Analysis Overview
SHA256
b6bee6007806d3a8687396bcad366205d654364df4ea67f7fab69993661acc0c
Threat Level: Known bad
The file TrojanDownloader.Win32.Berbew.pz-b6bee6007806d3a8687396bcad366205d654364df4ea67f7fab69993661acc0cN was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 15:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 15:53
Reported
2024-09-16 15:55
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
Berbew
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Djdgic32.exe | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cinafkkd.exe | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnkjnb32.exe | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cegoqlof.exe | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cinafkkd.exe | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceebklai.exe | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjonncab.exe | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cnkjnb32.exe | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| File created | C:\Windows\SysWOW64\Liempneg.dll | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgloog32.dll | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cegoqlof.exe | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djdgic32.exe | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| File created | C:\Windows\SysWOW64\Eepejpil.dll | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjonncab.exe | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ccofjipn.dll | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmbcen32.exe | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nloone32.dll | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmbcen32.exe | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fikbiheg.dll | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oeopijom.dll | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceebklai.exe | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32†Djfdob32.¿xe | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File opened for modification | C:\Windows\system32†Djfdob32.¿xe | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dpapaj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll" | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"
C:\Windows\SysWOW64\Cinafkkd.exe
C:\Windows\system32\Cinafkkd.exe
C:\Windows\SysWOW64\Cjonncab.exe
C:\Windows\system32\Cjonncab.exe
C:\Windows\SysWOW64\Cnkjnb32.exe
C:\Windows\system32\Cnkjnb32.exe
C:\Windows\SysWOW64\Ceebklai.exe
C:\Windows\system32\Ceebklai.exe
C:\Windows\SysWOW64\Cegoqlof.exe
C:\Windows\system32\Cegoqlof.exe
C:\Windows\SysWOW64\Djdgic32.exe
C:\Windows\system32\Djdgic32.exe
C:\Windows\SysWOW64\Dmbcen32.exe
C:\Windows\system32\Dmbcen32.exe
C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 144
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-16 15:53
Reported
2024-09-16 15:55
Platform
win10v2004-20240802-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oqfdnhfk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kibgmdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qnhahj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kplpjn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojjolnaq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Onhhamgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldjhpl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pclgkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdeoemeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldoaklml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Anmjcieo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afmhck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfhdlh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odmgcgbi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeiofcji.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnqbanmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnjlpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfckahdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nloiakho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfankifm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpqiemge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nggjdc32.exe | N/A |
Berbew
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Lllcen32.exe | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmfpfmmm.dll | C:\Windows\SysWOW64\Ojjolnaq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Onhhamgg.exe | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnlaml32.exe | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgldjcmk.dll | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohbkfake.dll | C:\Windows\SysWOW64\Ojgbfocc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Opdghh32.exe | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agoabn32.exe | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| File created | C:\Windows\SysWOW64\Flgehc32.dll | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpoddikd.dll | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgehcmmm.exe | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddjejl32.exe | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Leihbeib.exe | C:\Windows\SysWOW64\Lffhfh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pflplnlg.exe | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpggmhkg.dll | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kdeoemeg.exe | C:\Windows\SysWOW64\Kmkfhc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chmhoe32.dll | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ickfifmb.dll | C:\Windows\SysWOW64\Aeiofcji.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bclhhnca.exe | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmgjgcgo.exe | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjkmdp32.dll | C:\Windows\SysWOW64\Npfkgjdn.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnjlpo32.exe | C:\Windows\SysWOW64\Ngpccdlj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnkgeg32.exe | C:\Windows\SysWOW64\Bfdodjhm.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkmjgool.dll | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngbpidjh.exe | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| File created | C:\Windows\SysWOW64\Deeiam32.dll | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qnhahj32.exe | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjpgii32.dll | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| File created | C:\Windows\SysWOW64\Aadifclh.exe | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjinkg32.exe | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cojlbcgp.dll | C:\Windows\SysWOW64\Ldjhpl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lpqiemge.exe | C:\Windows\SysWOW64\Lmbmibhb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikkokgea.dll | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oddmdf32.exe | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pgllfp32.exe | C:\Windows\SysWOW64\Pdmpje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bebblb32.exe | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aeiofcji.exe | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Akmfnc32.dll | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjpckf32.exe | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfilim32.dll | C:\Windows\SysWOW64\Pnakhkol.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfggmg32.dll | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmcibama.exe | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhkjej32.exe | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kboeke32.dll | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmemac32.exe | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| File created | C:\Windows\SysWOW64\Imllie32.dll | C:\Windows\SysWOW64\Klljnp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nloiakho.exe | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnbmefbg.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Nedmmlba.dll | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| File created | C:\Windows\SysWOW64\Dchfiejc.dll | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldjhpl32.exe | C:\Windows\SysWOW64\Llcpoo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldanqkki.exe | C:\Windows\SysWOW64\Lljfpnjg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebinhj32.dll | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pnfdcjkg.exe | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qdbiedpa.exe | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdfjifjo.exe | C:\Windows\SysWOW64\Pnlaml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnffqf32.exe | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ogifjcdp.exe | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| File created | C:\Windows\SysWOW64\Dodbbdbb.exe | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mdmnlj32.exe | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\SysWOW64\Oqfdnhfk.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmkfhc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pqdqof32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pclgkb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lfkaag32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mnebeogl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kplpjn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfckahdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oddmdf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmannhhj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anmjcieo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lmdina32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngpccdlj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Onhhamgg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnfdcjkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlcifmbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnqbanmo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nilcjp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afmhck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfankifm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lfhdlh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojjolnaq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Leihbeib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnneknob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogifjcdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnjlpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Belebq32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lpcfkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ogifjcdp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pnlaml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lmdina32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll" | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" | C:\Windows\SysWOW64\Onhhamgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll" | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll" | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pclgkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnfdcjkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" | C:\Windows\SysWOW64\Lmdina32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afmhck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kfankifm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" | C:\Windows\SysWOW64\Ogifjcdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lffhfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll" | C:\Windows\SysWOW64\Ldjhpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pdmpje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll" | C:\Windows\SysWOW64\Pqdqof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kfankifm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Leihbeib.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lljfpnjg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll" | C:\Windows\SysWOW64\Anmjcieo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll" | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll" | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfdodjhm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kfckahdj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdeoemeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll" | C:\Windows\SysWOW64\Kmkfhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Npfkgjdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe | "C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe" |
| C:\Windows\SysWOW64\Kebbafoj.exe | C:\Windows\system32\Kebbafoj.exe |
| C:\Windows\SysWOW64\Kmijbcpl.exe | C:\Windows\system32\Kmijbcpl.exe |
| C:\Windows\SysWOW64\Klljnp32.exe | C:\Windows\system32\Klljnp32.exe |
| C:\Windows\SysWOW64\Kfankifm.exe | C:\Windows\system32\Kfankifm.exe |
| C:\Windows\SysWOW64\Kmkfhc32.exe | C:\Windows\system32\Kmkfhc32.exe |
| C:\Windows\SysWOW64\Kdeoemeg.exe | C:\Windows\system32\Kdeoemeg.exe |
| C:\Windows\SysWOW64\Kfckahdj.exe | C:\Windows\system32\Kfckahdj.exe |
| C:\Windows\SysWOW64\Kibgmdcn.exe | C:\Windows\system32\Kibgmdcn.exe |
| C:\Windows\SysWOW64\Kplpjn32.exe | C:\Windows\system32\Kplpjn32.exe |
| C:\Windows\SysWOW64\Lffhfh32.exe | C:\Windows\system32\Lffhfh32.exe |
| C:\Windows\SysWOW64\Leihbeib.exe | C:\Windows\system32\Leihbeib.exe |
| C:\Windows\SysWOW64\Llcpoo32.exe | C:\Windows\system32\Llcpoo32.exe |
| C:\Windows\SysWOW64\Ldjhpl32.exe | C:\Windows\system32\Ldjhpl32.exe |
| C:\Windows\SysWOW64\Lfhdlh32.exe | C:\Windows\system32\Lfhdlh32.exe |
| C:\Windows\SysWOW64\Lmbmibhb.exe | C:\Windows\system32\Lmbmibhb.exe |
| C:\Windows\SysWOW64\Lpqiemge.exe | C:\Windows\system32\Lpqiemge.exe |
| C:\Windows\SysWOW64\Lfkaag32.exe | C:\Windows\system32\Lfkaag32.exe |
| C:\Windows\SysWOW64\Lmdina32.exe | C:\Windows\system32\Lmdina32.exe |
| C:\Windows\SysWOW64\Lpcfkm32.exe | C:\Windows\system32\Lpcfkm32.exe |
| C:\Windows\SysWOW64\Ldoaklml.exe | C:\Windows\system32\Ldoaklml.exe |
| C:\Windows\SysWOW64\Lgmngglp.exe | C:\Windows\system32\Lgmngglp.exe |
| C:\Windows\SysWOW64\Likjcbkc.exe | C:\Windows\system32\Likjcbkc.exe |
| C:\Windows\SysWOW64\Lljfpnjg.exe | C:\Windows\system32\Lljfpnjg.exe |
| C:\Windows\SysWOW64\Ldanqkki.exe | C:\Windows\system32\Ldanqkki.exe |
| C:\Windows\SysWOW64\Lgokmgjm.exe | C:\Windows\system32\Lgokmgjm.exe |
| C:\Windows\SysWOW64\Lllcen32.exe | C:\Windows\system32\Lllcen32.exe |
| C:\Windows\SysWOW64\Mdckfk32.exe | C:\Windows\system32\Mdckfk32.exe |
| C:\Windows\SysWOW64\Mmlpoqpg.exe | C:\Windows\system32\Mmlpoqpg.exe |
| C:\Windows\SysWOW64\Mgddhf32.exe | C:\Windows\system32\Mgddhf32.exe |
| C:\Windows\SysWOW64\Mdhdajea.exe | C:\Windows\system32\Mdhdajea.exe |
| C:\Windows\SysWOW64\Mlcifmbl.exe | C:\Windows\system32\Mlcifmbl.exe |
| C:\Windows\SysWOW64\Mmbfpp32.exe | C:\Windows\system32\Mmbfpp32.exe |
| C:\Windows\SysWOW64\Mdmnlj32.exe | C:\Windows\system32\Mdmnlj32.exe |
| C:\Windows\SysWOW64\Mnebeogl.exe | C:\Windows\system32\Mnebeogl.exe |
| C:\Windows\SysWOW64\Ngmgne32.exe | C:\Windows\system32\Ngmgne32.exe |
| C:\Windows\SysWOW64\Nilcjp32.exe | C:\Windows\system32\Nilcjp32.exe |
| C:\Windows\SysWOW64\Npfkgjdn.exe | C:\Windows\system32\Npfkgjdn.exe |
| C:\Windows\SysWOW64\Ngpccdlj.exe | C:\Windows\system32\Ngpccdlj.exe |
| C:\Windows\SysWOW64\Nnjlpo32.exe | C:\Windows\system32\Nnjlpo32.exe |
| C:\Windows\SysWOW64\Ndcdmikd.exe | C:\Windows\system32\Ndcdmikd.exe |
| C:\Windows\SysWOW64\Ngbpidjh.exe | C:\Windows\system32\Ngbpidjh.exe |
| C:\Windows\SysWOW64\Njqmepik.exe | C:\Windows\system32\Njqmepik.exe |
| C:\Windows\SysWOW64\Nloiakho.exe | C:\Windows\system32\Nloiakho.exe |
| C:\Windows\SysWOW64\Ndfqbhia.exe | C:\Windows\system32\Ndfqbhia.exe |
| C:\Windows\SysWOW64\Ngdmod32.exe | C:\Windows\system32\Ngdmod32.exe |
| C:\Windows\SysWOW64\Nnneknob.exe | C:\Windows\system32\Nnneknob.exe |
| C:\Windows\SysWOW64\Npmagine.exe | C:\Windows\system32\Npmagine.exe |
| C:\Windows\SysWOW64\Nggjdc32.exe | C:\Windows\system32\Nggjdc32.exe |
| C:\Windows\SysWOW64\Nnqbanmo.exe | C:\Windows\system32\Nnqbanmo.exe |
| C:\Windows\SysWOW64\Oponmilc.exe | C:\Windows\system32\Oponmilc.exe |
| C:\Windows\SysWOW64\Ogifjcdp.exe | C:\Windows\system32\Ogifjcdp.exe |
| C:\Windows\SysWOW64\Ojgbfocc.exe | C:\Windows\system32\Ojgbfocc.exe |
| C:\Windows\SysWOW64\Odmgcgbi.exe | C:\Windows\system32\Odmgcgbi.exe |
| C:\Windows\SysWOW64\Ojjolnaq.exe | C:\Windows\system32\Ojjolnaq.exe |
| C:\Windows\SysWOW64\Olhlhjpd.exe | C:\Windows\system32\Olhlhjpd.exe |
| C:\Windows\SysWOW64\Opdghh32.exe | C:\Windows\system32\Opdghh32.exe |
| C:\Windows\SysWOW64\Onhhamgg.exe | C:\Windows\system32\Onhhamgg.exe |
| C:\Windows\SysWOW64\Oqfdnhfk.exe | C:\Windows\system32\Oqfdnhfk.exe |
| C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\system32\Ofcmfodb.exe |
| C:\Windows\SysWOW64\Ojoign32.exe | C:\Windows\system32\Ojoign32.exe |
| C:\Windows\SysWOW64\Oddmdf32.exe | C:\Windows\system32\Oddmdf32.exe |
| C:\Windows\SysWOW64\Ofeilobp.exe | C:\Windows\system32\Ofeilobp.exe |
| C:\Windows\SysWOW64\Pnlaml32.exe | C:\Windows\system32\Pnlaml32.exe |
| C:\Windows\SysWOW64\Pdfjifjo.exe | C:\Windows\system32\Pdfjifjo.exe |
| C:\Windows\SysWOW64\Pfhfan32.exe | C:\Windows\system32\Pfhfan32.exe |
| C:\Windows\SysWOW64\Pmannhhj.exe | C:\Windows\system32\Pmannhhj.exe |
| C:\Windows\SysWOW64\Pdifoehl.exe | C:\Windows\system32\Pdifoehl.exe |
| C:\Windows\SysWOW64\Pclgkb32.exe | C:\Windows\system32\Pclgkb32.exe |
| C:\Windows\SysWOW64\Pnakhkol.exe | C:\Windows\system32\Pnakhkol.exe |
| C:\Windows\SysWOW64\Pmdkch32.exe | C:\Windows\system32\Pmdkch32.exe |
| C:\Windows\SysWOW64\Pflplnlg.exe | C:\Windows\system32\Pflplnlg.exe |
| C:\Windows\SysWOW64\Pncgmkmj.exe | C:\Windows\system32\Pncgmkmj.exe |
| C:\Windows\SysWOW64\Pdmpje32.exe | C:\Windows\system32\Pdmpje32.exe |
| C:\Windows\SysWOW64\Pgllfp32.exe | C:\Windows\system32\Pgllfp32.exe |
| C:\Windows\SysWOW64\Pnfdcjkg.exe | C:\Windows\system32\Pnfdcjkg.exe |
| C:\Windows\SysWOW64\Pqdqof32.exe | C:\Windows\system32\Pqdqof32.exe |
| C:\Windows\SysWOW64\Pcbmka32.exe | C:\Windows\system32\Pcbmka32.exe |
| C:\Windows\SysWOW64\Qnhahj32.exe | C:\Windows\system32\Qnhahj32.exe |
| C:\Windows\SysWOW64\Qqfmde32.exe | C:\Windows\system32\Qqfmde32.exe |
| C:\Windows\SysWOW64\Qdbiedpa.exe | C:\Windows\system32\Qdbiedpa.exe |
| C:\Windows\SysWOW64\Qjoankoi.exe | C:\Windows\system32\Qjoankoi.exe |
| C:\Windows\SysWOW64\Qqijje32.exe | C:\Windows\system32\Qqijje32.exe |
| C:\Windows\SysWOW64\Qgcbgo32.exe | C:\Windows\system32\Qgcbgo32.exe |
| C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\system32\Ajanck32.exe |
| C:\Windows\SysWOW64\Anmjcieo.exe | C:\Windows\system32\Anmjcieo.exe |
| C:\Windows\SysWOW64\Aqkgpedc.exe | C:\Windows\system32\Aqkgpedc.exe |
| C:\Windows\SysWOW64\Ageolo32.exe | C:\Windows\system32\Ageolo32.exe |
| C:\Windows\SysWOW64\Afhohlbj.exe | C:\Windows\system32\Afhohlbj.exe |
| C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\system32\Ambgef32.exe |
| C:\Windows\SysWOW64\Aqncedbp.exe | C:\Windows\system32\Aqncedbp.exe |
| C:\Windows\SysWOW64\Aeiofcji.exe | C:\Windows\system32\Aeiofcji.exe |
| C:\Windows\SysWOW64\Ajfhnjhq.exe | C:\Windows\system32\Ajfhnjhq.exe |
| C:\Windows\SysWOW64\Aeklkchg.exe | C:\Windows\system32\Aeklkchg.exe |
| C:\Windows\SysWOW64\Afmhck32.exe | C:\Windows\system32\Afmhck32.exe |
| C:\Windows\SysWOW64\Aabmqd32.exe | C:\Windows\system32\Aabmqd32.exe |
| C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\system32\Aglemn32.exe |
| C:\Windows\SysWOW64\Aminee32.exe | C:\Windows\system32\Aminee32.exe |
| C:\Windows\SysWOW64\Aadifclh.exe | C:\Windows\system32\Aadifclh.exe |
| C:\Windows\SysWOW64\Agoabn32.exe | C:\Windows\system32\Agoabn32.exe |
| C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\system32\Bmkjkd32.exe |
| C:\Windows\SysWOW64\Bebblb32.exe | C:\Windows\system32\Bebblb32.exe |
C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
C:\Windows\SysWOW64\Bffkij32.exe
C:\Windows\system32\Bffkij32.exe
C:\Windows\SysWOW64\Bmpcfdmg.exe
C:\Windows\system32\Bmpcfdmg.exe
C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bnbmefbg.exe
C:\Windows\system32\Bnbmefbg.exe
C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\system32\Belebq32.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\system32\Ceqnmpfo.exe
C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
C:\Windows\SysWOW64\Cmlcbbcj.exe
C:\Windows\system32\Cmlcbbcj.exe
C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cjbpaf32.exe
C:\Windows\system32\Cjbpaf32.exe
C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
C:\Windows\SysWOW64\Ddjejl32.exe
C:\Windows\system32\Ddjejl32.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5176 -ip 5176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 212
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
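Every row in the Network table is a reverse (PTR) lookup sent to 8.8.8.8 (Google Public DNS) over UDP; the section records no forward lookups and no TCP connections from the sample. Before any of those eight addresses is filed as an indicator, an analyst needs them back in dotted form, and needs to decide whether they came from the sample or from the guest's own background traffic, which this table alone does not settle. The helper below is an added example, not part of the sandbox report or the vendor's tooling; the rows are copied from the table above, and the function names are assumptions of this example.

```python
"""Turn the report's in-addr.arpa PTR names back into IPv4 addresses.

Added example, not part of the sandbox report. NETWORK_ROWS is copied from
the report's Network table; ptr_to_ipv4 and summarize are this example's own
helpers, not sandbox-vendor tooling.
"""
import ipaddress

# (country, destination, domain, proto) exactly as the Network table lists them.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.143.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "183.59.114.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "44.56.20.217.in-addr.arpa", "udp"),
]


def ptr_to_ipv4(name: str) -> str:
    """Convert a PTR name 'd.c.b.a.in-addr.arpa' to the address 'a.b.c.d'.

    The octets in a reverse name are stored least-significant first, so they
    are reversed before joining. Raises ValueError for anything that is not a
    well-formed IPv4 reverse name (wrong suffix, wrong octet count, octet > 255).
    """
    suffix = ".in-addr.arpa"
    lowered = name.strip().lower().rstrip(".")
    if not lowered.endswith(suffix):
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    octets = lowered[: -len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {name!r}")
    ip = ".".join(reversed(octets))
    ipaddress.IPv4Address(ip)  # rejects non-numeric or out-of-range octets
    return ip


def summarize(rows):
    """Group the looked-up addresses by resolver endpoint.

    Returns {"<proto>://<dest>": [ip, ...]} so the analyst can see at a glance
    that there is a single resolver and which addresses were queried; the
    is_global flag marks addresses that are not private/sandbox-internal.
    """
    by_resolver = {}
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ipv4(domain)
        by_resolver.setdefault(f"{proto}://{dest}", []).append(
            {"ip": ip, "is_global": ipaddress.IPv4Address(ip).is_global}
        )
    return by_resolver


if __name__ == "__main__":
    for resolver, entries in summarize(NETWORK_ROWS).items():
        print(resolver)
        for e in entries:
            print(f"  {e['ip']:<16} global={e['is_global']}")
```

The reversed addresses are what to pivot on (passive DNS, ownership, prior sightings); the PTR names themselves are not useful as indicators.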
Files
memory/2416-0-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kebbafoj.exe
| MD5 | f0be9e216f6076c651fc7f8e5fcd8bbd |
| SHA1 | 86e5ba5dad0d23b6aad2faa2ee1dbfca185fe2be |
| SHA256 | e1deb02c1a8948cbc604b5ec98807d9a83f72731eae4e5476497a5de58070998 |
| SHA512 | 6d4718fc19b625740cef9f7d0f5b7136c061244dd5a5c7a18ec58cda7516ca5eb4cf5e9ffde8188a3919c0b4d45a8d0008c2f0bf3b980603782854b166aa8f5f |
memory/4336-7-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kmijbcpl.exe
| MD5 | ca647fb7a04a4d689d6594dd877756c8 |
| SHA1 | 5ae24aa3c4161f252ff4b6c65609ea09c26478ea |
| SHA256 | 8a00eef9a1508356649e6c7a75a0fffb6e927bc7e46174f8f0fd644f219b900b |
| SHA512 | 20e75237a8d4ce31a926ef343a5c6c5f08cf3aaf78d1417f3bd13f53c7deb6adb53379ddba0b119ea92ba71ee43ba5028c4c2995ced6b214712644c6efa07d56 |
memory/4860-20-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Klljnp32.exe
| MD5 | af9c304706e76806e1af97b8a551f6c6 |
| SHA1 | 037bcf0c326bb93cc43b69cc49508c47ab7f7dcc |
| SHA256 | 0658f96cfe33a06b3cf612748942baa83013dd702eee555cbe13b46869571468 |
| SHA512 | 3bb04d6302e719b0fc1d6011ee219bbb7a3e56b6410a2deee65dae8607c484c9d67eedb63a2d74743d183e83b7e7e95da1f4c0d247d55034e79a1978d6ae7ea1 |
memory/4976-24-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kfankifm.exe
| MD5 | ec38b6b715052a56bde92e3898150bee |
| SHA1 | 79fc9b3f7d05e1b374652c46c7844b68887dd055 |
| SHA256 | bf978efc67d3962220a6ece1f92280c9533e0e1ae81b8f6e4a2ec6c7192638f5 |
| SHA512 | 77bf1ab1d1dab105cd641596ebaf003d81477e0fb913e5a49099a819838965d561823b45d0f8188a190a28d7472e1e4079c0a3e51e1b434a0d5fabc69cb8b6f0 |
memory/2160-31-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kmkfhc32.exe
| MD5 | 0c5379817b0c10f5b248ce2c9ceac178 |
| SHA1 | cb618143be105d3d58ce43986767627a13767f84 |
| SHA256 | aeab860933fd765b3d3c8a0afe969192cf144d2a79ddfba93b5d75b715aee7ee |
| SHA512 | 15c6af16933674cb501e744e0cf5d105ffecd3d6e5a870a742841ec3e68d1b56e4d0480fe3ef1742447c365230e5fb6adf2c4433c30eeba80004b3f2fc8efdcc |
memory/4004-39-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kdeoemeg.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Kdeoemeg.exe
| MD5 | f0093c7d7f2840c9059a3412a3ed41d2 |
| SHA1 | 7bb0a17132973fc9024aa327641f138f4a49359c |
| SHA256 | d990ff3c29fbb4d64c6fdd50f42954bf1342ffa3649bee793fc1d1f518c43994 |
| SHA512 | 3946cdc2dd9eae65957aa81c2e045a7f356dbc9d2e4f32835615e49276f3a4d9381facec36d35c48f00a5c6a14e3406cb8b385bc520363d3312f31c0afbbb4a1 |
memory/4416-48-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kfckahdj.exe
| MD5 | 8c94d1531233713beb379a6a46c63ae2 |
| SHA1 | 329a505588b13c7891f8e0b5b0a0b9d0cf7f9072 |
| SHA256 | 537563373b9b4eb8630a6fb94f61b65fb4dccd3a5bc3c5bc685e47b7ad31da71 |
| SHA512 | 16a914d7aeaf993d2f6ce7ffae6c7bee35a145096f7f3d63f9d1fd12ea57a5e89f0cccf27599d76839e6268dfb01e3313c3d27aebdc94abd6edff79e4bc61a28 |
memory/4120-55-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kibgmdcn.exe
| MD5 | e05caf54b1dd396c3e278be55e471964 |
| SHA1 | a9b27c9cc0dbe121788a6008a99c41949ac01759 |
| SHA256 | 0c5c9ff1b0b0cf1880eb0a2d4798e8f8170587392c201fa20d8749483d568e3b |
| SHA512 | db41795ae6e9cdbf8a675448c93c0a2752821943485c21c433981a6a24d57e357f9375864d3f7630e052ae092339feaa47141d993d539fbacd4b27f7eeb73060 |
memory/1144-63-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Kplpjn32.exe
| MD5 | 132bb869cd1000d7f527f4f42b54f898 |
| SHA1 | e5f7bbc4ae72817eb1ba124035609b5c5fe95e19 |
| SHA256 | 68d66334806931a9d79f0eab9c3c8773bc431a06cf2702a1fa3b62be4b258ec6 |
| SHA512 | 8cedeca815d8948d800c5485f8f7cc65ab76bc1b89d236c8cc76533bb0d2970de7a02c6aaa6e0c93f2ee62fbf7f43f4922c3915be4066c0dc2bc83fc9568eecc |
memory/1624-72-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lffhfh32.exe
| MD5 | 73d3c31090b0044976b7a1ad92e715b1 |
| SHA1 | 691c24a0d27f4181cc9bf1773275089b44f4a6f6 |
| SHA256 | d7a60ae12503ee6c48c83b115deaf81780504102e55884389c954f26f856464a |
| SHA512 | 5725ed67b06e517e4232004dc79c2615218c47811523e6df3b0a73d0babbf6b142f794f1ecdfc3df4cc509e61f40d46c591d7ef8f244d839d9160252725259b0 |
memory/4644-80-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Leihbeib.exe
| MD5 | 49ebf9afedffa8620d164b42c30f235d |
| SHA1 | cee0501d7c297075fd3fd33c137e0941e7c05199 |
| SHA256 | c50a21284149fb4fc7ba992eb5a13136d5757c7a10c369c46ea7a0ae7665cb89 |
| SHA512 | 3ad10841bf850503ff7658c856590c29772719014c00a1c0de44a88860f46069893b2a7f85feb6fe298bcc82a0edd77bf2cf15a7a434563cb0d347c8c4be9541 |
memory/1112-87-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2432-96-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Llcpoo32.exe
| MD5 | dafeb091504d425af3a5c8505482f30f |
| SHA1 | 11261548c44a48e96d30cf5fd4b1c3b206756bd5 |
| SHA256 | 563076d57b61180d231ebf7aa83e9eb3d4ed0434d669835d7d07ffe93fb3d187 |
| SHA512 | d0262ce4dedf0afa6c5184108d0cf438bed3f942efc6c275bd4df9c629d781efe6382af47c324c73b787e788bc43d2e044b5122f24550c4326d2f61cc6dfe317 |
C:\Windows\SysWOW64\Ldjhpl32.exe
| MD5 | 75c6276fa43675d9337bb098b8b4582b |
| SHA1 | 392f1af7393ae6e08406c1dbf4b1ee564ae795ad |
| SHA256 | 74f0c31d9765607fa71d0a70a0d50802309b869051715113ddf46b439ad2de46 |
| SHA512 | b81e0d0f3437ad12f7eb43f1e36f99a34f74a41861b6db09cf163c01c1b8ea0350be9c01c1149de69146d8e605e6783f9b98dc8535df39926c5ade5893cb13b6 |
memory/508-103-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lfhdlh32.exe
| MD5 | 2a93d10cf2868439d317668ece7aa8ab |
| SHA1 | a21c057165c2bdeee453cfed095195237af4e24d |
| SHA256 | bf4a27ab5a72693a69782117e45035a5066e1a869b056ae0ba3fae7636ba7e51 |
| SHA512 | e855cc0d9e653071a0afb09df1ab47f84598134eacbf41ea04d34b50e1a738a373afbce42376ba3297ecbd8f031394c55ea4000b4d3b9f13ddc10e9878f9ec90 |
memory/4244-111-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lmbmibhb.exe
| MD5 | c518997488520799ea36dd6954c655dc |
| SHA1 | 4d82600417d38f1b8b47b262bf59b0c9bec97713 |
| SHA256 | 4f3a0e7e258f175e6b27c8bffd5984d44fb017e7851b24dfa6054252610b914f |
| SHA512 | f9c8b9f8c0f01f3a80e6e88c3da231f9b9ce89ff7e0fb2efcb32cf6f425dc6e34f000168410e8d801c4d245b5625ec8dd2beda9987cb87a967a5565b603d06c6 |
memory/5036-120-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lpqiemge.exe
| MD5 | cc4f3aac85dcce397da9ff0ab3d931c3 |
| SHA1 | abaa2438bc7938ade5f041ddd6f516b4d38b90b6 |
| SHA256 | 37d12c70fa36cff59a7e374820bdf5ee170ec6eb597018099ad9a8b3a03a4f95 |
| SHA512 | 3e9eba2c45f513361e71b3bcb700f39858a246a04756970f40086c44365a1df70830f58df0dcd51dac5e6b1389d93057ca82a42efa50bed12a0f58d88e940a40 |
memory/2948-127-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lfkaag32.exe
| MD5 | cb7de8fca24e6312a9f9b79757d7fd48 |
| SHA1 | 12297895a3b32a3e705bd45e3147920444603190 |
| SHA256 | 7f1d414f5ce31276e40c4ab30f8ec39e25abdbd1b589fc863052f581a5be8691 |
| SHA512 | bf9dda93c4f08dfe9c73a34806b0cc7d36b1afaf6cc4c424db54a4de929d7127f3050618e9f73e7e3cb2c14099bcc167c034c6893c21788e90690ee95c2199cf |
memory/3008-135-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lmdina32.exe
| MD5 | c49556ccfb57e5f189c04ae9b0510cd3 |
| SHA1 | e3710124a419b5db639a00afb14c5309081ea818 |
| SHA256 | 154d6229c7e949b8bb3457471979e3aae363074ee866ed4ed6c0f67789f07642 |
| SHA512 | 6ab56c1e9e74a11013c6a4955e48e8ce661982f8b0e30789527b72131c92ed3761171b7bd60e809dd1b2dd0d0d795fe0a30d78c176ae238361c9a59ce055dea8 |
memory/5072-143-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lpcfkm32.exe
| MD5 | 771d8c23ec868c589d9f1df1c06f386b |
| SHA1 | 936d61ed6d4ab98bba46d9c5dd6a456f3d110800 |
| SHA256 | 848c8f2c8d7004636edb66ef208f7e88c4adf40b6ebdf2a91386c985b8564297 |
| SHA512 | 566b92164918d05b655bf05e814bc152a63d07a7cb953a2ccb470cb88f1fe20c69dadc42a4350c7732c57b07367de86021a2124f87d45e418f554241773d1420 |
memory/4144-156-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4604-164-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Ldoaklml.exe
| MD5 | 05620fa97183d2863bdd068b0cc6ecc2 |
| SHA1 | 1de95217447e56450d3db8200968f90c0abf918e |
| SHA256 | 1c5280c53f1fdf07a0c514301eb6d4e61986cc8fa1c0f044f5757f2c370d6640 |
| SHA512 | 1873d75ed15df9cc7e2745ce77ffc1bff880e4213b0f0a7b46ba63376f077f5a48ef50c831e58a5d236935a237c3c4799aab60a64b2048ffbb64cdb0049b49cb |
C:\Windows\SysWOW64\Lgmngglp.exe
| MD5 | 159e432f930acb6f3572ead344382ef1 |
| SHA1 | 5b15d86e053155783223fc557c5c097473180371 |
| SHA256 | c7c13036999c2fdf3bef93a7fb8330a20da87b3c1a8527ddbd99dbe49202f98a |
| SHA512 | d1ec0a9e3b80d1c25021e14db3f666d8bbff063a706343cfc6d4e0f0be795fbf2a32c4aea6b4a1f8f63b4e35b21dae4d6b0e0102fcb7216da6ffc1e37f590fa2 |
memory/3796-169-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Likjcbkc.exe
| MD5 | ca57c229c775244a4aebb4a5f1b08598 |
| SHA1 | 3259fc3b632fa8ae1e6cb6bbae19a3a80193bf76 |
| SHA256 | d9c53b7b0a86c569251a52f669199352f94c21ce58b56c7931e25550a8264c74 |
| SHA512 | b0aa3fd9dda98d18dca98d51d6c4e3b9b9677b7a14201f0bede6a9d2722b2a8d514272258be22cf8562444c40be1ee531b0ad45a4b17f8677f3224538c5ca312 |
memory/4932-181-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1772-184-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lljfpnjg.exe
| MD5 | 0f2d56ebae7b2e94568dcb3ad4611f89 |
| SHA1 | e79f8924895fb3666f5124e62a985b3bb1c88c4f |
| SHA256 | 8e478e1b66b10731cef86ce46e6d24e28396ad3c6290640e910545c66911c815 |
| SHA512 | 5d76cde096b302001e85cf49ec0df47b34a8f177ed9a2c729e3e67d803aaf08006c50cdaf46e802e7c2e977938822c096517bcd4cca45385195148de13a84d1f |
C:\Windows\SysWOW64\Ldanqkki.exe
| MD5 | cfa5456042ad91b4b14c4ad88277ba36 |
| SHA1 | 4a5f99a6830c87d33846dd8239517c85156fbf88 |
| SHA256 | a0f1108de0df980ff2d7aed2ff54ee2b05a945b9dab85b4d37625833d9adebe4 |
| SHA512 | 7a316cba3b2374686c301c85a3a66a1f94a4717815e253df825b03627f9c4afa1d3aa88c53ebac32feab2a1b404d125650ed651128479d83b0c278da0d6898ea |
memory/3144-192-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2644-199-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Lgokmgjm.exe
| MD5 | ea639d50994b7b00473b809685af53cd |
| SHA1 | 4e319e5d3b5c0970fdcd48eb61f859487b56cbfd |
| SHA256 | 861820f6676726c8f3efd8953f71cdbdf1a9127a02862cfe3d078299ac748ba0 |
| SHA512 | 8e4411bda89a3c7048847306dec17a7049a128d883b26945923514c2a44033dbad60cbdf641073362c8a217c02b2edf7fbfdff5d680a9716429529ef0f4a5e98 |
C:\Windows\SysWOW64\Lllcen32.exe
| MD5 | d57fdbff7105d86f6b07a86952313fcc |
| SHA1 | 7eed85a95f06a6f5831def8a7fb6a13223ab0f7d |
| SHA256 | 5d52f06c1982019835f4d7852e462420411090f9252384e194877dcdebd4f84a |
| SHA512 | 86952ab397b3edf8532f58868095d7e2e2d3549a4a8471be7510c6b723558771c4e957188e07c6b5ccc3c1d3d9f74f7653869549f4e66473dba45658ccf930eb |
memory/3600-207-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Mdckfk32.exe
| MD5 | 55df68f6465dc7d7eca2372d8668df0a |
| SHA1 | c6653211712dbcc4f5a54d63ba6d2f19eb8a054e |
| SHA256 | def0ed1909ae4f4f7bd3842d5d5bee6e293e49f823e856c5ac51ae827578a726 |
| SHA512 | 82992195282b4ada1f790c6db1d06b325b70a93d9d3b40fb90d987c8c42ff21e2704be1ebe21711ed1b6ce1f802798d81f6b9b7cc9750e09eeaf9f59ef3c1990 |
memory/396-215-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Mmlpoqpg.exe
| MD5 | f3e74b5bd13d81bfbed4c32ff784143b |
| SHA1 | 12c139d76b54e87cdfe81e09da9cbfaab5851e4a |
| SHA256 | c15bc78c335ae3a7c076f0bab2dcabdf626176846e9488b57198c379e1d076cb |
| SHA512 | d1ace3b17fdb6b48d63bc22ab8cbd7c179523c63b29a48724c681875412f1d2c3f7a4843a8e80e1e76d7ca7439d22bd0c309c3338a3199f2f615618cd0dc51d9 |
memory/4652-223-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Mgddhf32.exe
| MD5 | be8b6559ab0e60d3a52bcf7b5bd44c4c |
| SHA1 | 4c833f023e2d37055909ef3f82b863fcb05aa543 |
| SHA256 | 80d218b2467ab79315dd88deda4fde613904f8ea74ef548893b654007ba36df3 |
| SHA512 | d2c212048ec4c08155d7547e870c5f6631365e33e7d2a0247984f07ce923a01a3ab61f51792a6bf0447c9d7133524752b7e71e897a036c039fe59cfe30350e14 |
memory/1976-231-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Mdhdajea.exe
| MD5 | 390b21d6cfc7ef12bbc2b10788b614c0 |
| SHA1 | 9c5694af898359dedf3ca3fe8834cc8ab4215267 |
| SHA256 | da054f3c8986f86b366456d4a980b94b3022c38d9a7bdbf754ad4aae022263d8 |
| SHA512 | e095a88c04b5e8cf28f464bc3da0454f34606ec1974d01f9d16b0b221e5f7233aff33e7e371500bfe87f71cdc2786db713235251d52224424b31064eae6e362e |
memory/1932-239-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2976-247-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Mlcifmbl.exe
| MD5 | bc3b5c4ac6da7008917eeb24ae99af2e |
| SHA1 | d23605c7d17f50b6633c2c5051507e42a48bcd85 |
| SHA256 | a7cbe44fcc4437f7b6cdc023c2b2dbe2cf6c98fa4e268fbfd45d6772b22cceb4 |
| SHA512 | ee32c69a761a2de5d7436607abcd1755af59ecfde7e52d78db747de10b158bf1a7f2cbbc3ea54ffd093d02a6fea44c16f2784505ecb12400ca5646adff43e141 |
memory/5012-255-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Mmbfpp32.exe
| MD5 | ef9066a85e8a7c573bae1d9b751cc018 |
| SHA1 | d854555464975adedfb9bacb6636339bb6a42b22 |
| SHA256 | 4688ef2b95771550cb9c13a91947a401661f95d365fad80e99b9434a54a96914 |
| SHA512 | e4931b5890aac207ee92bc9db20f7d74125f9e8a7c6ab5e11f3627464e0115de9f4a59ba0efd00a4d770ffd647bea38572838c8e2c1409497a8f34a6d68f85e0 |
memory/3192-262-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1764-268-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3116-274-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1260-280-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Npfkgjdn.exe
| MD5 | 962c981d7bd19b148d409d2b90f20a70 |
| SHA1 | 182053462dbe98304a0f1dfab895227f4b560c59 |
| SHA256 | 4759eb3fbf204d5f3f5fa0e0697c80910a5e8f199f9ea435a2e9a9b72b85181b |
| SHA512 | 5d8a1d8bf7c13fcd3e09109a82cdbad499eef3831b5810f737cfadfdf260f994aeb23a28b59242a30237d226bfda0c973bfcfc339cb7a2c958011df5d246cf82 |
memory/3044-286-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4720-292-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Nnjlpo32.exe
| MD5 | 991d65342d74a2df51d49f891d55a092 |
| SHA1 | 8dfb179780a7338addb26680e5d39b69a7f189fe |
| SHA256 | 80643edfbb425e250dc307f530431166f2020432f064e355b439f29c39fd7923 |
| SHA512 | 968277209b5e8d24dc1fef12bb7aba13790ff8079acabc793673f157180876ff3329e64594a79bf1cd0e095e3dfa3eaa72776e475942fc7bb08fa2738ce0da73 |
memory/4264-298-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3304-304-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3352-310-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3396-316-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-322-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5044-328-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3472-334-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4948-340-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1708-346-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4584-352-0x0000000000400000-0x0000000000438000-memory.dmp
memory/528-358-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5076-364-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1588-370-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Ojgbfocc.exe
| MD5 | 37b26c77e9f5b957057e00e1e0833169 |
| SHA1 | cd6d3940c8aea5f03fa96fb62c33d7d054dc5a6a |
| SHA256 | 94be2c06792fad6492970062e00d34573a950b13beeca6d598ffe645f882162a |
| SHA512 | 55856b1955f0f22c3dbc4c8b19e1f3f562b5f0a8e21156b10e17237322003ebf0d1e35f1e7a79acccb68eba5d2ecd744da3190658553e2925bddadb1ed2eefee |
memory/2440-376-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3476-382-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Ojjolnaq.exe
| MD5 | 1026c139c535fa8ac250f06fb014611e |
| SHA1 | d8bb27021e37bc5c9b44fb15b8b6078b18adafee |
| SHA256 | 8b65d20e47621f47ace02f232c9ef0402d1a81da027ed5bc967f0f06fbc7eaed |
| SHA512 | 246fd15d0b6c68fe9efa382dbf2283abac02389ddd95c987b6c1831a0521e44f18486b7cd9ed4e0d7a09032ef0a0fbba5171110de69d5cbeff73a7386016eec2 |
memory/3948-388-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3332-394-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Opdghh32.exe
| MD5 | 709e8232169737171778b545f262996d |
| SHA1 | 71913b84768932848bbddc96dc61163ceb6e1561 |
| SHA256 | 63d4f539700a14626738cf7d9114bb9cd27f79308b84d3c812d1292c94e8f3d1 |
| SHA512 | f5645b04650b4a75dcb795f219ee5d23765f50424fbbc1cd9a826170c0192457551aadd151d4ff8da5c1bb954af1adb6a9031a30504a1246c8fb76bc6c3f94e4 |
memory/2400-400-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4568-406-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1240-412-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2000-418-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4280-424-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4756-430-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Ofeilobp.exe
| MD5 | 48d56349a8bb6cc6213bdb5fe3ea8ea9 |
| SHA1 | b364073ef8ae1628b3ecf836e33e49eaff958904 |
| SHA256 | b02041daa3dad73496ce9b84aba2fe491fcb8a959a23b37d53a81ea301ed971d |
| SHA512 | a32500b26b59a5f3ca37105a04d1dee67dba2b3e9dd0f8cac4e5aa6b68eef1e24a904c6436e90dc6d7d502c801608f6ac14e868574cf62c10ecf130bde835fa3 |
memory/4380-440-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4816-442-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Pdfjifjo.exe
| MD5 | 6a74010a55ef4b3f1723b25bb81bb3e7 |
| SHA1 | 75eadca375b12753a9b592df7c9dd2a9b0c8ba13 |
| SHA256 | 35861a7e6660992cfb556e65edf5ab14f1dd265563e9063c7438bd070f495aa1 |
| SHA512 | c8a131ed8d8f6febc0f47aa7cb06d4da334063e3b6eed664ed66c074eec85fe2a86f38e18e06b2138c2b7ea17194f8ebed7baf05ee83d487bcbb3adcde6eb59e |
memory/220-448-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3636-454-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2304-460-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Pdifoehl.exe
| MD5 | abca05b4cd01bbcca8bee5bcede21a0c |
| SHA1 | ecad6193e8045648faab80177b8be7aa1f403fcb |
| SHA256 | 2694865ec27d3da0893287250851d09a3baf4c1a2c8e5b8a43a255b80d9355da |
| SHA512 | 8e057a49392192b44143b235ca970ab93bc0e70e882688fa3da790614f5b6c1a3afc0b334e308d6a35ba1203ab861d577f38d3726a4dd4f99f9c226ff581b776 |
memory/4636-466-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4760-472-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3108-478-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2692-484-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5092-490-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3920-496-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Pdmpje32.exe
| MD5 | 92ada8e4fd9becaa6221bc65ae099229 |
| SHA1 | df00f612ae9ed6cf5e32de0ae0ad26dab170c6e4 |
| SHA256 | 0f95305371757cb5a4a88fa1ae46dab08aa6a04610fb9e33c1de690ef64ae1c3 |
| SHA512 | 2b3f3848c9e9c7d3203a57778d6c21c98b134272530b48addc6ea619d21329e182ef3cb4c8e5698c7a0c9cefa4f22660420829998e7cab87822e2d032d6c4a4d |
memory/1220-502-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1076-508-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4952-514-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1416-520-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2552-526-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Qnhahj32.exe
| MD5 | a6943da327fe321f0c0199be6377354c |
| SHA1 | 45010c87b9852442b0842023536d447eabb893e4 |
| SHA256 | 637789bd87fa21f61b9100e65647f4a2df9ea230b8d7deedc9b1521fb59fb6b3 |
| SHA512 | 6b730306311ab4472d5f717fe1a3fb35addc895d51302ff60fb7c139dcdc4c466ea46ce22e5993f04c4184b31ad7ed771cc3db3c9d2529fc3d0b246702d71062 |
memory/4320-532-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4352-538-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5100-545-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2416-544-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Qjoankoi.exe
| MD5 | 849b9266007c41283ac47398c5e02669 |
| SHA1 | 995beece4633ad62ce194bee6eb59696605bbfbd |
| SHA256 | 2045ea4a2ba8ec84d7677297cae8a30744857a93b140688cd1a14b284514fefc |
| SHA512 | 8b87bba90a987cb485ae9fe468ced7ea51b37bec79c24338b8ffd416f714dc841417983ad179f2e4ba30bc8e0cb4f380bf1e6ada1dfb6cb860b4fcf2b90a87fc |
memory/4336-551-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4596-552-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4860-558-0x0000000000400000-0x0000000000438000-memory.dmp
memory/756-559-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3488-566-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4976-565-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2160-572-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4052-577-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4004-579-0x0000000000400000-0x0000000000438000-memory.dmp
memory/812-580-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3360-587-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4416-586-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4120-593-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4572-598-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Ajfhnjhq.exe
| MD5 | 885136f2d4f8eadcd5cc0b2c69cde1b1 |
| SHA1 | f683fa321e1d66e12dd77c933488151e09d4c040 |
| SHA256 | 6e21ceb989c6bee52f50f0d2b648e87cf9f177d91ed8da6883774f921dd1a1e4 |
| SHA512 | ce5bd989ad60eccddd99582b16a36f3588af2c1cd1931768e0aa20a15d4e76c7d6f48a330f58c670965eecfd9ea6a3785b8a5b2e6cbdff55ee150224005c5e4b |
C:\Windows\SysWOW64\Aglemn32.exe
| MD5 | dc17a1bca5b521d535545b8039452ff3 |
| SHA1 | 55a0f62255dd21b8a4793bf3cc50d3670f6e7ee8 |
| SHA256 | 7789ad2d7f65908f916d672c5e65fe87b40fafdafe65307b3b64717f1dd32e9c |
| SHA512 | 0c67b248fffae2f7e6f7df990e812101fd2230651de39c30734a25af2c8e3ad1c8933cf8cf3e767a0bc2396bb86a810a725b73ff00d028bd31c039f12f2f150b |
C:\Windows\SysWOW64\Agoabn32.exe
| MD5 | 22c2213293535a0542cb7ecc034d66c2 |
| SHA1 | 1a4e7e5f7adf12942f42d642c8b39fc1717606da |
| SHA256 | 31320632a300fdafc522ea4c25bb6e4bc0b9b9956468dd4658f1a3a4d38d8c53 |
| SHA512 | 3e7739d191b5e68921a706227e8296424e6f7ba2c8254f75d12a7c778687734250dba89b9642e0513f8d3a9d17a6c3e4dc2dbc6e7630fa717ed3f77d8aefbc84 |
C:\Windows\SysWOW64\Bnkgeg32.exe
| MD5 | 158961c7ca9f4481fc7cab2985ce882b |
| SHA1 | 074584ce4f429101ce45bbf200ba4367e4de563a |
| SHA256 | 84283451440088cb8e449cf9a5fbebf558464847eec9e94f25a066ffbc2823b7 |
| SHA512 | ebb171b636647d3b3959c069df5f09e52ccadcca100312042ac435ff10929c1249e547e9f303e09c955fff6a4c3c83f89acc11fc720f646486fedadcf498ff9e |
C:\Windows\SysWOW64\Cjinkg32.exe
| MD5 | 6ffd9036c644ce0aa1708ee78ea40118 |
| SHA1 | bade509d997d2761819e7067deea5fe07c7f8898 |
| SHA256 | 7387f3e3183aa2ffeb1a45b66de582a4a2357045437c8fe22c61e43bd7ac5fbd |
| SHA512 | ef8b9ea13a3218c3ef3a2b0023c4be0762644d1495446e3a616b18b98a0ce3b8e294ea710294b5df938b0050e11f213b0cdb35bc0313175486e2b7263a771964 |
C:\Windows\SysWOW64\Cfpnph32.exe
| MD5 | ad5906a5c4e6d8022ea2dc3f592a1731 |
| SHA1 | d7bdca50e71cb2ca2515d55551d9e2b3731e7a20 |
| SHA256 | e90d3f4e7b23190f006c2ffddc6ba91c0c684c4861448c6f939a08330f915c30 |
| SHA512 | 70a4ed31e2aaadd0c746e475848ef591dce937072278573e3f5e032c0ca4810b55bbf16badced941ebd8fb504b83e3dc4a5ee990f6c961c55fd809ee2b303434 |
C:\Windows\SysWOW64\Cjmgfgdf.exe
| MD5 | 7bc1743e8dec54e2a30fba32138fb789 |
| SHA1 | 475f47971685d52127296b609fc00384b63bb3b8 |
| SHA256 | 759d8279b50ad117197d5acd4788f5db133cd0eecfbcd7814bfcdfd16f6c7188 |
| SHA512 | a7638a7cf3602bd3e74e05a023600123dae4f6557945b39fb93e1ee3c91cefd1bfa44edfcb2ae90840390c20138df66b14e8f49a9980bc1a590d8e011e44277e |
C:\Windows\SysWOW64\Cjpckf32.exe
| MD5 | 13eb94276c027523123ffa7ee61feb01 |
| SHA1 | 7c394a373aaeb7742e11a9fa8ac791f5d891f3dd |
| SHA256 | b6fa50b318c90b86ea86f808a3fde6b28ed0721dc24c5a3976dd18eb426a4390 |
| SHA512 | 9084e16473ccb6fcd2b793d63efb9c8650ffd295dfa199a0620a8957cbc53906ad9fad4511e3926ac0260c17f92e82ab7f8acbc23eed42a8bf4cf5fe61b5022e |
C:\Windows\SysWOW64\Ddjejl32.exe
| MD5 | be0d68c480ff546806d1e57e1c7bee9d |
| SHA1 | 142f0158b4ba5bb90ad393ff3bc718e7dd9cee63 |
| SHA256 | 67e10fa77a01edfcdd75ba56b3d9a14f35cfea08e568744c5248633fd6b5cc9c |
| SHA512 | 6db71c75d7cb9f26fd1002b8852d880add573023c0a003c4d8c1b6c25c8a93a9ed64d1c4088409eb5bac03c05aa735a682f2c36856a8598b68d9e55c2302d11c |
C:\Windows\SysWOW64\Dmcibama.exe
| MD5 | 3d5545f2a0fa973196e932f423c2c936 |
| SHA1 | 70fc3ac5c4675bfdea617546d2f4858c289d9866 |
| SHA256 | 32ad554ec8f851db283a19b81cc3d4925bea97c57e8e08ad3c51a2f74c467fe0 |
| SHA512 | 210c92cf86931b266ff762e266379a15c0e8218c95b8a7d83b2da1d519861caee44f2315e8a99c2bd662d878cf65308b137bdad4f6f2d33930b9516c21d8464a |
C:\Windows\SysWOW64\Dmefhako.exe
| MD5 | d5dd3d478220d809a4f2cc3f9a036754 |
| SHA1 | 2bc184779999d3e604af443d4f4355670a75d4d4 |
| SHA256 | c1f117c29e2496fb9e74588b96acd31e67f409a69a0cc4790de42f8e7c98ee18 |
| SHA512 | f619f0d931b54bf4f4a6ea89fe58860f0c4cac405c078e1bb2cf8058fca09e0a856ca6c7aee39b43403d6b0ea7c988018ea74170a38463a59d6619e1a4978a73 |
C:\Windows\SysWOW64\Ddakjkqi.exe
| MD5 | 0459c375f9a0cb2789bf3025c0d14c69 |
| SHA1 | 75a3cc83f3a077dae39b47bcc7fedfd4399a5d19 |
| SHA256 | e9bb013e93353ccfa4e9e204f9ffcc25e6f189fda55588ff97ba989dcdfabf01 |
| SHA512 | 58de6719efb595dbd35fd4d7a3462882b887898de8a65dc69665f7ab26e3269a82c92c55b8b642784c2ebf34e69dc6647a88891048da5c55a0dd2f1840073560 |
C:\Windows\SysWOW64\Dhocqigp.exe
| MD5 | 6c7bb7db97126c74d09e54d6d0d89f51 |
| SHA1 | 9376db034e6f10e769d9e5daf86b99c57d7de6bc |
| SHA256 | 9eb780b87dd64777c25baf782bba572fa5291c31b3da45bb37d2d13c587b97c2 |
| SHA512 | 4ee0cbeacc4bda44127693fb3f94c342ae552551fd5048d34c0f7db0ba790050baa01da52390e12248f288fc77141b7186a863f535dbf24809ef2ea4771e6342 |
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | 730e2caf696b95b2a51a6d6394c2aea7 |
| SHA1 | d7643239f545b744ba5f869bd47adaa925fc1e0c |
| SHA256 | 6b9e0a29642d8d9f687569571c59bd609b111da918d79921e771188ff611f67f |
| SHA512 | 8e518066a53284528b04c95c374b6c7dc03f452f2c67a4b5881d328983e6a0ac183816199dda567b18ef08597042ca074035e6de318bb7bb9e0506b06c0a6f5d |
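Two details of the Files section matter before its hashes are copied into a blocklist. First, the earlier of the two Kdeoemeg.exe records carries the digests of empty input (d41d8cd9… for MD5, da39a3ee… for SHA1, e3b0c442… for SHA256): that record is a zero-byte capture taken before the dropper finished writing the file, and shipping it as an indicator would match every empty file on a host. Second, every memory dump spans 0x400000-0x438000, the same 0x38000-byte region in each process, which is consistent with each dropped copy mapping the same image. The parser below is an added example, not part of the sandbox report or the vendor's tooling: it reads a short excerpt in the report's own layout (constructed here from rows on this page), validates digest lengths, drops empty-file records, deduplicates the remaining digests, and reports the distinct region sizes. Function and field names are assumptions of this example.

```python
"""Parse the Files section of the report into a usable IOC set.

Added example, not part of the sandbox report. REPORT_EXCERPT is a constructed
excerpt of three records from this page, in the report's own layout; the
regexes and helper names are this example's own.
"""
import hashlib
import re

REPORT_EXCERPT = """\
memory/4004-39-0x0000000000400000-0x0000000000438000-memory.dmp
C:\\Windows\\SysWOW64\\Kdeoemeg.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\\Windows\\SysWOW64\\Kdeoemeg.exe
| MD5 | f0093c7d7f2840c9059a3412a3ed41d2 |
| SHA1 | 7bb0a17132973fc9024aa327641f138f4a49359c |
| SHA256 | d990ff3c29fbb4d64c6fdd50f42954bf1342ffa3649bee793fc1d1f518c43994 |
| SHA512 | 3946cdc2dd9eae65957aa81c2e045a7f356dbc9d2e4f32835615e49276f3a4d9381facec36d35c48f00a5c6a14e3406cb8b385bc520363d3312f31c0afbbb4a1 |
memory/4416-48-0x0000000000400000-0x0000000000438000-memory.dmp
C:\\Windows\\SysWOW64\\Kfckahdj.exe
| MD5 | 8c94d1531233713beb379a6a46c63ae2 |
| SHA1 | 329a505588b13c7891f8e0b5b0a0b9d0cf7f9072 |
| SHA256 | 537563373b9b4eb8630a6fb94f61b65fb4dccd3a5bc3c5bc685e47b7ad31da71 |
| SHA512 | 16a914d7aeaf993d2f6ce7ffae6c7bee35a145096f7f3d63f9d1fd12ea57a5e89f0cccf27599d76839e6268dfb01e3313c3d27aebdc94abd6edff79e4bc61a28 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-byte input, computed rather than hard-coded.
EMPTY_DIGEST = {a: hashlib.new(a.lower(), b"").hexdigest() for a in HASH_LEN}

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_files_section(text):
    """Return (file_records, memory_regions).

    file_records: [{path, hashes, empty, bad_hashes}] in report order.
    memory_regions: [{pid, index, start, end, size}] from the memory/ lines.
    A hash row is attached to the most recent path line above it.
    """
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            s, e = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "index": int(idx), "start": s, "end": e, "size": e - s})
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}, "empty": False, "bad_hashes": []}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                current["bad_hashes"].append(algo)  # truncated or mangled row
            current["hashes"][algo] = digest
    for rec in files:
        present = [a for a in HASH_LEN if a in rec["hashes"]]
        # Zero-byte capture: every digest equals the digest of empty input.
        rec["empty"] = bool(present) and all(rec["hashes"][a] == EMPTY_DIGEST[a] for a in present)
    return files, regions


def ioc_set(files, algo="SHA256"):
    """Sorted, deduplicated digests fit for a blocklist: empty-file records and
    records whose digest for this algorithm has the wrong length are skipped."""
    return sorted({r["hashes"][algo] for r in files
                   if algo in r["hashes"] and not r["empty"] and algo not in r["bad_hashes"]})


def image_sizes(regions):
    """Distinct mapped-region sizes; one value means every dump is the same size."""
    return sorted({r["size"] for r in regions})


if __name__ == "__main__":
    files, regions = parse_files_section(REPORT_EXCERPT)
    for r in files:
        print(f"{r['path']}  empty={r['empty']}  bad={r['bad_hashes']}")
    print("usable SHA256 IOCs:", ioc_set(files))
    print("region sizes:", [hex(s) for s in image_sizes(regions)])
```

Run the parser over the full Files section rather than the excerpt to get the complete list; the same empty-input check applies to any sandbox report where a dropped file was hashed before it was fully written.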