Analysis
max time kernel: 114s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/09/2024, 16:04
Static task: static1
Behavioral task: behavioral1
Sample: Backdoor.Win32.Berbew.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: Backdoor.Win32.Berbew.exe
Resource: win10v2004-20240802-en
General
Target: Backdoor.Win32.Berbew.exe
Size: 91KB
MD5: bcbaf0bcc1e358c7c7bebfb1906a9220
SHA1: e743c77beb13f3c68ebcb209310cdcd9d86d3efe
SHA256: c986040ded2a37f6ff5d36c8f06aee63a37ec78d93c95f6f584151ce60a45efc
SHA512: ba152fa9a8aaa9aa0418832fcb882c979e486509ac7bb13ae34349cc659488b71a432d6ea51e89b1f0d87fa8339c33942c7527336b14ac8c540a6a0fba1bc3bd
SSDEEP: 1536:GIDYHrsv/srR/LYP0Md+yV9ZqBa/P8N6yUKYhJ7S7NQ0NIsrc:GIkLvwd+UMNYhJEQ0NIsrc
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhckcgpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfgklkoc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inebjihf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ieojgc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbojlfdp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mablfnne.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbbeml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcgdhkem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilphdlqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jidinqpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Koajmepf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjggal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mablfnne.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqcejcha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oqhoeb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iolhkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhkbdmbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojqcnhkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jadgnb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ooibkpmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lancko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpgmhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lakfeodm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpclce32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcfbkpab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojqcnhkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihbponja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iefphb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kamjda32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omopjcjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oihmedma.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jidinqpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jocnlg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpgmhg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mohidbkl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Momcpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhegig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncbafoge.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmjfodne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Backdoor.Win32.Berbew.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhkbdmbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilphdlqh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlbejloe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jocnlg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcoccc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcapicdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfkkqmiq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiacacpg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Haodle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfhmjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Momcpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmhbqbae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Johggfha.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljbnfleo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhgkgijg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfkkqmiq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjoppf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaonbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jifecp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lplfcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbgeqmjp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njljch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obgohklm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjoppf32.exe
Executes dropped EXE 64 IoCs
pid | Process
2060 | Hiacacpg.exe
244 | Hnnljj32.exe
4776 | Hehdfdek.exe
3380 | Hlblcn32.exe
1032 | Haodle32.exe
4168 | Hhimhobl.exe
4884 | Hnbeeiji.exe
2792 | Hihibbjo.exe
1844 | Inebjihf.exe
1900 | Ieojgc32.exe
2668 | Ipdndloi.exe
1968 | Iafkld32.exe
3604 | Ilkoim32.exe
4376 | Ibegfglj.exe
1180 | Ihbponja.exe
2884 | Iolhkh32.exe
1492 | Iefphb32.exe
4292 | Ilphdlqh.exe
3128 | Iamamcop.exe
544 | Jidinqpb.exe
4688 | Jlbejloe.exe
3424 | Jaonbc32.exe
1872 | Jifecp32.exe
4876 | Jocnlg32.exe
752 | Jbojlfdp.exe
688 | Jhkbdmbg.exe
4352 | Jadgnb32.exe
4272 | Johggfha.exe
5032 | Jimldogg.exe
4792 | Jojdlfeo.exe
1704 | Khbiello.exe
4800 | Kamjda32.exe
3540 | Koajmepf.exe
2636 | Kekbjo32.exe
2152 | Kcoccc32.exe
3868 | Khlklj32.exe
1156 | Kcapicdj.exe
2672 | Lljdai32.exe
3412 | Lebijnak.exe
1756 | Lpgmhg32.exe
1932 | Ledepn32.exe
3444 | Lakfeodm.exe
1676 | Ljbnfleo.exe
1792 | Lhenai32.exe
4000 | Lplfcf32.exe
3964 | Lancko32.exe
4368 | Lhgkgijg.exe
4452 | Mfkkqmiq.exe
4920 | Mjggal32.exe
4824 | Mpapnfhg.exe
3384 | Mablfnne.exe
808 | Mpclce32.exe
4112 | Mohidbkl.exe
5088 | Mbgeqmjp.exe
2216 | Mcfbkpab.exe
884 | Mhckcgpj.exe
1680 | Momcpa32.exe
2912 | Nfgklkoc.exe
1884 | Nhegig32.exe
1712 | Nckkfp32.exe
2288 | Nfihbk32.exe
4228 | Nhhdnf32.exe
1744 | Nfldgk32.exe
3708 | Nmfmde32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Bjdjokcd.dll | Kcoccc32.exe
File opened for modification | C:\Windows\SysWOW64\Lpgmhg32.exe | Lebijnak.exe
File opened for modification | C:\Windows\SysWOW64\Ledepn32.exe | Lpgmhg32.exe
File created | C:\Windows\SysWOW64\Nckkfp32.exe | Nhegig32.exe
File opened for modification | C:\Windows\SysWOW64\Nfihbk32.exe | Nckkfp32.exe
File created | C:\Windows\SysWOW64\Kofljo32.dll | Nckkfp32.exe
File created | C:\Windows\SysWOW64\Jocnlg32.exe | Jifecp32.exe
File created | C:\Windows\SysWOW64\Jadgnb32.exe | Jhkbdmbg.exe
File opened for modification | C:\Windows\SysWOW64\Nmjfodne.exe | Njljch32.exe
File opened for modification | C:\Windows\SysWOW64\Pfhmjf32.exe | Pakdbp32.exe
File created | C:\Windows\SysWOW64\Hlblcn32.exe | Hehdfdek.exe
File opened for modification | C:\Windows\SysWOW64\Hihibbjo.exe | Hnbeeiji.exe
File created | C:\Windows\SysWOW64\Jojdlfeo.exe | Jimldogg.exe
File opened for modification | C:\Windows\SysWOW64\Kamjda32.exe | Khbiello.exe
File opened for modification | C:\Windows\SysWOW64\Lhgkgijg.exe | Lancko32.exe
File created | C:\Windows\SysWOW64\Njjmni32.exe | Nbbeml32.exe
File opened for modification | C:\Windows\SysWOW64\Njljch32.exe | Ncbafoge.exe
File created | C:\Windows\SysWOW64\Pmhbqbae.exe | Oikjkc32.exe
File created | C:\Windows\SysWOW64\Ibegfglj.exe | Ilkoim32.exe
File created | C:\Windows\SysWOW64\Jifecp32.exe | Jaonbc32.exe
File created | C:\Windows\SysWOW64\Glllagck.dll | Ljbnfleo.exe
File opened for modification | C:\Windows\SysWOW64\Nfldgk32.exe | Nhhdnf32.exe
File created | C:\Windows\SysWOW64\Fpnkah32.dll | Nbbeml32.exe
File opened for modification | C:\Windows\SysWOW64\Hhimhobl.exe | Haodle32.exe
File created | C:\Windows\SysWOW64\Lpgmhg32.exe | Lebijnak.exe
File created | C:\Windows\SysWOW64\Nmfmde32.exe | Nfldgk32.exe
File created | C:\Windows\SysWOW64\Nmjfodne.exe | Njljch32.exe
File created | C:\Windows\SysWOW64\Dkjfaikb.dll | Ocgkan32.exe
File opened for modification | C:\Windows\SysWOW64\Lplfcf32.exe | Lhenai32.exe
File created | C:\Windows\SysWOW64\Mhckcgpj.exe | Mcfbkpab.exe
File opened for modification | C:\Windows\SysWOW64\Lancko32.exe | Lplfcf32.exe
File created | C:\Windows\SysWOW64\Kpbgeaba.dll | Mohidbkl.exe
File opened for modification | C:\Windows\SysWOW64\Iolhkh32.exe | Ihbponja.exe
File created | C:\Windows\SysWOW64\Gggikgqe.dll | Nmjfodne.exe
File opened for modification | C:\Windows\SysWOW64\Ipdndloi.exe | Ieojgc32.exe
File created | C:\Windows\SysWOW64\Aglmllpq.dll | Ilkoim32.exe
File created | C:\Windows\SysWOW64\Nfihbk32.exe | Nckkfp32.exe
File created | C:\Windows\SysWOW64\Nbbeml32.exe | Nmfmde32.exe
File created | C:\Windows\SysWOW64\Fpgkbmbm.dll | Ncbafoge.exe
File opened for modification | C:\Windows\SysWOW64\Pakdbp32.exe | Pcgdhkem.exe
File created | C:\Windows\SysWOW64\Ajdggc32.dll | Backdoor.Win32.Berbew.exe
File created | C:\Windows\SysWOW64\Qgiiak32.dll | Ihbponja.exe
File created | C:\Windows\SysWOW64\Anjcohke.dll | Jojdlfeo.exe
File created | C:\Windows\SysWOW64\Inmdohhp.dll | Koajmepf.exe
File opened for modification | C:\Windows\SysWOW64\Pcgdhkem.exe | Pjoppf32.exe
File created | C:\Windows\SysWOW64\Picoja32.dll | Iafkld32.exe
File opened for modification | C:\Windows\SysWOW64\Jhkbdmbg.exe | Jbojlfdp.exe
File created | C:\Windows\SysWOW64\Kamjda32.exe | Khbiello.exe
File created | C:\Windows\SysWOW64\Oonlfo32.exe | Omopjcjp.exe
File created | C:\Windows\SysWOW64\Lfojfj32.dll | Hnnljj32.exe
File opened for modification | C:\Windows\SysWOW64\Haodle32.exe | Hlblcn32.exe
File created | C:\Windows\SysWOW64\Lhgkgijg.exe | Lancko32.exe
File created | C:\Windows\SysWOW64\Gakbde32.dll | Hehdfdek.exe
File opened for modification | C:\Windows\SysWOW64\Johggfha.exe | Jadgnb32.exe
File created | C:\Windows\SysWOW64\Nfgklkoc.exe | Momcpa32.exe
File opened for modification | C:\Windows\SysWOW64\Ocgkan32.exe | Oqhoeb32.exe
File created | C:\Windows\SysWOW64\Pnjiffif.dll | Iamamcop.exe
File created | C:\Windows\SysWOW64\Jlbejloe.exe | Jidinqpb.exe
File created | C:\Windows\SysWOW64\Njljch32.exe | Ncbafoge.exe
File created | C:\Windows\SysWOW64\Oikjkc32.exe | Oihmedma.exe
File created | C:\Windows\SysWOW64\Ilkoim32.exe | Iafkld32.exe
File created | C:\Windows\SysWOW64\Lebijnak.exe | Lljdai32.exe
File created | C:\Windows\SysWOW64\Oqhoeb32.exe | Oiagde32.exe
File opened for modification | C:\Windows\SysWOW64\Ojqcnhkl.exe | Ocgkan32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5892 | 5764 | WerFault.exe | 180
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Johggfha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Koajmepf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kekbjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcfbkpab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojqcnhkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipdndloi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jifecp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcoccc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmfmde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njjmni32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khbiello.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpapnfhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfihbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omopjcjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pafkgphl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiagde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilkoim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihbponja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlbejloe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jojdlfeo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ooibkpmi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inebjihf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iefphb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lebijnak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmjfodne.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pififb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjoppf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnnljj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieojgc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iafkld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhckcgpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncbafoge.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Backdoor.Win32.Berbew.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhkbdmbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njljch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kamjda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhenai32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oihmedma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obgohklm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmhbqbae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Haodle32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcapicdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mablfnne.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhhdnf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbbeml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hehdfdek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnbeeiji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hihibbjo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfgklkoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lancko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mohidbkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pakdbp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlblcn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iamamcop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ledepn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lakfeodm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lplfcf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfhmjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jocnlg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbojlfdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocgkan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfkkqmiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nckkfp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omalpc32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhcdb32.dll" | Hiacacpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnbeeiji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Obgohklm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll" | Ocgkan32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omopjcjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oikjkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jimldogg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbgeqmjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll" | Nhegig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ocgkan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll" | Iefphb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jidinqpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll" | Jadgnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Koajmepf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll" | Oihmedma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhenai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lancko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqcejcha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | Backdoor.Win32.Berbew.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kekbjo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lljdai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll" | Lakfeodm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhgkgijg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mohidbkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll" | Nhhdnf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nfldgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll" | Oqhoeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjja32.dll" | Jifecp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nqcejcha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Backdoor.Win32.Berbew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hehdfdek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll" | Hihibbjo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljbnfleo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll" | Lhgkgijg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcfbkpab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Momcpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhegig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll" | Hlblcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iolhkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpapnfhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nfihbk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocgkan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifffn32.dll" | Haodle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll" | Jlbejloe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jaonbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll" | Nfgklkoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll" | Pafkgphl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpgmhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll" | Pfhmjf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hehdfdek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpbai32.dll" | Hhimhobl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jimldogg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhhdnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlblcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll" | Iolhkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncbafoge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmjfodne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhimhobl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hihibbjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Inebjihf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibegfglj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcoejf32.dll" | Mablfnne.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmfmde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcgdhkem.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484 -
[2] C:\Windows\SysWOW64\Hiacacpg.exe (cmdline: C:\Windows\system32\Hiacacpg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060 -
[3] C:\Windows\SysWOW64\Hnnljj32.exe (cmdline: C:\Windows\system32\Hnnljj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:244 -
[4] C:\Windows\SysWOW64\Hehdfdek.exe (cmdline: C:\Windows\system32\Hehdfdek.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776 -
[5] C:\Windows\SysWOW64\Hlblcn32.exe (cmdline: C:\Windows\system32\Hlblcn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3380 -
[6] C:\Windows\SysWOW64\Haodle32.exe (cmdline: C:\Windows\system32\Haodle32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1032 -
[7] C:\Windows\SysWOW64\Hhimhobl.exe (cmdline: C:\Windows\system32\Hhimhobl.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168 -
[8] C:\Windows\SysWOW64\Hnbeeiji.exe (cmdline: C:\Windows\system32\Hnbeeiji.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884 -
[9] C:\Windows\SysWOW64\Hihibbjo.exe (cmdline: C:\Windows\system32\Hihibbjo.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
[10] C:\Windows\SysWOW64\Inebjihf.exe (cmdline: C:\Windows\system32\Inebjihf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
[11] C:\Windows\SysWOW64\Ieojgc32.exe (cmdline: C:\Windows\system32\Ieojgc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
[12] C:\Windows\SysWOW64\Ipdndloi.exe (cmdline: C:\Windows\system32\Ipdndloi.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668 -
[13] C:\Windows\SysWOW64\Iafkld32.exe (cmdline: C:\Windows\system32\Iafkld32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
[14] C:\Windows\SysWOW64\Ilkoim32.exe (cmdline: C:\Windows\system32\Ilkoim32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
[15] C:\Windows\SysWOW64\Ibegfglj.exe (cmdline: C:\Windows\system32\Ibegfglj.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376 -
[16] C:\Windows\SysWOW64\Ihbponja.exe (cmdline: C:\Windows\system32\Ihbponja.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180 -
[17] C:\Windows\SysWOW64\Iolhkh32.exe (cmdline: C:\Windows\system32\Iolhkh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
[18] C:\Windows\SysWOW64\Iefphb32.exe (cmdline: C:\Windows\system32\Iefphb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492 -
[19] C:\Windows\SysWOW64\Ilphdlqh.exe (cmdline: C:\Windows\system32\Ilphdlqh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
[20] C:\Windows\SysWOW64\Iamamcop.exe (cmdline: C:\Windows\system32\Iamamcop.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3128 -
[21] C:\Windows\SysWOW64\Jidinqpb.exe (cmdline: C:\Windows\system32\Jidinqpb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544 -
[22] C:\Windows\SysWOW64\Jlbejloe.exe (cmdline: C:\Windows\system32\Jlbejloe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688 -
[23] C:\Windows\SysWOW64\Jaonbc32.exe (cmdline: C:\Windows\system32\Jaonbc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3424 -
[24] C:\Windows\SysWOW64\Jifecp32.exe (cmdline: C:\Windows\system32\Jifecp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1872 -
[25] C:\Windows\SysWOW64\Jocnlg32.exe (cmdline: C:\Windows\system32\Jocnlg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4876 -
[26] C:\Windows\SysWOW64\Jbojlfdp.exe (cmdline: C:\Windows\system32\Jbojlfdp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:752 -
[27] C:\Windows\SysWOW64\Jhkbdmbg.exe (cmdline: C:\Windows\system32\Jhkbdmbg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:688 -
[28] C:\Windows\SysWOW64\Jadgnb32.exe (cmdline: C:\Windows\system32\Jadgnb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4352 -
[29] C:\Windows\SysWOW64\Johggfha.exe (cmdline: C:\Windows\system32\Johggfha.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4272 -
[30] C:\Windows\SysWOW64\Jimldogg.exe (cmdline: C:\Windows\system32\Jimldogg.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5032 -
[31] C:\Windows\SysWOW64\Jojdlfeo.exe (cmdline: C:\Windows\system32\Jojdlfeo.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4792 -
[32] C:\Windows\SysWOW64\Khbiello.exe (cmdline: C:\Windows\system32\Khbiello.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1704 -
[33] C:\Windows\SysWOW64\Kamjda32.exe (cmdline: C:\Windows\system32\Kamjda32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4800 -
[34] C:\Windows\SysWOW64\Koajmepf.exe (cmdline: C:\Windows\system32\Koajmepf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3540 -
[35] C:\Windows\SysWOW64\Kekbjo32.exe (cmdline: C:\Windows\system32\Kekbjo32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2636 -
[36] C:\Windows\SysWOW64\Kcoccc32.exe (cmdline: C:\Windows\system32\Kcoccc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2152 -
[37] C:\Windows\SysWOW64\Khlklj32.exe (cmdline: C:\Windows\system32\Khlklj32.exe)
- Executes dropped EXE
PID:3868 -
[38] C:\Windows\SysWOW64\Kcapicdj.exe (cmdline: C:\Windows\system32\Kcapicdj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
[39] C:\Windows\SysWOW64\Lljdai32.exe (cmdline: C:\Windows\system32\Lljdai32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
[40] C:\Windows\SysWOW64\Lebijnak.exe (cmdline: C:\Windows\system32\Lebijnak.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3412 -
[41] C:\Windows\SysWOW64\Lpgmhg32.exe (cmdline: C:\Windows\system32\Lpgmhg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1756 -
[42] C:\Windows\SysWOW64\Ledepn32.exe (cmdline: C:\Windows\system32\Ledepn32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
[43] C:\Windows\SysWOW64\Lakfeodm.exe (cmdline: C:\Windows\system32\Lakfeodm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3444 -
[44] C:\Windows\SysWOW64\Ljbnfleo.exe (cmdline: C:\Windows\system32\Ljbnfleo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1676 -
[45] C:\Windows\SysWOW64\Lhenai32.exe (cmdline: C:\Windows\system32\Lhenai32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1792 -
[46] C:\Windows\SysWOW64\Lplfcf32.exe (cmdline: C:\Windows\system32\Lplfcf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4000 -
[47] C:\Windows\SysWOW64\Lancko32.exe (cmdline: C:\Windows\system32\Lancko32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3964 -
[48] C:\Windows\SysWOW64\Lhgkgijg.exe (cmdline: C:\Windows\system32\Lhgkgijg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4368 -
[49] C:\Windows\SysWOW64\Mfkkqmiq.exe (cmdline: C:\Windows\system32\Mfkkqmiq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4452 -
[50] C:\Windows\SysWOW64\Mjggal32.exe (cmdline: C:\Windows\system32\Mjggal32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4920 -
[51] C:\Windows\SysWOW64\Mpapnfhg.exe (cmdline: C:\Windows\system32\Mpapnfhg.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4824 -
[52] C:\Windows\SysWOW64\Mablfnne.exe (cmdline: C:\Windows\system32\Mablfnne.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3384 -
[53] C:\Windows\SysWOW64\Mpclce32.exe (cmdline: C:\Windows\system32\Mpclce32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:808 -
[54] C:\Windows\SysWOW64\Mohidbkl.exe (cmdline: C:\Windows\system32\Mohidbkl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4112 -
[55] C:\Windows\SysWOW64\Mbgeqmjp.exe (cmdline: C:\Windows\system32\Mbgeqmjp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5088 -
[56] C:\Windows\SysWOW64\Mcfbkpab.exe (cmdline: C:\Windows\system32\Mcfbkpab.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2216 -
[57] C:\Windows\SysWOW64\Mhckcgpj.exe (cmdline: C:\Windows\system32\Mhckcgpj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:884 -
[58] C:\Windows\SysWOW64\Momcpa32.exe (cmdline: C:\Windows\system32\Momcpa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
[59] C:\Windows\SysWOW64\Nfgklkoc.exe (cmdline: C:\Windows\system32\Nfgklkoc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2912 -
[60] C:\Windows\SysWOW64\Nhegig32.exe (cmdline: C:\Windows\system32\Nhegig32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1884 -
[61] C:\Windows\SysWOW64\Nckkfp32.exe (cmdline: C:\Windows\system32\Nckkfp32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1712 -
[62] C:\Windows\SysWOW64\Nfihbk32.exe (cmdline: C:\Windows\system32\Nfihbk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2288 -
[63] C:\Windows\SysWOW64\Nhhdnf32.exe (cmdline: C:\Windows\system32\Nhhdnf32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4228 -
[64] C:\Windows\SysWOW64\Nfldgk32.exe (cmdline: C:\Windows\system32\Nfldgk32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
[65] C:\Windows\SysWOW64\Nmfmde32.exe (cmdline: C:\Windows\system32\Nmfmde32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3708 -
[66] C:\Windows\SysWOW64\Nbbeml32.exe (cmdline: C:\Windows\system32\Nbbeml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4660 -
[67] C:\Windows\SysWOW64\Njjmni32.exe (cmdline: C:\Windows\system32\Njjmni32.exe)
- System Location Discovery: System Language Discovery
PID:4516 -
[68] C:\Windows\SysWOW64\Nqcejcha.exe (cmdline: C:\Windows\system32\Nqcejcha.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2484 -
[69] C:\Windows\SysWOW64\Ncbafoge.exe (cmdline: C:\Windows\system32\Ncbafoge.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3144 -
[70] C:\Windows\SysWOW64\Njljch32.exe (cmdline: C:\Windows\system32\Njljch32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4344 -
[71] C:\Windows\SysWOW64\Nmjfodne.exe (cmdline: C:\Windows\system32\Nmjfodne.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
[72] C:\Windows\SysWOW64\Ooibkpmi.exe (cmdline: C:\Windows\system32\Ooibkpmi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:264 -
[73] C:\Windows\SysWOW64\Obgohklm.exe (cmdline: C:\Windows\system32\Obgohklm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3552 -
[74] C:\Windows\SysWOW64\Oiagde32.exe (cmdline: C:\Windows\system32\Oiagde32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3292 -
[75] C:\Windows\SysWOW64\Oqhoeb32.exe (cmdline: C:\Windows\system32\Oqhoeb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5144 -
[76] C:\Windows\SysWOW64\Ocgkan32.exe (cmdline: C:\Windows\system32\Ocgkan32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5176 -
[77] C:\Windows\SysWOW64\Ojqcnhkl.exe (cmdline: C:\Windows\system32\Ojqcnhkl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5228 -
[78] C:\Windows\SysWOW64\Omopjcjp.exe (cmdline: C:\Windows\system32\Omopjcjp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5272 -
[79] C:\Windows\SysWOW64\Oonlfo32.exe (cmdline: C:\Windows\system32\Oonlfo32.exe)
PID:5316 -
[80] C:\Windows\SysWOW64\Omalpc32.exe (cmdline: C:\Windows\system32\Omalpc32.exe)
- System Location Discovery: System Language Discovery
PID:5368 -
[81] C:\Windows\SysWOW64\Oihmedma.exe (cmdline: C:\Windows\system32\Oihmedma.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5408 -
[82] C:\Windows\SysWOW64\Oikjkc32.exe (cmdline: C:\Windows\system32\Oikjkc32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:5452 -
[83] C:\Windows\SysWOW64\Pmhbqbae.exe (cmdline: C:\Windows\system32\Pmhbqbae.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5496 -
[84] C:\Windows\SysWOW64\Pafkgphl.exe (cmdline: C:\Windows\system32\Pafkgphl.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5540 -
[85] C:\Windows\SysWOW64\Pjoppf32.exe (cmdline: C:\Windows\system32\Pjoppf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5592 -
[86] C:\Windows\SysWOW64\Pcgdhkem.exe (cmdline: C:\Windows\system32\Pcgdhkem.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5636 -
[87] C:\Windows\SysWOW64\Pakdbp32.exe (cmdline: C:\Windows\system32\Pakdbp32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5680 -
[88] C:\Windows\SysWOW64\Pfhmjf32.exe (cmdline: C:\Windows\system32\Pfhmjf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5724 -
[89] C:\Windows\SysWOW64\Pififb32.exe (cmdline: C:\Windows\system32\Pififb32.exe)
- System Location Discovery: System Language Discovery
PID:5764 -
[90] C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 400)
- Program crash
PID:5892
[1] C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5764 -ip 5764)
PID:5828
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8)
PID:5836
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
91KB
MD57f51ceeb903f0daa53b6bf4f546fceb1
SHA12121755cf3eea7e62eb72d2b7250464427ce7816
SHA2561276a50ddf4633e5d4ee31871e5cde858175b8d550b5135cae37d3166e9448b2
SHA512f8708235dc94653f0ceccd332b4e9bafd1c9ed9fb18df48a033b6354021a021f003895e0a892373937fc6aa1a8f3f68aa45cca5a374e5e8e2763635ed3c915c0
-
Filesize
91KB
MD52a9909681d5f54bbc79afc48157caf36
SHA11eddacfab3c975a3820d61a2ce9ea81640e7a9c1
SHA25648e6dcf7d1eea27ef539cb3adb34ca0b43b569f70f90a18f2da3303f32cac03a
SHA51253eb550468811102c6d714e4797c107a3aee960872d8d1d74731dd3aaf471de8912b116034af741d76f0d1fe3c938101d95c5df84d2a76d722b08abb23caab4d
-
Filesize
91KB
MD5026ddba76b29aabbaf50eb99765f527d
SHA1509e834341d4d43ee78e7a0c2df79af1781f9fe1
SHA25687defabd24395027587e0e3f3b22c1227ed4c7380001a19a3d6349a6e101d0f3
SHA51286f5147dcd0edfcd0429a371a0d124ff87fd55e1523d1c865c00f6b2cad3642498a85aecc8c123e4846f7e7912316340bd67b61f6ef0c77e9a463f9b3c93df73
-
Filesize
64KB
MD5c1d0966b69b5201a29906aec7e42614f
SHA18c3826eee4e53783b2689ab2308e8d942b8daa40
SHA25635cc34748b6782981949a675e02f458281593c7fd3770ae2e0ae229574143b7f
SHA512bb4f5db1c7f269c1dae4bfc919bdc9d1a9d255e7be21d21d960a41f9f640dde2803979df4f267bedd45afbe539a5bb1ff8ace07d8689b43bf94e3d13608d7cf2
-
Filesize
91KB
MD56a6276feb80642592c8982b328ce8009
SHA161cc18af390e3b2eab3af0448abbb1f8cc4fe3fd
SHA256fee9b7fa4b571190dac735088c28de9f6960ebb05995e7fed39797317f1d8130
SHA512d13860b628b2b3adb1f44348c02f3e6522ed883a7a9498c7c1a6694c4800fee0177ab1ef263b53757d770673e07f68cd86b9f372984aa2ac4ed353f32b73910b
-
Filesize
91KB
MD59e8d8586c08ace60372de74a6e9a3b1b
SHA17b31ac23f4ba2d1eeb3c82f6ac69f796c1949ea2
SHA2562868721e23a682969b8063bc39ae2d2f2ab1c9e1568da527ef87e7729fd3a446
SHA5127adbb4f709d08155833b9916f07d089c8b392e70fb4862fe69eaecdaa697595c7e91d9cecdb9f04e9929751bafc100a66a641dfc56f67a9fcaec06b900df1239
-
Filesize
91KB
MD5b56c8be74ed61fb9640943b22c0896dd
SHA17a4cf4124a6fe596fabf463205ab9e37a1a0838e
SHA25609b5e3fbda7a9861569134773931f1d55278b8f6904d239b797016216d2443e2
SHA512bfcd78ee49851815c3c95805cc4fba5997270823b71bfd64b0dbc92041e69d7f56c2d4200831375376ff5cf09c67fc25ff400787da7ec253b52ac9347912fa0b
-
Filesize
91KB
MD51b610e2d6bf52321f4c4869a43ee0348
SHA1471d74470e2cab546307276d35eac3425b58929f
SHA2566f0c1a0831f996f21b0627b4b51f5f7a60caca017cff1b4111543f438337e59f
SHA51281510ac88a73a541796ebb29a3ed59a2dbbbbaeb6da3843f72bee423addd8b4f17fabe0c92856fe4e5ba9dcf9df74a4a8dae3eb1eb177a170cfe248705aaac51
-
Filesize
91KB
MD59d48fcd609cd5c265874af5cad1932f2
SHA1d0d9c8a72c33d9692d4f23f4b324644589005b2e
SHA2560264f784a44dd61bd737e55ebf026f65fd78203f7732b7e54cbfac37d2994684
SHA51262d49fa9739c5dc0756ef039efd1c3336560e7b4a48643ff0f6c30ae561f0b121c1f17a97a531840566b964fcf568863ea9999a2410394d7d822e234011f22eb
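The dropped-file list above is a flat run of size/digest blocks, and in the extracted text the label is sometimes fused to its value ("MD5<hex>") and sometimes on its own line. The following is an added example, not tria.ge code and not part of this report, that parses blocks in either layout, rejects digests of the wrong length (a transcription error in an indicator list is easy to miss otherwise), and checks files on disk against the SHA-256 values while cross-checking MD5 and SHA-1. REPORT_TEXT copies two entries from the list above; the function names, the Record type and the directory walk are assumptions made for illustration.

```python
"""Parse tria.ge-style dropped-file hash blocks and match files against them.

Added example, not part of the tria.ge report or its tooling. REPORT_TEXT copies
two entries from the report (one fused "MD5<hex>" form, one label-then-value
form); everything else here is an illustrative assumption.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: two dropped-file entries copied from the report.
REPORT_TEXT = """\
-
Filesize
64KB
MD5c1d0966b69b5201a29906aec7e42614f
SHA18c3826eee4e53783b2689ab2308e8d942b8daa40
SHA25635cc34748b6782981949a675e02f458281593c7fd3770ae2e0ae229574143b7f
SHA512bb4f5db1c7f269c1dae4bfc919bdc9d1a9d255e7be21d21d960a41f9f640dde2803979df4f267bedd45afbe539a5bb1ff8ace07d8689b43bf94e3d13608d7cf2
-
Filesize
91KB
MD5
6a6276feb80642592c8982b328ce8009
SHA1
61cc18af390e3b2eab3af0448abbb1f8cc4fe3fd
SHA256
fee9b7fa4b571190dac735088c28de9f6960ebb05995e7fed39797317f1d8130
SHA512
d13860b628b2b3adb1f44348c02f3e6522ed883a7a9498c7c1a6694c4800fee0177ab1ef263b53757d770673e07f68cd86b9f372984aa2ac4ed353f32b73910b
"""

# Hex digest lengths; anything else is a truncated or corrupted indicator.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# The hex group may be empty when the value sits on the following line.
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]*)$")
SIZE_RE = re.compile(r"^(\d+)\s*(B|KB|MB)$", re.IGNORECASE)


@dataclass
class Record:
    """One dropped-file entry: rounded size (hint only) plus its digests."""
    filesize: Optional[int] = None
    digests: Dict[str, str] = field(default_factory=dict)


def parse_size(text: str) -> Optional[int]:
    """'91KB' -> 93184. The report rounds sizes, so never match on them."""
    m = SIZE_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2).upper()]


def parse_report(text: str) -> List[Record]:
    """Split the '-'-separated blocks into Records, validating each digest."""
    records: List[Record] = []
    cur = Record()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":                       # entry separator
            if cur.digests:
                records.append(cur)
            cur = Record()
            continue
        if line == "Filesize" and i < len(lines):
            cur.filesize = parse_size(lines[i])
            i += 1
            continue
        m = LABEL_RE.match(line)
        if not m:
            continue                          # unrelated report text
        algo, hexd = m.group(1), m.group(2)
        if not hexd and i < len(lines):       # label alone: value is on the next line
            hexd = lines[i]
            i += 1
        hexd = hexd.lower()
        if len(hexd) != DIGEST_LEN[algo] or any(c not in "0123456789abcdef" for c in hexd):
            raise ValueError(f"{algo} digest has bad length {len(hexd)}: {hexd!r}")
        cur.digests[algo] = hexd
    if cur.digests:
        records.append(cur)
    return records


def digests_of(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in DIGEST_LEN}


def build_index(records: List[Record]) -> Dict[str, Record]:
    """Key on SHA-256; MD5 and SHA-1 alone are too collision-prone to key on."""
    return {r.digests["SHA256"]: r for r in records if "SHA256" in r.digests}


def check_bytes(index: Dict[str, Record], data: bytes) -> Optional[Record]:
    """Return the matching Record, or None. Every listed digest must agree."""
    rec = index.get(hashlib.sha256(data).hexdigest())
    if rec is None:
        return None
    for algo, want in rec.digests.items():
        if hashlib.new(algo.lower(), data).hexdigest() != want:
            raise ValueError(f"{algo} disagrees with the SHA256 match; check the indicator list")
    return rec


def scan_directory(index: Dict[str, Record], root: str) -> List[Tuple[str, Record]]:
    """Walk root and report every file whose digests match an entry."""
    hits: List[Tuple[str, Record]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                      # unreadable or vanished; skip
            rec = check_bytes(index, data)
            if rec is not None:
                hits.append((path, rec))
    return hits


if __name__ == "__main__":
    import sys
    idx = build_index(parse_report(REPORT_TEXT))
    for path, rec in scan_directory(idx, sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: matches dropped file sha256={rec.digests['SHA256']}")
```

Point the script at a directory of collected files; only an exact SHA-256 match is reported, and a record whose MD5 or SHA-1 disagrees with that match raises rather than passing silently, which is the behaviour you want from an indicator list that was copied by hand or through an extraction step. To use the full list above, paste the remaining entries into REPORT_TEXT in either layout.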