5d5867a90437f2e30ce1

memory/2792-38-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Ceebklai.exe

MD5 b7859f86835469def53772f09688c670
SHA1 e158addb78a94aa075a9a241009ca01c52400d79
SHA256 8b2b9f5c0f4214876b8b9d6972cf947a1afb8a249e84630f545711b8c9c9fa16
SHA512 928e063a8a2811f84f0633cb4945c92013ce55bcd3940e6848c28da68a8a0cc8e52f00e4db1b9748ee2f90951f55817da6f37faefc805c0bcaf2bc237092b75d

memory/2596-53-0x0000000000250000-0x0000000000288000-memory.dmp

memory/2572-54-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Cegoqlof.exe

MD5 52518916e017ae18e532fb9796b6e709
SHA1 39dd778185e8c1366d5a3782059a5bf8a3c003ce
SHA256 f6b41598dc10cc8eda1b88740b15a011f9942963a8cf9678f436d368956b267a
SHA512 c09be0c40bc366e825e24ea762cc2798a8e682c8816d2ec5570699c1b037564972c5f169f2e90e121ca68cc9d6e1be2e490fa89f5bf1071bdcb75dc02e7c4869

memory/1656-68-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2572-66-0x0000000000290000-0x00000000002C8000-memory.dmp

\Windows\SysWOW64\Djdgic32.exe

MD5 8dedf523f25d8b91101f735142e79ac4
SHA1 ed270b5269a76ab19a8329a3e0ba89a702f58dac
SHA256 e785b0fca859454b5cb35ef3bd4e047bbe13642bc34c328cb9b562ba572ca00c
SHA512 6a969c89ee6b58f130188f29c8a8bfec45fe137bb5b68edd10efd3f3f4591914110b86d8aaf5f9c56b7019e05a8f7d83de69f9aa0f8d4bdab2ee14597e590749

memory/1656-76-0x00000000002E0000-0x0000000000318000-memory.dmp

memory/2912-82-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Dmbcen32.exe

MD5 86a687cd023e9ec780b4b4531b4b6dde
SHA1 41c10fc150921a88df2445832aeeb2b3ef87f763
SHA256 bb75320ddc4ccc3fe9258409fdeaef542d2efb872e47da29f3f84195cfdfb419
SHA512 d64fc84f7aea06905b3b19232a15278140df9a2b65813b8e8cbd2d405eaa4a3aafa577bf4078a5a336ac1dfdcec6da14af24df09b7cd4a6346d33f295d1d15d1

memory/2424-95-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2424-103-0x0000000000250000-0x0000000000288000-memory.dmp

\Windows\SysWOW64\Dpapaj32.exe

MD5 120e9ba975fc63b4d7e10b8b29828638
SHA1 c9a335101a80b671e426abbf08fb0f26d0e5f014
SHA256 72718b67bc9bf99b77165c914286bb460d1e5c2854afb9f1891d425a65515743
SHA512 d645a5c890e0e4d2bc75ae942de06af28ed69dc5fbe12070fed334e60baa5f0a88805f000aa7f9246aef9f9bca32cddb7d67c746ef94ad7155e1df45a010074c

memory/2424-108-0x0000000000250000-0x0000000000288000-memory.dmp

memory/1152-116-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2776-117-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2572-118-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1656-119-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2912-120-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2424-121-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1676-122-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 15:53

Reported

2024-09-16 15:55

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ambgef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kibgmdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnhahj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kplpjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojjolnaq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onhhamgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojoign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofeilobp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldjhpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pclgkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgokmgjm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngdmod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aabmqd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdeoemeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldoaklml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Opdghh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anmjcieo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afmhck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfhdlh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngdmod32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeiofcji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngmgne32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lllcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnjlpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfckahdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldanqkki.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nloiakho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bffkij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfankifm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpqiemge.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngmgne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nggjdc32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kebbafoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmijbcpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Klljnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfankifm.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmkfhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdeoemeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfckahdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibgmdcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kplpjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lffhfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Leihbeib.exe N/A
N/A N/A C:\Windows\SysWOW64\Llcpoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldjhpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhdlh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmbmibhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpqiemge.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkaag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmdina32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpcfkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldoaklml.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgmngglp.exe N/A
N/A N/A C:\Windows\SysWOW64\Likjcbkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lljfpnjg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldanqkki.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgokmgjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lllcen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdckfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgddhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdhdajea.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlcifmbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmbfpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmnlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnebeogl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngmgne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nilcjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npfkgjdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpccdlj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnjlpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcdmikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngbpidjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Njqmepik.exe N/A
N/A N/A C:\Windows\SysWOW64\Nloiakho.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndfqbhia.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngdmod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnneknob.exe N/A
N/A N/A C:\Windows\SysWOW64\Npmagine.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggjdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnqbanmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Oponmilc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogifjcdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojgbfocc.exe N/A
N/A N/A C:\Windows\SysWOW64\Odmgcgbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojjolnaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Olhlhjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Opdghh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onhhamgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcmfodb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojoign32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oddmdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofeilobp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnlaml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdfjifjo.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Lgokmgjm.exe N/A
File created C:\Windows\SysWOW64\Bmfpfmmm.dll C:\Windows\SysWOW64\Ojjolnaq.exe N/A
File opened for modification C:\Windows\SysWOW64\Onhhamgg.exe C:\Windows\SysWOW64\Opdghh32.exe N/A
File created C:\Windows\SysWOW64\Pnlaml32.exe C:\Windows\SysWOW64\Ofeilobp.exe N/A
File created C:\Windows\SysWOW64\Kgldjcmk.dll C:\Windows\SysWOW64\Qqfmde32.exe N/A
File created C:\Windows\SysWOW64\Ohbkfake.dll C:\Windows\SysWOW64\Ojgbfocc.exe N/A
File opened for modification C:\Windows\SysWOW64\Opdghh32.exe C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File opened for modification C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Aadifclh.exe N/A
File created C:\Windows\SysWOW64\Flgehc32.dll C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
File created C:\Windows\SysWOW64\Hpoddikd.dll C:\Windows\SysWOW64\Aeklkchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgehcmmm.exe C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File created C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\SysWOW64\Cmqmma32.exe N/A
File created C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dmcibama.exe N/A
File opened for modification C:\Windows\SysWOW64\Leihbeib.exe C:\Windows\SysWOW64\Lffhfh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pflplnlg.exe C:\Windows\SysWOW64\Pmdkch32.exe N/A
File created C:\Windows\SysWOW64\Lpggmhkg.dll C:\Windows\SysWOW64\Cajlhqjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdeoemeg.exe C:\Windows\SysWOW64\Kmkfhc32.exe N/A
File created C:\Windows\SysWOW64\Chmhoe32.dll C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File created C:\Windows\SysWOW64\Ickfifmb.dll C:\Windows\SysWOW64\Aeiofcji.exe N/A
File opened for modification C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmgjgcgo.exe C:\Windows\SysWOW64\Cjinkg32.exe N/A
File created C:\Windows\SysWOW64\Qjkmdp32.dll C:\Windows\SysWOW64\Npfkgjdn.exe N/A
File created C:\Windows\SysWOW64\Nnjlpo32.exe C:\Windows\SysWOW64\Ngpccdlj.exe N/A
File created C:\Windows\SysWOW64\Bnkgeg32.exe C:\Windows\SysWOW64\Bfdodjhm.exe N/A
File created C:\Windows\SysWOW64\Kkmjgool.dll C:\Windows\SysWOW64\Ddjejl32.exe N/A
File created C:\Windows\SysWOW64\Ngbpidjh.exe C:\Windows\SysWOW64\Ndcdmikd.exe N/A
File created C:\Windows\SysWOW64\Deeiam32.dll C:\Windows\SysWOW64\Pflplnlg.exe N/A
File opened for modification C:\Windows\SysWOW64\Qnhahj32.exe C:\Windows\SysWOW64\Pcbmka32.exe N/A
File created C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Aabmqd32.exe N/A
File created C:\Windows\SysWOW64\Kjpgii32.dll C:\Windows\SysWOW64\Ofeilobp.exe N/A
File created C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Cjinkg32.exe C:\Windows\SysWOW64\Belebq32.exe N/A
File created C:\Windows\SysWOW64\Cojlbcgp.dll C:\Windows\SysWOW64\Ldjhpl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpqiemge.exe C:\Windows\SysWOW64\Lmbmibhb.exe N/A
File created C:\Windows\SysWOW64\Ikkokgea.dll C:\Windows\SysWOW64\Lllcen32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oddmdf32.exe C:\Windows\SysWOW64\Ojoign32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgllfp32.exe C:\Windows\SysWOW64\Pdmpje32.exe N/A
File created C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bmkjkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeiofcji.exe C:\Windows\SysWOW64\Aqncedbp.exe N/A
File created C:\Windows\SysWOW64\Akmfnc32.dll C:\Windows\SysWOW64\Agoabn32.exe N/A
File created C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cdfkolkf.exe N/A
File created C:\Windows\SysWOW64\Mfilim32.dll C:\Windows\SysWOW64\Pnakhkol.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Qgcbgo32.exe N/A
File created C:\Windows\SysWOW64\Hfggmg32.dll C:\Windows\SysWOW64\Bgehcmmm.exe N/A
File created C:\Windows\SysWOW64\Dmcibama.exe C:\Windows\SysWOW64\Dfiafg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhkjej32.exe C:\Windows\SysWOW64\Delnin32.exe N/A
File created C:\Windows\SysWOW64\Kboeke32.dll C:\Windows\SysWOW64\Ageolo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File created C:\Windows\SysWOW64\Imllie32.dll C:\Windows\SysWOW64\Klljnp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nloiakho.exe C:\Windows\SysWOW64\Njqmepik.exe N/A
File created C:\Windows\SysWOW64\Bnbmefbg.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Nedmmlba.dll C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
File created C:\Windows\SysWOW64\Dchfiejc.dll C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldjhpl32.exe C:\Windows\SysWOW64\Llcpoo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldanqkki.exe C:\Windows\SysWOW64\Lljfpnjg.exe N/A
File created C:\Windows\SysWOW64\Ebinhj32.dll C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnfdcjkg.exe C:\Windows\SysWOW64\Pgllfp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Qqfmde32.exe N/A
File created C:\Windows\SysWOW64\Pdfjifjo.exe C:\Windows\SysWOW64\Pnlaml32.exe N/A
File created C:\Windows\SysWOW64\Cnffqf32.exe C:\Windows\SysWOW64\Cfpnph32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogifjcdp.exe C:\Windows\SysWOW64\Oponmilc.exe N/A
File created C:\Windows\SysWOW64\Dodbbdbb.exe C:\Windows\SysWOW64\Dhkjej32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdmnlj32.exe C:\Windows\SysWOW64\Mmbfpp32.exe N/A
File created C:\Windows\SysWOW64\Ofcmfodb.exe C:\Windows\SysWOW64\Oqfdnhfk.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmkfhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojoign32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqdqof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pclgkb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daekdooc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfkaag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnebeogl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kplpjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bclhhnca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfckahdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oddmdf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmannhhj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anmjcieo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ageolo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmdina32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngpccdlj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcbmka32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aglemn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onhhamgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlcifmbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oponmilc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdckfk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nilcjp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aabmqd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opdghh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afmhck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agoabn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfankifm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfhdlh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojjolnaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Leihbeib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnneknob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnjlpo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Belebq32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpcfkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnlaml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmdina32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll" C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" C:\Windows\SysWOW64\Onhhamgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll" C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oponmilc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oponmilc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll" C:\Windows\SysWOW64\Bmemac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pclgkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqfmde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" C:\Windows\SysWOW64\Lmdina32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afmhck32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kfankifm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lffhfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll" C:\Windows\SysWOW64\Ldjhpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdmnlj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdmpje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll" C:\Windows\SysWOW64\Pqdqof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqijje32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfankifm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldanqkki.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdmnlj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Leihbeib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lljfpnjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll" C:\Windows\SysWOW64\Anmjcieo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" C:\Windows\SysWOW64\Lllcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll" C:\Windows\SysWOW64\Qjoankoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll" C:\Windows\SysWOW64\Ngdmod32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfdodjhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfckahdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qjoankoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdeoemeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll" C:\Windows\SysWOW64\Kmkfhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npfkgjdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opdghh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgokmgjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngdmod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" C:\Windows\SysWOW64\Aadifclh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
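The persistence table earlier in this section and the registry class table above describe one mechanism in two halves: a ShellServiceObjectDelayLoad value ("Web Event Logger") points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default is repointed at a succession of dropped DLLs under SysWow64, so Explorer loads the DLL at logon. The following Python script is an added example and not part of the sandbox report: it parses rows in the report's own "description indicator process target" layout, joins the SSODL value to its CLSID and the CLSID to the DLL paths written as its InProcServer32 default, collects dropped .dll files as IOCs, and lists the live-host registry keys to inspect. The sample rows are a constructed subset copied from the tables in this section; the function names, regexes and the registry_checks key list are the author of this example's, not the sandbox's.

```python
import re
from collections import defaultdict

# Constructed subset of the signature rows from this section (persistence,
# "Modifies registry class" and "Drops file in System32 directory"), kept in
# the report's own "description indicator process target" layout.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeiofcji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpcfkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll" C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" C:\Windows\SysWOW64\Onhhamgg.exe N/A
File created C:\Windows\SysWOW64\Bmfpfmmm.dll C:\Windows\SysWOW64\Ojjolnaq.exe N/A
File opened for modification C:\Windows\SysWOW64\Onhhamgg.exe C:\Windows\SysWOW64\Opdghh32.exe N/A
"""

# Row shapes as printed by the sandbox. The key is everything up to the last
# backslash before ' = "', so a value name may contain spaces ("Web Event Logger")
# and the default value shows up as an empty name (the 'InProcServer32\ = ' rows).
SET_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\]*?) = '
    r'"(?P<value>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+) (?P<process>\S+) (?P<target>\S+)$')
FILE_RE = re.compile(
    r'^File (?P<op>created|opened for modification) (?P<path>\S+) (?P<process>\S+) (?P<target>\S+)$'
)
CLSID_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})(\\InProcServer32)?$', re.IGNORECASE)
SSODL_SUFFIX = "\\shellserviceobjectdelayload"


def parse_rows(text):
    """Yield (kind, fields) for every recognised row; unrecognised rows are skipped."""
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("set", SET_RE), ("key", KEY_RE), ("file", FILE_RE)):
            m = rx.match(line)
            if m:
                yield kind, m.groupdict()
                break


def build_chain(text):
    """Return ({ssodl value name: {clsid, inproc_dlls, writers}}, [dropped .dll paths])."""
    ssodl = {}                   # SSODL value name -> CLSID it points at
    inproc = defaultdict(set)    # CLSID -> DLL paths written as its InProcServer32 default
    writers = defaultdict(set)   # CLSID -> processes that wrote any part of the chain
    dropped_dlls = set()
    for kind, row in parse_rows(text):
        if kind == "set" and row["key"].lower().endswith(SSODL_SUFFIX):
            clsid = row["value"].upper()
            ssodl[row["name"]] = clsid
            writers[clsid].add(row["process"])
        elif kind in ("set", "key"):
            m = CLSID_RE.search(row["key"])
            if not m:
                continue
            clsid = m.group("clsid").upper()
            writers[clsid].add(row["process"])
            if kind == "set" and row["name"] == "":
                # The report doubles backslashes inside quoted values; undo that.
                inproc[clsid].add(row["value"].replace("\\\\", "\\"))
        elif kind == "file" and row["op"] == "created" and row["path"].lower().endswith(".dll"):
            dropped_dlls.add(row["path"])
    chain = {
        name: {
            "clsid": clsid,
            "inproc_dlls": sorted(inproc.get(clsid, ())),
            "writers": sorted(writers.get(clsid, ())),
        }
        for name, clsid in ssodl.items()
    }
    return chain, sorted(dropped_dlls)


def registry_checks(chain):
    """Live-host keys to inspect for each SSODL entry: the native view (what a
    64-bit Explorer reads) and the Wow6432Node view (where a 32-bit dropper's
    writes are redirected on 64-bit Windows). Key list is this example's, not the sandbox's."""
    checks = set()
    for entry in chain.values():
        checks.update([
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
            r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
            r"HKLM\SOFTWARE\Classes\CLSID\%s\InProcServer32" % entry["clsid"],
            r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\%s\InProcServer32" % entry["clsid"],
        ])
    return sorted(checks)


if __name__ == "__main__":
    chain, dlls = build_chain(SAMPLE_ROWS)
    for name, entry in chain.items():
        print(name, "->", entry["clsid"])
        for dll in entry["inproc_dlls"]:
            print("  InProcServer32:", dll)
        print("  written by:", ", ".join(entry["writers"]))
    print("dropped DLLs:", dlls)
    print("keys to check:", *registry_checks(chain), sep="\n  ")
```

Two things to keep in mind when turning this into a host check. Every CLSID write in this report lands under Wow6432Node because the dropper is a 32-bit process running under WOW64 registry redirection; a 64-bit Explorer reads the native view, so on a 64-bit host the entry that would actually load at logon is the one in the non-Wow6432Node path, and on a 32-bit host the same writes appear without the Wow6432Node component. Second, the InProcServer32 default is rewritten repeatedly (Coffpf32.dll, Gpaekf32.dll, and so on in the table above), so treat the whole set of DLL paths as IOCs rather than only the last value observed.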

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Kebbafoj.exe
PID 2416 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Kebbafoj.exe
PID 2416 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Kebbafoj.exe
PID 4336 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Kebbafoj.exe C:\Windows\SysWOW64\Kmijbcpl.exe
PID 4336 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Kebbafoj.exe C:\Windows\SysWOW64\Kmijbcpl.exe
PID 4336 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Kebbafoj.exe C:\Windows\SysWOW64\Kmijbcpl.exe
PID 4860 wrote to memory of 4976 N/A C:\Windows\SysWOW64\Kmijbcpl.exe C:\Windows\SysWOW64\Klljnp32.exe
PID 4860 wrote to memory of 4976 N/A C:\Windows\SysWOW64\Kmijbcpl.exe C:\Windows\SysWOW64\Klljnp32.exe
PID 4860 wrote to memory of 4976 N/A C:\Windows\SysWOW64\Kmijbcpl.exe C:\Windows\SysWOW64\Klljnp32.exe
PID 4976 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Klljnp32.exe C:\Windows\SysWOW64\Kfankifm.exe
PID 4976 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Klljnp32.exe C:\Windows\SysWOW64\Kfankifm.exe
PID 4976 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Klljnp32.exe C:\Windows\SysWOW64\Kfankifm.exe
PID 2160 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Kfankifm.exe C:\Windows\SysWOW64\Kmkfhc32.exe
PID 2160 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Kfankifm.exe C:\Windows\SysWOW64\Kmkfhc32.exe
PID 2160 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Kfankifm.exe C:\Windows\SysWOW64\Kmkfhc32.exe
PID 4004 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Kmkfhc32.exe C:\Windows\SysWOW64\Kdeoemeg.exe
PID 4004 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Kmkfhc32.exe C:\Windows\SysWOW64\Kdeoemeg.exe
PID 4004 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Kmkfhc32.exe C:\Windows\SysWOW64\Kdeoemeg.exe
PID 4416 wrote to memory of 4120 N/A C:\Windows\SysWOW64\Kdeoemeg.exe C:\Windows\SysWOW64\Kfckahdj.exe
PID 4416 wrote to memory of 4120 N/A C:\Windows\SysWOW64\Kdeoemeg.exe C:\Windows\SysWOW64\Kfckahdj.exe
PID 4416 wrote to memory of 4120 N/A C:\Windows\SysWOW64\Kdeoemeg.exe C:\Windows\SysWOW64\Kfckahdj.exe
PID 4120 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Kfckahdj.exe C:\Windows\SysWOW64\Kibgmdcn.exe
PID 4120 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Kfckahdj.exe C:\Windows\SysWOW64\Kibgmdcn.exe
PID 4120 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Kfckahdj.exe C:\Windows\SysWOW64\Kibgmdcn.exe
PID 1144 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Kibgmdcn.exe C:\Windows\SysWOW64\Kplpjn32.exe
PID 1144 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Kibgmdcn.exe C:\Windows\SysWOW64\Kplpjn32.exe
PID 1144 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Kibgmdcn.exe C:\Windows\SysWOW64\Kplpjn32.exe
PID 1624 wrote to memory of 4644 N/A C:\Windows\SysWOW64\Kplpjn32.exe C:\Windows\SysWOW64\Lffhfh32.exe
PID 1624 wrote to memory of 4644 N/A C:\Windows\SysWOW64\Kplpjn32.exe C:\Windows\SysWOW64\Lffhfh32.exe
PID 1624 wrote to memory of 4644 N/A C:\Windows\SysWOW64\Kplpjn32.exe C:\Windows\SysWOW64\Lffhfh32.exe
PID 4644 wrote to memory of 1112 N/A C:\Windows\SysWOW64\Lffhfh32.exe C:\Windows\SysWOW64\Leihbeib.exe
PID 4644 wrote to memory of 1112 N/A C:\Windows\SysWOW64\Lffhfh32.exe C:\Windows\SysWOW64\Leihbeib.exe
PID 4644 wrote to memory of 1112 N/A C:\Windows\SysWOW64\Lffhfh32.exe C:\Windows\SysWOW64\Leihbeib.exe
PID 1112 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Leihbeib.exe C:\Windows\SysWOW64\Llcpoo32.exe
PID 1112 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Leihbeib.exe C:\Windows\SysWOW64\Llcpoo32.exe
PID 1112 wrote to memory of 2432 N/A C:\Windows\SysWOW64\Leihbeib.exe C:\Windows\SysWOW64\Llcpoo32.exe
PID 2432 wrote to memory of 508 N/A C:\Windows\SysWOW64\Llcpoo32.exe C:\Windows\SysWOW64\Ldjhpl32.exe
PID 2432 wrote to memory of 508 N/A C:\Windows\SysWOW64\Llcpoo32.exe C:\Windows\SysWOW64\Ldjhpl32.exe
PID 2432 wrote to memory of 508 N/A C:\Windows\SysWOW64\Llcpoo32.exe C:\Windows\SysWOW64\Ldjhpl32.exe
PID 508 wrote to memory of 4244 N/A C:\Windows\SysWOW64\Ldjhpl32.exe C:\Windows\SysWOW64\Lfhdlh32.exe
PID 508 wrote to memory of 4244 N/A C:\Windows\SysWOW64\Ldjhpl32.exe C:\Windows\SysWOW64\Lfhdlh32.exe
PID 508 wrote to memory of 4244 N/A C:\Windows\SysWOW64\Ldjhpl32.exe C:\Windows\SysWOW64\Lfhdlh32.exe
PID 4244 wrote to memory of 5036 N/A C:\Windows\SysWOW64\Lfhdlh32.exe C:\Windows\SysWOW64\Lmbmibhb.exe
PID 4244 wrote to memory of 5036 N/A C:\Windows\SysWOW64\Lfhdlh32.exe C:\Windows\SysWOW64\Lmbmibhb.exe
PID 4244 wrote to memory of 5036 N/A C:\Windows\SysWOW64\Lfhdlh32.exe C:\Windows\SysWOW64\Lmbmibhb.exe
PID 5036 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Lmbmibhb.exe C:\Windows\SysWOW64\Lpqiemge.exe
PID 5036 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Lmbmibhb.exe C:\Windows\SysWOW64\Lpqiemge.exe
PID 5036 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Lmbmibhb.exe C:\Windows\SysWOW64\Lpqiemge.exe
PID 2948 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Lpqiemge.exe C:\Windows\SysWOW64\Lfkaag32.exe
PID 2948 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Lpqiemge.exe C:\Windows\SysWOW64\Lfkaag32.exe
PID 2948 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Lpqiemge.exe C:\Windows\SysWOW64\Lfkaag32.exe
PID 3008 wrote to memory of 5072 N/A C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Lmdina32.exe
PID 3008 wrote to memory of 5072 N/A C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Lmdina32.exe
PID 3008 wrote to memory of 5072 N/A C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Lmdina32.exe
PID 5072 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Lmdina32.exe C:\Windows\SysWOW64\Lpcfkm32.exe
PID 5072 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Lmdina32.exe C:\Windows\SysWOW64\Lpcfkm32.exe
PID 5072 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Lmdina32.exe C:\Windows\SysWOW64\Lpcfkm32.exe
PID 4144 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Lpcfkm32.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 4144 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Lpcfkm32.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 4144 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Lpcfkm32.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 4604 wrote to memory of 3796 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lgmngglp.exe
PID 4604 wrote to memory of 3796 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lgmngglp.exe
PID 4604 wrote to memory of 3796 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lgmngglp.exe
PID 3796 wrote to memory of 4932 N/A C:\Windows\SysWOW64\Lgmngglp.exe C:\Windows\SysWOW64\Likjcbkc.exe
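The rows above record one line per WriteProcessMemory call, so every hop in the drop chain appears three times and the parent-to-child order is easy to lose in the noise. The following Python, added here as an illustration and not part of the sandbox report or of the sample, collapses the rows into unique hops, rebuilds the linear chain from the root PID, and flags images that fit the naming scheme the dropped files in this run follow (an initial capital plus seven lowercase letters, or five lowercase letters plus "32", under SysWOW64). The name pattern is generalised from this report, not a documented Berbew rule, and the embedded rows are a constructed excerpt of the table above.

```python
import re

# Constructed excerpt of the WriteProcessMemory rows above; a real run would
# feed in the whole table. Each hop repeats once per WriteProcessMemory call.
SAMPLE_ROWS = """\
PID 4336 wrote to memory of 4860 N/A C:\\Windows\\SysWOW64\\Kebbafoj.exe C:\\Windows\\SysWOW64\\Kmijbcpl.exe
PID 4336 wrote to memory of 4860 N/A C:\\Windows\\SysWOW64\\Kebbafoj.exe C:\\Windows\\SysWOW64\\Kmijbcpl.exe
PID 4336 wrote to memory of 4860 N/A C:\\Windows\\SysWOW64\\Kebbafoj.exe C:\\Windows\\SysWOW64\\Kmijbcpl.exe
PID 4860 wrote to memory of 4976 N/A C:\\Windows\\SysWOW64\\Kmijbcpl.exe C:\\Windows\\SysWOW64\\Klljnp32.exe
PID 4860 wrote to memory of 4976 N/A C:\\Windows\\SysWOW64\\Kmijbcpl.exe C:\\Windows\\SysWOW64\\Klljnp32.exe
PID 4976 wrote to memory of 2160 N/A C:\\Windows\\SysWOW64\\Klljnp32.exe C:\\Windows\\SysWOW64\\Kfankifm.exe
"""

# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>"
ROW_RE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) \S+ "
    r"(?P<src>\S+) (?P<dst>\S+)$"
)

# Naming scheme observed for the dropped stages in this run (assumption
# generalised from the report, not a documented rule of the family).
BERBEW_NAME_RE = re.compile(
    r"^C:\\Windows\\SysWOW64\\[A-Z](?:[a-z]{7}|[a-z]{5}32)\.exe$"
)


def parse_hops(text):
    """Return {(src_pid, dst_pid, src_image, dst_image): call_count}, in order."""
    hops = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, blank or unrelated row
        key = (int(m["src_pid"]), int(m["dst_pid"]), m["src"], m["dst"])
        hops[key] = hops.get(key, 0) + 1
    return hops


def build_chain(hops):
    """Walk parent -> child from the single root PID; returns [(pid, image), ...]."""
    child_of, image_of, parents, children = {}, {}, set(), set()
    for src, dst, src_img, dst_img in hops:
        child_of[src] = dst
        image_of[src] = src_img
        image_of[dst] = dst_img
        parents.add(src)
        children.add(dst)
    roots = sorted(parents - children)
    if len(roots) != 1:
        raise ValueError(f"expected one chain root, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:  # guard against cycles
        seen.add(pid)
        chain.append((pid, image_of[pid]))
        pid = child_of.get(pid)
    return chain


def berbew_named(chain):
    """Images in the chain whose path fits the observed drop-name scheme."""
    return [img for _, img in chain if BERBEW_NAME_RE.match(img)]


if __name__ == "__main__":
    for pid, img in build_chain(parse_hops(SAMPLE_ROWS)):
        print(f"{pid:>6}  {img}")
```

Fed the full table, the root is the original sample's PID and every subsequent stage is a fresh SysWOW64 binary; the name check is what you would carry into an EDR hunt, since the chain shows the family never reuses a file name.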

Processes

C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

C:\Windows\SysWOW64\Kebbafoj.exe

C:\Windows\system32\Kebbafoj.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kfankifm.exe

C:\Windows\system32\Kfankifm.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kfckahdj.exe

C:\Windows\system32\Kfckahdj.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Lffhfh32.exe

C:\Windows\system32\Lffhfh32.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Llcpoo32.exe

C:\Windows\system32\Llcpoo32.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lfhdlh32.exe

C:\Windows\system32\Lfhdlh32.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lllcen32.exe

C:\Windows\system32\Lllcen32.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mdhdajea.exe

C:\Windows\system32\Mdhdajea.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Ngdmod32.exe

C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Oddmdf32.exe

C:\Windows\system32\Oddmdf32.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pnakhkol.exe

C:\Windows\system32\Pnakhkol.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5176 -ip 5176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 212

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
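Every row in the table is a reverse (PTR) lookup sent to the sandbox's resolver at 8.8.8.8; the "Domain" column is the in-addr.arpa query name, which carries the octets of the address being looked up in reverse order. The Python below, an added example rather than part of the report, recovers the looked-up IPv4 addresses from those names and rejects anything that is not a well-formed in-addr.arpa name. The sample names are constructed from the table, with two deliberately malformed entries added.

```python
import ipaddress

# Constructed from the Network table above, plus two bad entries to show the
# validation path. Only reverse lookups appear in the table; no forward
# resolution or outbound connection is listed.
SAMPLE_PTR_NAMES = [
    "196.249.167.52.in-addr.arpa",
    "240.143.123.92.in-addr.arpa",
    "13.86.106.20.in-addr.arpa",
    "not-a-ptr.example",        # constructed: not a reverse-lookup name
    "300.1.2.3.in-addr.arpa",   # constructed: octet out of range
]

IN_ADDR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ipv4(name):
    """Turn an in-addr.arpa query name into the address it asks about.

    The labels are least-significant octet first, so the name
    196.249.167.52.in-addr.arpa is a PTR query for 52.167.249.196.
    Returns None for anything that is not a valid four-octet name.
    """
    name = name.rstrip(".").lower()
    if not name.endswith(IN_ADDR_SUFFIX):
        return None
    octets = name[: -len(IN_ADDR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def decode_ptr_table(names):
    """Map each valid query name to the decoded address; invalid names are dropped."""
    decoded = {}
    for n in names:
        ip = ptr_name_to_ipv4(n)
        if ip is not None:
            decoded[n] = ip
    return decoded


if __name__ == "__main__":
    for query, ip in decode_ptr_table(SAMPLE_PTR_NAMES).items():
        print(f"{query:<32} -> {ip}")
```

Treat the decoded addresses as low-confidence indicators: the table shows only reverse lookups, with no forward resolution or outbound connection attributed to the sample, and reverse lookups of this kind are routinely generated by the operating system for peers it has already talked to. Confirm against the sandbox's packet capture before adding any of them to a blocklist.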

Files

memory/2416-0-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kebbafoj.exe

MD5 f0be9e216f6076c651fc7f8e5fcd8bbd
SHA1 86e5ba5dad0d23b6aad2faa2ee1dbfca185fe2be
SHA256 e1deb02c1a8948cbc604b5ec98807d9a83f72731eae4e5476497a5de58070998
SHA512 6d4718fc19b625740cef9f7d0f5b7136c061244dd5a5c7a18ec58cda7516ca5eb4cf5e9ffde8188a3919c0b4d45a8d0008c2f0bf3b980603782854b166aa8f5f

memory/4336-7-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kmijbcpl.exe

MD5 ca647fb7a04a4d689d6594dd877756c8
SHA1 5ae24aa3c4161f252ff4b6c65609ea09c26478ea
SHA256 8a00eef9a1508356649e6c7a75a0fffb6e927bc7e46174f8f0fd644f219b900b
SHA512 20e75237a8d4ce31a926ef343a5c6c5f08cf3aaf78d1417f3bd13f53c7deb6adb53379ddba0b119ea92ba71ee43ba5028c4c2995ced6b214712644c6efa07d56

memory/4860-20-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Klljnp32.exe

MD5 af9c304706e76806e1af97b8a551f6c6
SHA1 037bcf0c326bb93cc43b69cc49508c47ab7f7dcc
SHA256 0658f96cfe33a06b3cf612748942baa83013dd702eee555cbe13b46869571468
SHA512 3bb04d6302e719b0fc1d6011ee219bbb7a3e56b6410a2deee65dae8607c484c9d67eedb63a2d74743d183e83b7e7e95da1f4c0d247d55034e79a1978d6ae7ea1

memory/4976-24-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kfankifm.exe

MD5 ec38b6b715052a56bde92e3898150bee
SHA1 79fc9b3f7d05e1b374652c46c7844b68887dd055
SHA256 bf978efc67d3962220a6ece1f92280c9533e0e1ae81b8f6e4a2ec6c7192638f5
SHA512 77bf1ab1d1dab105cd641596ebaf003d81477e0fb913e5a49099a819838965d561823b45d0f8188a190a28d7472e1e4079c0a3e51e1b434a0d5fabc69cb8b6f0

memory/2160-31-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kmkfhc32.exe

MD5 0c5379817b0c10f5b248ce2c9ceac178
SHA1 cb618143be105d3d58ce43986767627a13767f84
SHA256 aeab860933fd765b3d3c8a0afe969192cf144d2a79ddfba93b5d75b715aee7ee
SHA512 15c6af16933674cb501e744e0cf5d105ffecd3d6e5a870a742841ec3e68d1b56e4d0480fe3ef1742447c365230e5fb6adf2c4433c30eeba80004b3f2fc8efdcc

memory/4004-39-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kdeoemeg.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These four values are the digests of a zero-byte file: the sandbox hashed this path before the dropper had finished writing it. They match every empty file on every system and must not be used as indicators; the second Kdeoemeg.exe entry below carries the real digests.)

C:\Windows\SysWOW64\Kdeoemeg.exe

MD5 f0093c7d7f2840c9059a3412a3ed41d2
SHA1 7bb0a17132973fc9024aa327641f138f4a49359c
SHA256 d990ff3c29fbb4d64c6fdd50f42954bf1342ffa3649bee793fc1d1f518c43994
SHA512 3946cdc2dd9eae65957aa81c2e045a7f356dbc9d2e4f32835615e49276f3a4d9381facec36d35c48f00a5c6a14e3406cb8b385bc520363d3312f31c0afbbb4a1

memory/4416-48-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kfckahdj.exe

MD5 8c94d1531233713beb379a6a46c63ae2
SHA1 329a505588b13c7891f8e0b5b0a0b9d0cf7f9072
SHA256 537563373b9b4eb8630a6fb94f61b65fb4dccd3a5bc3c5bc685e47b7ad31da71
SHA512 16a914d7aeaf993d2f6ce7ffae6c7bee35a145096f7f3d63f9d1fd12ea57a5e89f0cccf27599d76839e6268dfb01e3313c3d27aebdc94abd6edff79e4bc61a28

memory/4120-55-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kibgmdcn.exe

MD5 e05caf54b1dd396c3e278be55e471964
SHA1 a9b27c9cc0dbe121788a6008a99c41949ac01759
SHA256 0c5c9ff1b0b0cf1880eb0a2d4798e8f8170587392c201fa20d8749483d568e3b
SHA512 db41795ae6e9cdbf8a675448c93c0a2752821943485c21c433981a6a24d57e357f9375864d3f7630e052ae092339feaa47141d993d539fbacd4b27f7eeb73060

memory/1144-63-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kplpjn32.exe

MD5 132bb869cd1000d7f527f4f42b54f898
SHA1 e5f7bbc4ae72817eb1ba124035609b5c5fe95e19
SHA256 68d66334806931a9d79f0eab9c3c8773bc431a06cf2702a1fa3b62be4b258ec6
SHA512 8cedeca815d8948d800c5485f8f7cc65ab76bc1b89d236c8cc76533bb0d2970de7a02c6aaa6e0c93f2ee62fbf7f43f4922c3915be4066c0dc2bc83fc9568eecc

memory/1624-72-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lffhfh32.exe

MD5 73d3c31090b0044976b7a1ad92e715b1
SHA1 691c24a0d27f4181cc9bf1773275089b44f4a6f6
SHA256 d7a60ae12503ee6c48c83b115deaf81780504102e55884389c954f26f856464a
SHA512 5725ed67b06e517e4232004dc79c2615218c47811523e6df3b0a73d0babbf6b142f794f1ecdfc3df4cc509e61f40d46c591d7ef8f244d839d9160252725259b0

memory/4644-80-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Leihbeib.exe

MD5 49ebf9afedffa8620d164b42c30f235d
SHA1 cee0501d7c297075fd3fd33c137e0941e7c05199
SHA256 c50a21284149fb4fc7ba992eb5a13136d5757c7a10c369c46ea7a0ae7665cb89
SHA512 3ad10841bf850503ff7658c856590c29772719014c00a1c0de44a88860f46069893b2a7f85feb6fe298bcc82a0edd77bf2cf15a7a434563cb0d347c8c4be9541

memory/1112-87-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2432-96-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Llcpoo32.exe

MD5 dafeb091504d425af3a5c8505482f30f
SHA1 11261548c44a48e96d30cf5fd4b1c3b206756bd5
SHA256 563076d57b61180d231ebf7aa83e9eb3d4ed0434d669835d7d07ffe93fb3d187
SHA512 d0262ce4dedf0afa6c5184108d0cf438bed3f942efc6c275bd4df9c629d781efe6382af47c324c73b787e788bc43d2e044b5122f24550c4326d2f61cc6dfe317

C:\Windows\SysWOW64\Ldjhpl32.exe

MD5 75c6276fa43675d9337bb098b8b4582b
SHA1 392f1af7393ae6e08406c1dbf4b1ee564ae795ad
SHA256 74f0c31d9765607fa71d0a70a0d50802309b869051715113ddf46b439ad2de46
SHA512 b81e0d0f3437ad12f7eb43f1e36f99a34f74a41861b6db09cf163c01c1b8ea0350be9c01c1149de69146d8e605e6783f9b98dc8535df39926c5ade5893cb13b6

memory/508-103-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lfhdlh32.exe

MD5 2a93d10cf2868439d317668ece7aa8ab
SHA1 a21c057165c2bdeee453cfed095195237af4e24d
SHA256 bf4a27ab5a72693a69782117e45035a5066e1a869b056ae0ba3fae7636ba7e51
SHA512 e855cc0d9e653071a0afb09df1ab47f84598134eacbf41ea04d34b50e1a738a373afbce42376ba3297ecbd8f031394c55ea4000b4d3b9f13ddc10e9878f9ec90

memory/4244-111-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lmbmibhb.exe

MD5 c518997488520799ea36dd6954c655dc
SHA1 4d82600417d38f1b8b47b262bf59b0c9bec97713
SHA256 4f3a0e7e258f175e6b27c8bffd5984d44fb017e7851b24dfa6054252610b914f
SHA512 f9c8b9f8c0f01f3a80e6e88c3da231f9b9ce89ff7e0fb2efcb32cf6f425dc6e34f000168410e8d801c4d245b5625ec8dd2beda9987cb87a967a5565b603d06c6

memory/5036-120-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lpqiemge.exe

MD5 cc4f3aac85dcce397da9ff0ab3d931c3
SHA1 abaa2438bc7938ade5f041ddd6f516b4d38b90b6
SHA256 37d12c70fa36cff59a7e374820bdf5ee170ec6eb597018099ad9a8b3a03a4f95
SHA512 3e9eba2c45f513361e71b3bcb700f39858a246a04756970f40086c44365a1df70830f58df0dcd51dac5e6b1389d93057ca82a42efa50bed12a0f58d88e940a40

memory/2948-127-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lfkaag32.exe

MD5 cb7de8fca24e6312a9f9b79757d7fd48
SHA1 12297895a3b32a3e705bd45e3147920444603190
SHA256 7f1d414f5ce31276e40c4ab30f8ec39e25abdbd1b589fc863052f581a5be8691
SHA512 bf9dda93c4f08dfe9c73a34806b0cc7d36b1afaf6cc4c424db54a4de929d7127f3050618e9f73e7e3cb2c14099bcc167c034c6893c21788e90690ee95c2199cf

memory/3008-135-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lmdina32.exe

MD5 c49556ccfb57e5f189c04ae9b0510cd3
SHA1 e3710124a419b5db639a00afb14c5309081ea818
SHA256 154d6229c7e949b8bb3457471979e3aae363074ee866ed4ed6c0f67789f07642
SHA512 6ab56c1e9e74a11013c6a4955e48e8ce661982f8b0e30789527b72131c92ed3761171b7bd60e809dd1b2dd0d0d795fe0a30d78c176ae238361c9a59ce055dea8

memory/5072-143-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lpcfkm32.exe

MD5 771d8c23ec868c589d9f1df1c06f386b
SHA1 936d61ed6d4ab98bba46d9c5dd6a456f3d110800
SHA256 848c8f2c8d7004636edb66ef208f7e88c4adf40b6ebdf2a91386c985b8564297
SHA512 566b92164918d05b655bf05e814bc152a63d07a7cb953a2ccb470cb88f1fe20c69dadc42a4350c7732c57b07367de86021a2124f87d45e418f554241773d1420

memory/4144-156-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4604-164-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ldoaklml.exe

MD5 05620fa97183d2863bdd068b0cc6ecc2
SHA1 1de95217447e56450d3db8200968f90c0abf918e
SHA256 1c5280c53f1fdf07a0c514301eb6d4e61986cc8fa1c0f044f5757f2c370d6640
SHA512 1873d75ed15df9cc7e2745ce77ffc1bff880e4213b0f0a7b46ba63376f077f5a48ef50c831e58a5d236935a237c3c4799aab60a64b2048ffbb64cdb0049b49cb

C:\Windows\SysWOW64\Lgmngglp.exe

MD5 159e432f930acb6f3572ead344382ef1
SHA1 5b15d86e053155783223fc557c5c097473180371
SHA256 c7c13036999c2fdf3bef93a7fb8330a20da87b3c1a8527ddbd99dbe49202f98a
SHA512 d1ec0a9e3b80d1c25021e14db3f666d8bbff063a706343cfc6d4e0f0be795fbf2a32c4aea6b4a1f8f63b4e35b21dae4d6b0e0102fcb7216da6ffc1e37f590fa2

memory/3796-169-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Likjcbkc.exe

MD5 ca57c229c775244a4aebb4a5f1b08598
SHA1 3259fc3b632fa8ae1e6cb6bbae19a3a80193bf76
SHA256 d9c53b7b0a86c569251a52f669199352f94c21ce58b56c7931e25550a8264c74
SHA512 b0aa3fd9dda98d18dca98d51d6c4e3b9b9677b7a14201f0bede6a9d2722b2a8d514272258be22cf8562444c40be1ee531b0ad45a4b17f8677f3224538c5ca312

memory/4932-181-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1772-184-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lljfpnjg.exe

MD5 0f2d56ebae7b2e94568dcb3ad4611f89
SHA1 e79f8924895fb3666f5124e62a985b3bb1c88c4f
SHA256 8e478e1b66b10731cef86ce46e6d24e28396ad3c6290640e910545c66911c815
SHA512 5d76cde096b302001e85cf49ec0df47b34a8f177ed9a2c729e3e67d803aaf08006c50cdaf46e802e7c2e977938822c096517bcd4cca45385195148de13a84d1f

C:\Windows\SysWOW64\Ldanqkki.exe

MD5 cfa5456042ad91b4b14c4ad88277ba36
SHA1 4a5f99a6830c87d33846dd8239517c85156fbf88
SHA256 a0f1108de0df980ff2d7aed2ff54ee2b05a945b9dab85b4d37625833d9adebe4
SHA512 7a316cba3b2374686c301c85a3a66a1f94a4717815e253df825b03627f9c4afa1d3aa88c53ebac32feab2a1b404d125650ed651128479d83b0c278da0d6898ea

memory/3144-192-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2644-199-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Lgokmgjm.exe

MD5 ea639d50994b7b00473b809685af53cd
SHA1 4e319e5d3b5c0970fdcd48eb61f859487b56cbfd
SHA256 861820f6676726c8f3efd8953f71cdbdf1a9127a02862cfe3d078299ac748ba0
SHA512 8e4411bda89a3c7048847306dec17a7049a128d883b26945923514c2a44033dbad60cbdf641073362c8a217c02b2edf7fbfdff5d680a9716429529ef0f4a5e98

C:\Windows\SysWOW64\Lllcen32.exe

MD5 d57fdbff7105d86f6b07a86952313fcc
SHA1 7eed85a95f06a6f5831def8a7fb6a13223ab0f7d
SHA256 5d52f06c1982019835f4d7852e462420411090f9252384e194877dcdebd4f84a
SHA512 86952ab397b3edf8532f58868095d7e2e2d3549a4a8471be7510c6b723558771c4e957188e07c6b5ccc3c1d3d9f74f7653869549f4e66473dba45658ccf930eb

memory/3600-207-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Mdckfk32.exe

MD5 55df68f6465dc7d7eca2372d8668df0a
SHA1 c6653211712dbcc4f5a54d63ba6d2f19eb8a054e
SHA256 def0ed1909ae4f4f7bd3842d5d5bee6e293e49f823e856c5ac51ae827578a726
SHA512 82992195282b4ada1f790c6db1d06b325b70a93d9d3b40fb90d987c8c42ff21e2704be1ebe21711ed1b6ce1f802798d81f6b9b7cc9750e09eeaf9f59ef3c1990

memory/396-215-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Mmlpoqpg.exe

MD5 f3e74b5bd13d81bfbed4c32ff784143b
SHA1 12c139d76b54e87cdfe81e09da9cbfaab5851e4a
SHA256 c15bc78c335ae3a7c076f0bab2dcabdf626176846e9488b57198c379e1d076cb
SHA512 d1ace3b17fdb6b48d63bc22ab8cbd7c179523c63b29a48724c681875412f1d2c3f7a4843a8e80e1e76d7ca7439d22bd0c309c3338a3199f2f615618cd0dc51d9

memory/4652-223-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Mgddhf32.exe

MD5 be8b6559ab0e60d3a52bcf7b5bd44c4c
SHA1 4c833f023e2d37055909ef3f82b863fcb05aa543
SHA256 80d218b2467ab79315dd88deda4fde613904f8ea74ef548893b654007ba36df3
SHA512 d2c212048ec4c08155d7547e870c5f6631365e33e7d2a0247984f07ce923a01a3ab61f51792a6bf0447c9d7133524752b7e71e897a036c039fe59cfe30350e14

memory/1976-231-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Mdhdajea.exe

MD5 390b21d6cfc7ef12bbc2b10788b614c0
SHA1 9c5694af898359dedf3ca3fe8834cc8ab4215267
SHA256 da054f3c8986f86b366456d4a980b94b3022c38d9a7bdbf754ad4aae022263d8
SHA512 e095a88c04b5e8cf28f464bc3da0454f34606ec1974d01f9d16b0b221e5f7233aff33e7e371500bfe87f71cdc2786db713235251d52224424b31064eae6e362e

memory/1932-239-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2976-247-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Mlcifmbl.exe

MD5 bc3b5c4ac6da7008917eeb24ae99af2e
SHA1 d23605c7d17f50b6633c2c5051507e42a48bcd85
SHA256 a7cbe44fcc4437f7b6cdc023c2b2dbe2cf6c98fa4e268fbfd45d6772b22cceb4
SHA512 ee32c69a761a2de5d7436607abcd1755af59ecfde7e52d78db747de10b158bf1a7f2cbbc3ea54ffd093d02a6fea44c16f2784505ecb12400ca5646adff43e141

memory/5012-255-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Mmbfpp32.exe

MD5 ef9066a85e8a7c573bae1d9b751cc018
SHA1 d854555464975adedfb9bacb6636339bb6a42b22
SHA256 4688ef2b95771550cb9c13a91947a401661f95d365fad80e99b9434a54a96914
SHA512 e4931b5890aac207ee92bc9db20f7d74125f9e8a7c6ab5e11f3627464e0115de9f4a59ba0efd00a4d770ffd647bea38572838c8e2c1409497a8f34a6d68f85e0

memory/3192-262-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1764-268-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3116-274-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1260-280-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Npfkgjdn.exe

MD5 962c981d7bd19b148d409d2b90f20a70
SHA1 182053462dbe98304a0f1dfab895227f4b560c59
SHA256 4759eb3fbf204d5f3f5fa0e0697c80910a5e8f199f9ea435a2e9a9b72b85181b
SHA512 5d8a1d8bf7c13fcd3e09109a82cdbad499eef3831b5810f737cfadfdf260f994aeb23a28b59242a30237d226bfda0c973bfcfc339cb7a2c958011df5d246cf82

memory/3044-286-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4720-292-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Nnjlpo32.exe

MD5 991d65342d74a2df51d49f891d55a092
SHA1 8dfb179780a7338addb26680e5d39b69a7f189fe
SHA256 80643edfbb425e250dc307f530431166f2020432f064e355b439f29c39fd7923
SHA512 968277209b5e8d24dc1fef12bb7aba13790ff8079acabc793673f157180876ff3329e64594a79bf1cd0e095e3dfa3eaa72776e475942fc7bb08fa2738ce0da73

memory/4264-298-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3304-304-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3352-310-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3396-316-0x0000000000400000-0x0000000000438000-memory.dmp

memory/908-322-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5044-328-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3472-334-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4948-340-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-346-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4584-352-0x0000000000400000-0x0000000000438000-memory.dmp

memory/528-358-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5076-364-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1588-370-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ojgbfocc.exe

MD5 37b26c77e9f5b957057e00e1e0833169
SHA1 cd6d3940c8aea5f03fa96fb62c33d7d054dc5a6a
SHA256 94be2c06792fad6492970062e00d34573a950b13beeca6d598ffe645f882162a
SHA512 55856b1955f0f22c3dbc4c8b19e1f3f562b5f0a8e21156b10e17237322003ebf0d1e35f1e7a79acccb68eba5d2ecd744da3190658553e2925bddadb1ed2eefee

memory/2440-376-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3476-382-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ojjolnaq.exe

MD5 1026c139c535fa8ac250f06fb014611e
SHA1 d8bb27021e37bc5c9b44fb15b8b6078b18adafee
SHA256 8b65d20e47621f47ace02f232c9ef0402d1a81da027ed5bc967f0f06fbc7eaed
SHA512 246fd15d0b6c68fe9efa382dbf2283abac02389ddd95c987b6c1831a0521e44f18486b7cd9ed4e0d7a09032ef0a0fbba5171110de69d5cbeff73a7386016eec2

memory/3948-388-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3332-394-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Opdghh32.exe

MD5 709e8232169737171778b545f262996d
SHA1 71913b84768932848bbddc96dc61163ceb6e1561
SHA256 63d4f539700a14626738cf7d9114bb9cd27f79308b84d3c812d1292c94e8f3d1
SHA512 f5645b04650b4a75dcb795f219ee5d23765f50424fbbc1cd9a826170c0192457551aadd151d4ff8da5c1bb954af1adb6a9031a30504a1246c8fb76bc6c3f94e4

memory/2400-400-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4568-406-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1240-412-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2000-418-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4280-424-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4756-430-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ofeilobp.exe

MD5 48d56349a8bb6cc6213bdb5fe3ea8ea9
SHA1 b364073ef8ae1628b3ecf836e33e49eaff958904
SHA256 b02041daa3dad73496ce9b84aba2fe491fcb8a959a23b37d53a81ea301ed971d
SHA512 a32500b26b59a5f3ca37105a04d1dee67dba2b3e9dd0f8cac4e5aa6b68eef1e24a904c6436e90dc6d7d502c801608f6ac14e868574cf62c10ecf130bde835fa3

memory/4380-440-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4816-442-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Pdfjifjo.exe

MD5 6a74010a55ef4b3f1723b25bb81bb3e7
SHA1 75eadca375b12753a9b592df7c9dd2a9b0c8ba13
SHA256 35861a7e6660992cfb556e65edf5ab14f1dd265563e9063c7438bd070f495aa1
SHA512 c8a131ed8d8f6febc0f47aa7cb06d4da334063e3b6eed664ed66c074eec85fe2a86f38e18e06b2138c2b7ea17194f8ebed7baf05ee83d487bcbb3adcde6eb59e

memory/220-448-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3636-454-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2304-460-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Pdifoehl.exe

MD5 abca05b4cd01bbcca8bee5bcede21a0c
SHA1 ecad6193e8045648faab80177b8be7aa1f403fcb
SHA256 2694865ec27d3da0893287250851d09a3baf4c1a2c8e5b8a43a255b80d9355da
SHA512 8e057a49392192b44143b235ca970ab93bc0e70e882688fa3da790614f5b6c1a3afc0b334e308d6a35ba1203ab861d577f38d3726a4dd4f99f9c226ff581b776

memory/4636-466-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4760-472-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3108-478-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2692-484-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5092-490-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3920-496-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Pdmpje32.exe

MD5 92ada8e4fd9becaa6221bc65ae099229
SHA1 df00f612ae9ed6cf5e32de0ae0ad26dab170c6e4
SHA256 0f95305371757cb5a4a88fa1ae46dab08aa6a04610fb9e33c1de690ef64ae1c3
SHA512 2b3f3848c9e9c7d3203a57778d6c21c98b134272530b48addc6ea619d21329e182ef3cb4c8e5698c7a0c9cefa4f22660420829998e7cab87822e2d032d6c4a4d

memory/1220-502-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1076-508-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4952-514-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1416-520-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2552-526-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Qnhahj32.exe

MD5 a6943da327fe321f0c0199be6377354c
SHA1 45010c87b9852442b0842023536d447eabb893e4
SHA256 637789bd87fa21f61b9100e65647f4a2df9ea230b8d7deedc9b1521fb59fb6b3
SHA512 6b730306311ab4472d5f717fe1a3fb35addc895d51302ff60fb7c139dcdc4c466ea46ce22e5993f04c4184b31ad7ed771cc3db3c9d2529fc3d0b246702d71062

memory/4320-532-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4352-538-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5100-545-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2416-544-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Qjoankoi.exe

MD5 849b9266007c41283ac47398c5e02669
SHA1 995beece4633ad62ce194bee6eb59696605bbfbd
SHA256 2045ea4a2ba8ec84d7677297cae8a30744857a93b140688cd1a14b284514fefc
SHA512 8b87bba90a987cb485ae9fe468ced7ea51b37bec79c24338b8ffd416f714dc841417983ad179f2e4ba30bc8e0cb4f380bf1e6ada1dfb6cb860b4fcf2b90a87fc

memory/4336-551-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4596-552-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4860-558-0x0000000000400000-0x0000000000438000-memory.dmp

memory/756-559-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3488-566-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4976-565-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2160-572-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4052-577-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4004-579-0x0000000000400000-0x0000000000438000-memory.dmp

memory/812-580-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3360-587-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4416-586-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4120-593-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4572-598-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ajfhnjhq.exe

MD5 885136f2d4f8eadcd5cc0b2c69cde1b1
SHA1 f683fa321e1d66e12dd77c933488151e09d4c040
SHA256 6e21ceb989c6bee52f50f0d2b648e87cf9f177d91ed8da6883774f921dd1a1e4
SHA512 ce5bd989ad60eccddd99582b16a36f3588af2c1cd1931768e0aa20a15d4e76c7d6f48a330f58c670965eecfd9ea6a3785b8a5b2e6cbdff55ee150224005c5e4b

C:\Windows\SysWOW64\Aglemn32.exe

MD5 dc17a1bca5b521d535545b8039452ff3
SHA1 55a0f62255dd21b8a4793bf3cc50d3670f6e7ee8
SHA256 7789ad2d7f65908f916d672c5e65fe87b40fafdafe65307b3b64717f1dd32e9c
SHA512 0c67b248fffae2f7e6f7df990e812101fd2230651de39c30734a25af2c8e3ad1c8933cf8cf3e767a0bc2396bb86a810a725b73ff00d028bd31c039f12f2f150b

C:\Windows\SysWOW64\Agoabn32.exe

MD5 22c2213293535a0542cb7ecc034d66c2
SHA1 1a4e7e5f7adf12942f42d642c8b39fc1717606da
SHA256 31320632a300fdafc522ea4c25bb6e4bc0b9b9956468dd4658f1a3a4d38d8c53
SHA512 3e7739d191b5e68921a706227e8296424e6f7ba2c8254f75d12a7c778687734250dba89b9642e0513f8d3a9d17a6c3e4dc2dbc6e7630fa717ed3f77d8aefbc84

C:\Windows\SysWOW64\Bnkgeg32.exe

MD5 158961c7ca9f4481fc7cab2985ce882b
SHA1 074584ce4f429101ce45bbf200ba4367e4de563a
SHA256 84283451440088cb8e449cf9a5fbebf558464847eec9e94f25a066ffbc2823b7
SHA512 ebb171b636647d3b3959c069df5f09e52ccadcca100312042ac435ff10929c1249e547e9f303e09c955fff6a4c3c83f89acc11fc720f646486fedadcf498ff9e

C:\Windows\SysWOW64\Cjinkg32.exe

MD5 6ffd9036c644ce0aa1708ee78ea40118
SHA1 bade509d997d2761819e7067deea5fe07c7f8898
SHA256 7387f3e3183aa2ffeb1a45b66de582a4a2357045437c8fe22c61e43bd7ac5fbd
SHA512 ef8b9ea13a3218c3ef3a2b0023c4be0762644d1495446e3a616b18b98a0ce3b8e294ea710294b5df938b0050e11f213b0cdb35bc0313175486e2b7263a771964

C:\Windows\SysWOW64\Cfpnph32.exe

MD5 ad5906a5c4e6d8022ea2dc3f592a1731
SHA1 d7bdca50e71cb2ca2515d55551d9e2b3731e7a20
SHA256 e90d3f4e7b23190f006c2ffddc6ba91c0c684c4861448c6f939a08330f915c30
SHA512 70a4ed31e2aaadd0c746e475848ef591dce937072278573e3f5e032c0ca4810b55bbf16badced941ebd8fb504b83e3dc4a5ee990f6c961c55fd809ee2b303434

C:\Windows\SysWOW64\Cjmgfgdf.exe

MD5 7bc1743e8dec54e2a30fba32138fb789
SHA1 475f47971685d52127296b609fc00384b63bb3b8
SHA256 759d8279b50ad117197d5acd4788f5db133cd0eecfbcd7814bfcdfd16f6c7188
SHA512 a7638a7cf3602bd3e74e05a023600123dae4f6557945b39fb93e1ee3c91cefd1bfa44edfcb2ae90840390c20138df66b14e8f49a9980bc1a590d8e011e44277e

C:\Windows\SysWOW64\Cjpckf32.exe

MD5 13eb94276c027523123ffa7ee61feb01
SHA1 7c394a373aaeb7742e11a9fa8ac791f5d891f3dd
SHA256 b6fa50b318c90b86ea86f808a3fde6b28ed0721dc24c5a3976dd18eb426a4390
SHA512 9084e16473ccb6fcd2b793d63efb9c8650ffd295dfa199a0620a8957cbc53906ad9fad4511e3926ac0260c17f92e82ab7f8acbc23eed42a8bf4cf5fe61b5022e

C:\Windows\SysWOW64\Ddjejl32.exe

MD5 be0d68c480ff546806d1e57e1c7bee9d
SHA1 142f0158b4ba5bb90ad393ff3bc718e7dd9cee63
SHA256 67e10fa77a01edfcdd75ba56b3d9a14f35cfea08e568744c5248633fd6b5cc9c
SHA512 6db71c75d7cb9f26fd1002b8852d880add573023c0a003c4d8c1b6c25c8a93a9ed64d1c4088409eb5bac03c05aa735a682f2c36856a8598b68d9e55c2302d11c

C:\Windows\SysWOW64\Dmcibama.exe

MD5 3d5545f2a0fa973196e932f423c2c936
SHA1 70fc3ac5c4675bfdea617546d2f4858c289d9866
SHA256 32ad554ec8f851db283a19b81cc3d4925bea97c57e8e08ad3c51a2f74c467fe0
SHA512 210c92cf86931b266ff762e266379a15c0e8218c95b8a7d83b2da1d519861caee44f2315e8a99c2bd662d878cf65308b137bdad4f6f2d33930b9516c21d8464a

C:\Windows\SysWOW64\Dmefhako.exe

MD5 d5dd3d478220d809a4f2cc3f9a036754
SHA1 2bc184779999d3e604af443d4f4355670a75d4d4
SHA256 c1f117c29e2496fb9e74588b96acd31e67f409a69a0cc4790de42f8e7c98ee18
SHA512 f619f0d931b54bf4f4a6ea89fe58860f0c4cac405c078e1bb2cf8058fca09e0a856ca6c7aee39b43403d6b0ea7c988018ea74170a38463a59d6619e1a4978a73

C:\Windows\SysWOW64\Ddakjkqi.exe

MD5 0459c375f9a0cb2789bf3025c0d14c69
SHA1 75a3cc83f3a077dae39b47bcc7fedfd4399a5d19
SHA256 e9bb013e93353ccfa4e9e204f9ffcc25e6f189fda55588ff97ba989dcdfabf01
SHA512 58de6719efb595dbd35fd4d7a3462882b887898de8a65dc69665f7ab26e3269a82c92c55b8b642784c2ebf34e69dc6647a88891048da5c55a0dd2f1840073560

C:\Windows\SysWOW64\Dhocqigp.exe

MD5 6c7bb7db97126c74d09e54d6d0d89f51
SHA1 9376db034e6f10e769d9e5daf86b99c57d7de6bc
SHA256 9eb780b87dd64777c25baf782bba572fa5291c31b3da45bb37d2d13c587b97c2
SHA512 4ee0cbeacc4bda44127693fb3f94c342ae552551fd5048d34c0f7db0ba790050baa01da52390e12248f288fc77141b7186a863f535dbf24809ef2ea4771e6342

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 730e2caf696b95b2a51a6d6394c2aea7
SHA1 d7643239f545b744ba5f869bd47adaa925fc1e0c
SHA256 6b9e0a29642d8d9f687569571c59bd609b111da918d79921e771188ff611f67f
SHA512 8e518066a53284528b04c95c374b6c7dc03f452f2c67a4b5881d328983e6a0ac183816199dda567b18ef08597042ca074035e6de318bb7bb9e0506b06c0a6f5d
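A practitioner working from this Files listing usually wants two things: the entries in a machine-readable form, and a sweep that matches hosts against them by content hash rather than by name, since the dropper writes copies under random eight-letter names in SysWOW64. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses the listing format used above (a `C:\` path line followed by MD5/SHA1/SHA256/SHA512 lines, with `memory/PID-index-start-end-memory.dmp` lines in between), rejects digests of the wrong length, and hashes every file under a directory looking for matches. The embedded excerpt is copied from the listing; the directory walked in `demo_sweep()` and the file written into it are constructed for the demo and are assumptions. `image_sizes()` exposes one observation the listing itself supports: every memory region recorded on the page spans 0x400000-0x438000, i.e. the same 0x38000-byte image under each process.

```python
"""Parse a sandbox 'Files' listing into IOCs and sweep a directory against them.
Added example; not the report's or the sandbox's own code."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Excerpt copied from the report's Files listing (the page has many more entries).
LISTING = r"""
memory/2440-376-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ojjolnaq.exe

MD5 1026c139c535fa8ac250f06fb014611e
SHA1 d8bb27021e37bc5c9b44fb15b8b6078b18adafee
SHA256 8b65d20e47621f47ace02f232c9ef0402d1a81da027ed5bc967f0f06fbc7eaed
SHA512 246fd15d0b6c68fe9efa382dbf2283abac02389ddd95c987b6c1831a0521e44f18486b7cd9ed4e0d7a09032ef0a0fbba5171110de69d5cbeff73a7386016eec2

memory/3948-388-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Opdghh32.exe

MD5 709e8232169737171778b545f262996d
SHA1 71913b84768932848bbddc96dc61163ceb6e1561
SHA256 63d4f539700a14626738cf7d9114bb9cd27f79308b84d3c812d1292c94e8f3d1
SHA512 f5645b04650b4a75dcb795f219ee5d23765f50424fbbc1cd9a826170c0192457551aadd151d4ff8da5c1bb954af1adb6a9031a30504a1246c8fb76bc6c3f94e4
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (dropped files, memory dumps). Raises on malformed lines or digests."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a dump line ends the preceding file entry
            continue
        if PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LENGTHS[algo]:  # catch truncated/garbled digests
                raise ValueError(f"{current.path}: {algo} digest has wrong length")
            current.hashes[algo] = digest
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return files, dumps


def image_sizes(dumps) -> set:
    """Distinct sizes of the dumped regions; one value means one image everywhere."""
    return {d.size for d in dumps}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(directory: str, iocs) -> list:
    """(local path, IOC path) for each file whose SHA-256 matches an IOC.
    Matches on content, not name: the dropper's file names are random."""
    by_sha = {f.hashes["SHA256"]: f.path for f in iocs if "SHA256" in f.hashes}
    hits = []
    for root, _, names in os.walk(directory):
        for name in names:
            p = os.path.join(root, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable/locked file; report separately in real use
            if digest in by_sha:
                hits.append((p, by_sha[digest]))
    return hits


def demo_sweep():
    """Constructed demo (assumption): a temp dir holding one harmless file.
    Returns (hits against the report IOCs, hits once that file's hash is added, its path)."""
    files, _ = parse_listing(LISTING)
    d = tempfile.mkdtemp()
    p = os.path.join(d, "constructed.bin")
    payload = b"constructed sample, not the real dropper"
    with open(p, "wb") as fh:
        fh.write(payload)
    fake = DroppedFile(r"C:\Windows\SysWOW64\Constructed.exe",
                       {"SHA256": hashlib.sha256(payload).hexdigest()})
    return sweep(d, files), sweep(d, files + [fake]), p


if __name__ == "__main__":
    fs, ds = parse_listing(LISTING)
    print(len(fs), "files,", len(ds), "dumps, image sizes:", [hex(s) for s in image_sizes(ds)])
    print(demo_sweep()[:2])
```

Point `sweep()` at `C:\Windows\SysWOW64` on a suspect host after pasting the full listing into `LISTING`; MD5 and SHA1 are carried along for cross-referencing other tools but matching is done on SHA-256 only.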