Malware Analysis Report

2025-03-15 09:05

Sample ID 240916-tj6vdswhrm
Target Backdoor.Win32.Berbew.pz-65ec09fa8c2ad3c079cb20c86d09f313002057156d3135c8789538917dc63352N
SHA256 65ec09fa8c2ad3c079cb20c86d09f313002057156d3135c8789538917dc63352
Tags
berbew backdoor discovery persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file Backdoor.Win32.Berbew.pz-65ec09fa8c2ad3c079cb20c86d09f313002057156d3135c8789538917dc63352N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-09-16 16:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 16:06

Reported

2024-09-16 16:08

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amelne32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajgpbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bajomhbl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Behgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bonoflae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acmhepko.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdmddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poapfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Achojp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfikmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chkmkacq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acmhepko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Poocpnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bonoflae.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Annbhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aniimjbo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amcpie32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Achojp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdmddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Annbhi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpfeppop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apdhjq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ackkppma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poocpnbm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aniimjbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Picnndmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bpfeppop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qflhbhgg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qijdocfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjbjhgde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaloddnn.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Picnndmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjbjhgde.exe N/A
N/A N/A C:\Windows\SysWOW64\Poocpnbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfikmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmccjbaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qflhbhgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qijdocfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qngmgjeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeaedd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgoapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniimjbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaheie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpjakhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Amnfnfgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Achojp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Annbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackkppma.exe N/A
N/A N/A C:\Windows\SysWOW64\Agfgqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amcpie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaolidlk.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmhepko.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajgpbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amelne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apdhjq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeqabgoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmhideol.exe N/A
N/A N/A C:\Windows\SysWOW64\Bpfeppop.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfpnmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biojif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnkbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bajomhbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Biafnecn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bonoflae.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbikgk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Behgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjdplm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmclhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmddc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkglameg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmeimhdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdoajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chkmkacq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckiigmcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmgechbh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cacacg32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgbafl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Picnndmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Picnndmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjbjhgde.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjbjhgde.exe N/A
N/A N/A C:\Windows\SysWOW64\Poocpnbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Poocpnbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfikmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfikmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmccjbaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmccjbaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qflhbhgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qflhbhgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qijdocfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qijdocfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qngmgjeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qngmgjeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeaedd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeaedd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgoapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgoapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniimjbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Aniimjbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaheie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaheie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpjakhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpjakhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Amnfnfgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Amnfnfgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Achojp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Achojp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Agdjkogm.exe N/A
N/A N/A C:\Windows\SysWOW64\Annbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Annbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackkppma.exe N/A
N/A N/A C:\Windows\SysWOW64\Ackkppma.exe N/A
N/A N/A C:\Windows\SysWOW64\Agfgqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agfgqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amcpie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amcpie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaolidlk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaolidlk.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmhepko.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmhepko.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajgpbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajgpbj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amelne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amelne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apdhjq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apdhjq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeqabgoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeqabgoj.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Pjbjhgde.exe C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
File created C:\Windows\SysWOW64\Njelgo32.dll C:\Windows\SysWOW64\Amelne32.exe N/A
File created C:\Windows\SysWOW64\Jhgkeald.dll C:\Windows\SysWOW64\Bpfeppop.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cmgechbh.exe N/A
File created C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Pfikmh32.exe N/A
File created C:\Windows\SysWOW64\Qflhbhgg.exe C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Amcpie32.exe C:\Windows\SysWOW64\Agfgqo32.exe N/A
File created C:\Windows\SysWOW64\Bmclhi32.exe C:\Windows\SysWOW64\Bjdplm32.exe N/A
File created C:\Windows\SysWOW64\Kgfkcnlb.dll C:\Windows\SysWOW64\Cdoajb32.exe N/A
File created C:\Windows\SysWOW64\Behgcf32.exe C:\Windows\SysWOW64\Bbikgk32.exe N/A
File created C:\Windows\SysWOW64\Imogmg32.dll C:\Windows\SysWOW64\Pjbjhgde.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Poocpnbm.exe N/A
File opened for modification C:\Windows\SysWOW64\Qeaedd32.exe C:\Windows\SysWOW64\Qngmgjeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Annbhi32.exe N/A
File created C:\Windows\SysWOW64\Nodmbemj.dll C:\Windows\SysWOW64\Biojif32.exe N/A
File created C:\Windows\SysWOW64\Bdmddc32.exe C:\Windows\SysWOW64\Bmclhi32.exe N/A
File created C:\Windows\SysWOW64\Qniedg32.dll C:\Windows\SysWOW64\Ajpjakhc.exe N/A
File created C:\Windows\SysWOW64\Napoohch.dll C:\Windows\SysWOW64\Achojp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amelne32.exe C:\Windows\SysWOW64\Ajgpbj32.exe N/A
File created C:\Windows\SysWOW64\Pqfjpj32.dll C:\Windows\SysWOW64\Apdhjq32.exe N/A
File created C:\Windows\SysWOW64\Eignpade.dll C:\Windows\SysWOW64\Biafnecn.exe N/A
File opened for modification C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Picnndmb.exe N/A
File opened for modification C:\Windows\SysWOW64\Poocpnbm.exe C:\Windows\SysWOW64\Pjbjhgde.exe N/A
File opened for modification C:\Windows\SysWOW64\Achojp32.exe C:\Windows\SysWOW64\Amnfnfgg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnkbam32.exe C:\Windows\SysWOW64\Biojif32.exe N/A
File created C:\Windows\SysWOW64\Biafnecn.exe C:\Windows\SysWOW64\Bajomhbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckiigmcd.exe C:\Windows\SysWOW64\Chkmkacq.exe N/A
File created C:\Windows\SysWOW64\Gnnffg32.dll C:\Windows\SysWOW64\Ckiigmcd.exe N/A
File created C:\Windows\SysWOW64\Oodajl32.dll C:\Windows\SysWOW64\Pfikmh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amnfnfgg.exe C:\Windows\SysWOW64\Ajpjakhc.exe N/A
File created C:\Windows\SysWOW64\Aaolidlk.exe C:\Windows\SysWOW64\Amcpie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfpnmj32.exe C:\Windows\SysWOW64\Bpfeppop.exe N/A
File created C:\Windows\SysWOW64\Mmdgdp32.dll C:\Windows\SysWOW64\Bfpnmj32.exe N/A
File created C:\Windows\SysWOW64\Bmeimhdj.exe C:\Windows\SysWOW64\Bkglameg.exe N/A
File opened for modification C:\Windows\SysWOW64\Chkmkacq.exe C:\Windows\SysWOW64\Cdoajb32.exe N/A
File created C:\Windows\SysWOW64\Bmhideol.exe C:\Windows\SysWOW64\Aeqabgoj.exe N/A
File created C:\Windows\SysWOW64\Fdlpjk32.dll C:\Windows\SysWOW64\Cmgechbh.exe N/A
File opened for modification C:\Windows\SysWOW64\Agfgqo32.exe C:\Windows\SysWOW64\Ackkppma.exe N/A
File opened for modification C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Bnkbam32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdmddc32.exe C:\Windows\SysWOW64\Bmclhi32.exe N/A
File created C:\Windows\SysWOW64\Bkglameg.exe C:\Windows\SysWOW64\Bdmddc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qijdocfj.exe C:\Windows\SysWOW64\Qflhbhgg.exe N/A
File created C:\Windows\SysWOW64\Ljhcccai.dll C:\Windows\SysWOW64\Aaheie32.exe N/A
File created C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cmgechbh.exe N/A
File created C:\Windows\SysWOW64\Nlpdbghp.dll C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Plnfdigq.dll C:\Windows\SysWOW64\Poapfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Qeaedd32.exe N/A
File created C:\Windows\SysWOW64\Bmnbjfam.dll C:\Windows\SysWOW64\Acmhepko.exe N/A
File created C:\Windows\SysWOW64\Bajomhbl.exe C:\Windows\SysWOW64\Bnkbam32.exe N/A
File created C:\Windows\SysWOW64\Picnndmb.exe C:\Windows\SysWOW64\Pgbafl32.exe N/A
File created C:\Windows\SysWOW64\Jmogdj32.dll C:\Windows\SysWOW64\Qgoapp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Annbhi32.exe C:\Windows\SysWOW64\Agdjkogm.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpfeppop.exe C:\Windows\SysWOW64\Bmhideol.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmgechbh.exe C:\Windows\SysWOW64\Ckiigmcd.exe N/A
File created C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Picnndmb.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Pfikmh32.exe N/A
File created C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\SysWOW64\Aaheie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjdplm32.exe C:\Windows\SysWOW64\Behgcf32.exe N/A
File created C:\Windows\SysWOW64\Cmelgapq.dll C:\Windows\SysWOW64\Qijdocfj.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Aniimjbo.exe N/A
File opened for modification C:\Windows\SysWOW64\Ackkppma.exe C:\Windows\SysWOW64\Aaloddnn.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaolidlk.exe C:\Windows\SysWOW64\Amcpie32.exe N/A
File created C:\Windows\SysWOW64\Deokbacp.dll C:\Windows\SysWOW64\Bajomhbl.exe N/A
File created C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Qeaedd32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Cacacg32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chkmkacq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfikmh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aniimjbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckiigmcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkglameg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qflhbhgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Biafnecn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amelne32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qeaedd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmclhi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poocpnbm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajgpbj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qijdocfj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amnfnfgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agfgqo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjbjhgde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Picnndmb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apdhjq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bajomhbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amcpie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bpfeppop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Biojif32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbikgk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Achojp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Annbhi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cacacg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgoapp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ackkppma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bonoflae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Behgcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poapfn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acmhepko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmhideol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmgechbh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaheie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgbafl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdmddc32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aniimjbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Biafnecn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ackkppma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amelne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Behgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amcpie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll" C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Poocpnbm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apdhjq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" C:\Windows\SysWOW64\Bpfeppop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll" C:\Windows\SysWOW64\Qijdocfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll" C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll" C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qeaedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" C:\Windows\SysWOW64\Amnfnfgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" C:\Windows\SysWOW64\Amcpie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bajomhbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" C:\Windows\SysWOW64\Bmclhi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgbafl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjbjhgde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckiigmcd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qijdocfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll" C:\Windows\SysWOW64\Bmhideol.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfikmh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bonoflae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjbjhgde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ackkppma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll" C:\Windows\SysWOW64\Agfgqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll" C:\Windows\SysWOW64\Apdhjq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amnfnfgg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajgpbj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2724 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Picnndmb.exe
PID 2440 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Picnndmb.exe C:\Windows\SysWOW64\Pbkbgjcc.exe
PID 1996 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Pjbjhgde.exe
PID 2676 wrote to memory of 532 N/A C:\Windows\SysWOW64\Pjbjhgde.exe C:\Windows\SysWOW64\Poocpnbm.exe
PID 532 wrote to memory of 576 N/A C:\Windows\SysWOW64\Poocpnbm.exe C:\Windows\SysWOW64\Pfikmh32.exe
PID 576 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Pfikmh32.exe C:\Windows\SysWOW64\Pmccjbaf.exe
PID 2204 wrote to memory of 2384 N/A C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 2384 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qflhbhgg.exe
PID 2136 wrote to memory of 2980 N/A C:\Windows\SysWOW64\Qflhbhgg.exe C:\Windows\SysWOW64\Qijdocfj.exe
PID 2980 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Qijdocfj.exe C:\Windows\SysWOW64\Qngmgjeb.exe
PID 1780 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Qngmgjeb.exe C:\Windows\SysWOW64\Qeaedd32.exe
PID 2580 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Qeaedd32.exe C:\Windows\SysWOW64\Qgoapp32.exe
PID 2952 wrote to memory of 2072 N/A C:\Windows\SysWOW64\Qgoapp32.exe C:\Windows\SysWOW64\Aniimjbo.exe
PID 2072 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Aaheie32.exe
PID 2116 wrote to memory of 1028 N/A C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Acfaeq32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Pgbafl32.exe

C:\Windows\system32\Pgbafl32.exe

C:\Windows\SysWOW64\Picnndmb.exe

C:\Windows\system32\Picnndmb.exe

C:\Windows\SysWOW64\Pbkbgjcc.exe

C:\Windows\system32\Pbkbgjcc.exe

C:\Windows\SysWOW64\Pjbjhgde.exe

C:\Windows\system32\Pjbjhgde.exe

C:\Windows\SysWOW64\Poocpnbm.exe

C:\Windows\system32\Poocpnbm.exe

C:\Windows\SysWOW64\Pfikmh32.exe

C:\Windows\system32\Pfikmh32.exe

C:\Windows\SysWOW64\Pmccjbaf.exe

C:\Windows\system32\Pmccjbaf.exe

C:\Windows\SysWOW64\Poapfn32.exe

C:\Windows\system32\Poapfn32.exe

C:\Windows\SysWOW64\Qflhbhgg.exe

C:\Windows\system32\Qflhbhgg.exe

C:\Windows\SysWOW64\Qijdocfj.exe

C:\Windows\system32\Qijdocfj.exe

C:\Windows\SysWOW64\Qngmgjeb.exe

C:\Windows\system32\Qngmgjeb.exe

C:\Windows\SysWOW64\Qeaedd32.exe

C:\Windows\system32\Qeaedd32.exe

C:\Windows\SysWOW64\Qgoapp32.exe

C:\Windows\system32\Qgoapp32.exe

C:\Windows\SysWOW64\Aniimjbo.exe

C:\Windows\system32\Aniimjbo.exe

C:\Windows\SysWOW64\Aaheie32.exe

C:\Windows\system32\Aaheie32.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Ajpjakhc.exe

C:\Windows\system32\Ajpjakhc.exe

C:\Windows\SysWOW64\Amnfnfgg.exe

C:\Windows\system32\Amnfnfgg.exe

C:\Windows\SysWOW64\Achojp32.exe

C:\Windows\system32\Achojp32.exe

C:\Windows\SysWOW64\Agdjkogm.exe

C:\Windows\system32\Agdjkogm.exe

C:\Windows\SysWOW64\Annbhi32.exe

C:\Windows\system32\Annbhi32.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Ackkppma.exe

C:\Windows\system32\Ackkppma.exe

C:\Windows\SysWOW64\Agfgqo32.exe

C:\Windows\system32\Agfgqo32.exe

C:\Windows\SysWOW64\Amcpie32.exe

C:\Windows\system32\Amcpie32.exe

C:\Windows\SysWOW64\Aaolidlk.exe

C:\Windows\system32\Aaolidlk.exe

C:\Windows\SysWOW64\Acmhepko.exe

C:\Windows\system32\Acmhepko.exe

C:\Windows\SysWOW64\Ajgpbj32.exe

C:\Windows\system32\Ajgpbj32.exe

C:\Windows\SysWOW64\Amelne32.exe

C:\Windows\system32\Amelne32.exe

C:\Windows\SysWOW64\Apdhjq32.exe

C:\Windows\system32\Apdhjq32.exe

C:\Windows\SysWOW64\Aeqabgoj.exe

C:\Windows\system32\Aeqabgoj.exe

C:\Windows\SysWOW64\Bmhideol.exe

C:\Windows\system32\Bmhideol.exe

C:\Windows\SysWOW64\Bpfeppop.exe

C:\Windows\system32\Bpfeppop.exe

C:\Windows\SysWOW64\Bfpnmj32.exe

C:\Windows\system32\Bfpnmj32.exe

C:\Windows\SysWOW64\Biojif32.exe

C:\Windows\system32\Biojif32.exe

C:\Windows\SysWOW64\Bnkbam32.exe

C:\Windows\system32\Bnkbam32.exe

C:\Windows\SysWOW64\Bajomhbl.exe

C:\Windows\system32\Bajomhbl.exe

C:\Windows\SysWOW64\Biafnecn.exe

C:\Windows\system32\Biafnecn.exe

C:\Windows\SysWOW64\Bonoflae.exe

C:\Windows\system32\Bonoflae.exe

C:\Windows\SysWOW64\Bbikgk32.exe

C:\Windows\system32\Bbikgk32.exe

C:\Windows\SysWOW64\Behgcf32.exe

C:\Windows\system32\Behgcf32.exe

C:\Windows\SysWOW64\Bjdplm32.exe

C:\Windows\system32\Bjdplm32.exe

C:\Windows\SysWOW64\Bmclhi32.exe

C:\Windows\system32\Bmclhi32.exe

C:\Windows\SysWOW64\Bdmddc32.exe

C:\Windows\system32\Bdmddc32.exe

C:\Windows\SysWOW64\Bkglameg.exe

C:\Windows\system32\Bkglameg.exe

C:\Windows\SysWOW64\Bmeimhdj.exe

C:\Windows\system32\Bmeimhdj.exe

C:\Windows\SysWOW64\Cdoajb32.exe

C:\Windows\system32\Cdoajb32.exe

C:\Windows\SysWOW64\Chkmkacq.exe

C:\Windows\system32\Chkmkacq.exe

C:\Windows\SysWOW64\Ckiigmcd.exe

C:\Windows\system32\Ckiigmcd.exe

C:\Windows\SysWOW64\Cmgechbh.exe

C:\Windows\system32\Cmgechbh.exe

C:\Windows\SysWOW64\Cacacg32.exe

C:\Windows\system32\Cacacg32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 140

Network

N/A

Files

memory/2852-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pgbafl32.exe

MD5 678c78c6e027ec39cca37af1f397cd33
SHA1 5e01327453af718e3b047c5c897c034c96df788a
SHA256 26abd1f8dcf92a74875fca00cbb0a26babcd644bff8bfc9ebfd15d3f1a94c302
SHA512 1a8deaeb19563520a59c40cf3725887e5ecc5ffbbf8cf38793b046cc85d2823f79f7a75dbe28ee4831556bbc078433ff0761564bd2e2f5668026d2081b68dbb4

memory/2724-19-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2852-18-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Picnndmb.exe

MD5 97fd713a545d728a6241260634ab0f3d
SHA1 26d7376f1def770b96cef2994ff3176a0053576b
SHA256 81c28f8ef864a69384a3d783a319ca8cf58ba409a65e86ee790c2b6d33ac1073
SHA512 b19120492a56025e70851084b6c0837f3b1ea7b5559e4339f317316518c4256c9b863c65b61c0c9cfd437aecb944b21db3e7b6391509a3a155f3885b80d44f23

memory/2440-27-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2852-17-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Pbkbgjcc.exe

MD5 6f580d45bc76b29e08476946799fce2f
SHA1 7e47296e37083de1f0e34a2721b27f11b3c367b5
SHA256 197e31d9c8a46e03d6e5748d5fb592df0cc6659c3ebacb506c9d117be9f3546b
SHA512 bf2b7586fd4fba0c7fc0209f75c41384eaef65dc3744120f66febb327d8f38b1ab1d893f363f08f6fe45f73fe57394d4e46d4111eb3dca04a357692aebc828aa

memory/1996-45-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Pjbjhgde.exe

MD5 71bc1be6bb8e126dc80e8a4e124c16c5
SHA1 63f1714892dbf69071a5423d92b4d4319859af22
SHA256 51a3bd5132a19cbf428f32a9290642421851307328f61aa4a39a55dce3371358
SHA512 262305b857e87642ee7c93e4071c7b7c66ec874dc332a936134320d2ac7962340ab848eb5cb756c624d6ddb9db8be7077762ddc29b84523d01cfc21261a0fb31

memory/2676-53-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Poocpnbm.exe

MD5 1b4f5f234caaff1eaa2f23be654b36b5
SHA1 08d635583025f598d5f326b5a8990eabdfdbf3f8
SHA256 41f0995da239a76e08d9718ca2eac83582bc4e19832eaff798cead38fb2717c7
SHA512 5d0b2092248c5d406215edb1d4372a6f3234da64d4cc138a335d63d73004099ba593ef13d82b677a16c0e3f80e1dcdef4b9774cbe2800d9034c70edd26bfe843

memory/2676-61-0x0000000000250000-0x0000000000284000-memory.dmp

memory/532-67-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Pfikmh32.exe

MD5 ae63cda54c8853b85b5515bd59327a88
SHA1 c2ad23a270b5c0b08a0616cc60a555d2798b9d45
SHA256 934384430430c6a0446b2e7ff8375287b49a8018261569631edcf458570baab4
SHA512 e66f3af469cd29622b338cccf91fbf24d8929ae868e3d7f63505a88b681ecbd6c373d83c2928d70f82a373d127164fcc58ba4152f3a13b65195a1406beee408c

memory/576-80-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Pmccjbaf.exe

MD5 22aec672ec10488dc521f474da58b37f
SHA1 d1efcc801dfb84799dd6ab0c5a0906291d19ec8a
SHA256 8aefb9c1141090b7af3ebc3b74dc9f15f24e5fe61e0d65faaca6863ebc587d5c
SHA512 c1fee55e8d09dab183b5e56e433baac9f2631a0624cfd7fb1f8f15e89c12b17ead9e9607925a6a9fdb43f3c87d1b68b923bb2d463015817886ad7853a3cdec0d

memory/576-87-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/2204-94-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Poapfn32.exe

MD5 06cf0f42f2b4a42fdc3b0c83b88cfec8
SHA1 b2e5b89da3a8d5dd0a0bf72eafb186eed002b489
SHA256 5baa7d77c98a9a721cfd82c6352b9edefb6e80858695ad86a44a97a3a3acfe25
SHA512 65bd73cf41ed94eab5ba4e91271b16bb401772d9e29a664646ba24b9e42a1928a6b68324335a0e28b5f3a160b8509b1754c53fb8018b0753134dbfff18a4c556

memory/2384-107-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Qflhbhgg.exe

MD5 59d7ccbb1ec5ad0fc8c5d9108a5ea9fc
SHA1 5fc55fa983082375a66f3d42ebd3e1984359a779
SHA256 f052d7d1489556f0dfeff5f442f5a9b3f0cdfd0f67b559dd664544efbb533aca
SHA512 3d0ce54de1ceaa42c70f35d326d6c57ecbaa098b5614c94a1d97e32e9318cb7e5ad0e75a5ca91335d6cebb7588c9b6b8f146454a1c1bb5a2741bf5d92ad21c84

memory/2384-115-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Qijdocfj.exe

MD5 a76e5a4ddef2aa273efa8be3888c3ffd
SHA1 e883c09457540095268b5875c024d2e148f96f80
SHA256 e9554309b84562146c96ae5a6078fb5b8d2682a8de697dec4f4b0a0f2b8ad2ea
SHA512 6820b9e2775f385ca23cb11d248993f9ff36d2bb8cff83fe3e56d56cfabd4aa15747df0e738c0468c07470e11e5285f9b804856bf9c27c7aaa3203b84cd13812

memory/2980-134-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2136-132-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Qngmgjeb.exe

MD5 de362f63662f19fdca71c26c369b3617
SHA1 e1671ee2e5359d51e7587b680922fcb7acba6b0a
SHA256 089255744ec18f3ce3321e49179533fea38e62e65a0603151c64ea5bd18486d6
SHA512 cf8e25d62b6c52b32e21e6cdba3b370f429c67ad5e9ed35f4d329353d8ba6b32df7880b4ba70c1e5cc74bc6078fe7e56d2edb4a9fcd6c061629729a8494b746c

memory/2980-142-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Qeaedd32.exe

MD5 0e004c314dc02740d0fd0081bc607c36
SHA1 01fcc0767a5871871588286fd6754535c29b1b9b
SHA256 297f5b28c4ee00e052bf7c42a71ec7476050619bed3b41113db1da8e66e43296
SHA512 4f8aff7615347e007b4af4ff1fbb6a2d755480deb71ea356f20ba1daa2cdd7d7ceff3333000ff458b1efca4edcf9807f6b1210e894cb0f2362fac26dabce7815

memory/1780-148-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2580-161-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Qgoapp32.exe

MD5 d8cbd4811ef8c90bcaf9af204b4aaa10
SHA1 8e6c4f6d087f02820687de5aadbf082b912d48b7
SHA256 24ce0aeeedb5820729ad1026a1a52f455c0c3a76fcce33098c5c8d4fc4df9dfd
SHA512 0b13301086dbb5da6ee4e9f51477fa0532068edf2fd7cec23609cefa98c99bfcf3126767c92f3fa63ceadb84a6a77c32170777fcd223e7da4579e91894796328

memory/2580-169-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/2952-175-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Aniimjbo.exe

MD5 e920c4ddedfbd82cc5917abf18a197f1
SHA1 8497e38e10082cfc708068ae279abe4e64ce9208
SHA256 ae1802d5f6ee15f23f7d2a8d1618a6f076a5baec630ce2996e315779a7031a8b
SHA512 a5d0792e8ea86f663c013fd5a7a675801eab82800e92cd07a169dcce774e89daa9d57cac1bd2a7225c7a0f5bcd18ef655b2161f128a8300883df463cd08905f7

memory/2072-188-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Aaheie32.exe

MD5 62bef457f4e457c4681b6190ca77424f
SHA1 fcc1b0f5802d0c246047dd1dae574ab66846b5b2
SHA256 87be9a6af8541f6ae149f05e45e68031325971ffd5034c9984daecaeb654b564
SHA512 804054b5bc001109088cf623c108d9261d27dddb198bb7263bdc04d56d7dc2856972a590ede8616cd14750c924ab3fce47d342f3fabc3a5537b2ceba5ca83953

memory/2072-196-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2116-207-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Acfaeq32.exe

MD5 42fa9c08d70d542b86f520e51c7651b6
SHA1 e606c47c6c9b8e7a5eca773bc97846184a6d244e
SHA256 99d65df7bf3ddead2d73ab6a1beb12d096ffd2ac31eb226dca9e729ac594b3ba
SHA512 06a58f1d9d1677c2d8cb866576d0d298c90e6f1b1d53ceebf66c7e90ca10647ce66471d05faf04f4f0eafbea941050b88cdfed4592886472c497536acab2b933

memory/1028-215-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ajpjakhc.exe

MD5 2802d01d30dc0bd92b3c0eab52fde5f8
SHA1 826cceacf846da99681384f0e45bec245ecd3cd1
SHA256 c7968e2179ca38069edc429738cd64edc4d1abce95dd1d34191714d4724f0279
SHA512 b7ff1cfc2256f7731d625bbb4dc9887f7bc438b7169db59e038cd0b5093a7f135b36d341a8659af0586d593b8d7c8e0062f205ccd962bf1a04faf0dc4021aebc

memory/1028-222-0x0000000000250000-0x0000000000284000-memory.dmp

memory/444-230-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3048-235-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Amnfnfgg.exe

MD5 0eb9b034af8ea06ce67fd9f34ddd42c7
SHA1 08280bc345bdca4c75b79c0018839a400782a387
SHA256 871af6e669954c5ce748d1cd7404c34a0a09bdf7feebde179171e308ee72a8e9
SHA512 451da4a3e716e120d499a10da5e0934b2fafe356c6a772c394998c5686eb44fdea227eb9e320e8d3e454e472fd83ee84d03e6c1df6f35423295202a1ebbd788d

memory/3048-241-0x00000000002E0000-0x0000000000314000-memory.dmp

C:\Windows\SysWOW64\Achojp32.exe

MD5 5e2999bc75475e26be717f46b9928262
SHA1 64deb389503608c61a4268d89a5cfaf98929540e
SHA256 df84033122b724fa4d0a19e6b00aa9723148fc470cb794102bfd45396856991f
SHA512 e3b72cf9e5eaf4913eed0720539921e0bcccbbb74b55be47d372cfafb3a6c058aa1af5d3f91fe221c054cefaf0320c1b165b09d96fb2a271511c0f069ef48ccf

memory/1364-251-0x0000000000300000-0x0000000000334000-memory.dmp

memory/1364-249-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Agdjkogm.exe

MD5 ca6d5c4e6345a999de7ebf391553516e
SHA1 d590ae4738d750183c73e23e313c380a364a4c3e
SHA256 a69c76622025fb60b5dc9806f8361e06297217d3cf4d37c002522c920d95f711
SHA512 6765362a55dc58611c98524f49eddc6780ff61fd2967d3b826cca307ad95c80795b60388965e0c100f1f9bdcd4fdfb343e4d0738bd97d1c16961d2b887ec9998

memory/932-260-0x0000000001F60000-0x0000000001F94000-memory.dmp

C:\Windows\SysWOW64\Annbhi32.exe

MD5 29d51c2162020c9fff155f9842e0ff10
SHA1 54a5e38f3227ee1dc6ebb6204f3d0bd284366a89
SHA256 ab8c09a40cdc856272790cb0da669b62bc027ba4c33f6f7418225ca9f8db9f51
SHA512 66811a7b44eaf608802d1b44254d93baedc20af5468a1b98da25f60c6a9838342f963a8e66caeb6240042e80597eb1ebcd71072b260f0aa3a20607bc7608a267

memory/828-264-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Aaloddnn.exe

MD5 18c4a34e23202306592dcc1763ffc113
SHA1 b26f793901d6e12c0f096a4b5fcf9653ce436514
SHA256 a6d3c1b249277c00af14f45ba13cb9b993aaa971d916d23d517fb818a1efbe8a
SHA512 8b8f0d2e076cbf384dcb2373117cbdc924975d555f66d89ba910162d920758aa8650756f6436fa0dedc2af6755c28d3cd452a01e2645930d21136f7b65e07a64

memory/852-273-0x0000000000400000-0x0000000000434000-memory.dmp

memory/852-279-0x00000000002F0000-0x0000000000324000-memory.dmp

C:\Windows\SysWOW64\Ackkppma.exe

MD5 51a7381379e409d73935274cc3988840
SHA1 2a9c97cc7d5baca0ec6835902b23540debcf2d34
SHA256 66aeb72c152e0e937bbe7f388556a6b909ae5f248a4a6116509b4397353b2a5d
SHA512 37339cd6ab69979074f3b41177a9d9b07bbf798561b0471df5002fc077d4d5be6bed3375125ecf585116e7b524e1478af093a73b2fc3c0ab9c1706dd69376bd3

memory/852-283-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/2356-288-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2356-290-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Agfgqo32.exe

MD5 29de85b3fd9c6d60496fece60896ae01
SHA1 9fb99f961dcb121f78d55c60d49aea8ffbab2d0b
SHA256 95432b64999ae14a306f6b9afc5f1a8758bdff997437c4b3ad37cbd7f024e14f
SHA512 5a050fbff3305fa5589693537e6c604f14e35cc1ab82c0fe2e7bff01a2b0e8d814e6a5bba75e13817e2ab0e1dac6cf64abea00d1093e72b95f8061e864aeadcf

memory/2356-294-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2972-300-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Amcpie32.exe

MD5 3d81ced283acf407cdceb5a04f39e767
SHA1 ccbaa026cf0c1c5199cf17c76bdc978baecc4e87
SHA256 1dcd95d1c5cf283dc5962d976c310f56ddc792ae814cee30d1d867f5ade0d855
SHA512 40b937b6c19e6287a46204068acaf766d959bfabf59efbebb557e617fc3a6558a2cc9589fc6832323caae30d095b50a77626143a476ed75cce12323f831e7631

memory/2560-305-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2972-304-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Aaolidlk.exe

MD5 58ed35db38855b13f69e7a8ab776c73d
SHA1 5f6954bf854d15ac51d38d7f7b7d6c29901e03ef
SHA256 d73599233cde5c5c24e1c27d98313d3a753a13d085db8da035ec0c953b0475dd
SHA512 a81bbd27c9bd1cbe6869848fa601f3ca628874986a63037a763ac9cb2aa6f4a086906728801e535bac34e1b4362fc0efa312e7ddc9aa586abfc49dca103773d7

memory/2920-316-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2560-315-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2920-326-0x00000000005D0000-0x0000000000604000-memory.dmp

C:\Windows\SysWOW64\Acmhepko.exe

MD5 8bd061e25d7ddcaf57c268ef9a493145
SHA1 8f45f17ae5e6978046fb864c8d967eff8f1adf25
SHA256 a36d567458c6188908344c73bddb139c0ffa7cf1fbb5f67dbe9b4c1ad1fcd914
SHA512 c5286c42729a1dfe01077f8dd0e1e7f6d0c6a1414dab5f9d08197c23b0687ec9a273730327b8fb64b032182d3f0a56817ce4d196c48a07a005829dfee1452e9d

memory/2920-322-0x00000000005D0000-0x0000000000604000-memory.dmp

memory/2560-314-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Ajgpbj32.exe

MD5 9af4a13540238d147f6d896ee7c7e479
SHA1 5aeda7a1e2c8dc6dcf12bbf763c844a94dba4fa1
SHA256 ee2ce68fe0487d4a4482a15ee67cebc7e3302156afc281d21b32295be94dd9ac
SHA512 164e4b54ea6f35021613b2b731d58b2419a4574e29590f8881f2093dabe42835cd07155daaf934ac5d036fdfa4b3baf3aa15f1d4a181db62c2eca5601d3fff38

memory/2656-337-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2836-336-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/2836-335-0x0000000000270000-0x00000000002A4000-memory.dmp

memory/2656-347-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2656-346-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Amelne32.exe

MD5 9210787ab862c77de24f598120437d00
SHA1 29fb063c454ff856eaa915eb520412e3e31f500e
SHA256 c8993db3a21f31a4862da67dbcc78efe05543ad4a51141e298a40629e9599375
SHA512 8d56a766a3aa66811a5e62e638f440c9527b328bd787ef880fd7139aa54694f557094e025a9ea637d6a27e6d451f08ea6361ad4a54a2985a102d1e1c964b59e9

memory/348-358-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2168-357-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2852-356-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Apdhjq32.exe

MD5 97a87adec63d5f86b4b2a8303ed6a931
SHA1 16f6fc6b8a91e150311fc36f12037db4ad2d6d52
SHA256 bf9e7835bf75a02e4e65756e3c80b180b45e0fbaf75bf8e9811ebc2a4d44fb67
SHA512 9d22a590603b8dbde7ee3840a7b6cc1b58ecfe800f7c6c31e2ce7ad67473e5ffaf9fac6f63dd8630acbc3005b63d1746cac9e3fcf8e46a95c7410f3a7c98669d

C:\Windows\SysWOW64\Aeqabgoj.exe

MD5 58c31ae47eb8fe1cf69f93c75d285ab9
SHA1 80e57782c74d7b25fc3e686a6c0a4d847ab9fe6f
SHA256 1129beb9d86ccf8e15572bd5b771d95591c4c7f563e2fc6c5ae5ddd874bb7e95
SHA512 db3afadd1aed4d013e3435c09db4e12f65908ad74907a5c90db6386df80812a26997167a9aa3d3aab827513127cdc3968450e7821faf92911f2723452ff135da

memory/348-369-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2440-370-0x0000000000250000-0x0000000000284000-memory.dmp

memory/348-368-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2440-364-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bmhideol.exe

MD5 3c53a72b3453724d4994a5357f4d6fc1
SHA1 7c392ec76b805d9341015dc4b9e0ba1b720489c1
SHA256 b6a0f7169969ae4680c1640e5c543ca1192900be25807f9ef51090b629ff8f4d
SHA512 29318d2f333612ab5e15c675b521d84ade1886515c1a2ce1c4c8aa65679a5b50ce29b61191fc6ce52851b9f701c74a7840dc6be2faca66dcc4857573a8c58436

memory/656-379-0x0000000000400000-0x0000000000434000-memory.dmp

memory/656-384-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2564-380-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2028-391-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2564-390-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Bpfeppop.exe

MD5 387883219586ca678b38cd924056d697
SHA1 128c5dfd0f9c4823ab89fc2de3c1f995e54c7ada
SHA256 288a58e0be4cd14e09e6237b9744d946796d5a9504be10930ef1c6d3b5827c9c
SHA512 0431b5901b91b440288f2e147da0fe3d9d79e807c92015139120a3c99563e724bc7dd1673785859e4110006ec6569802ec5e13d2d7608dfac0bab61f20af899e

C:\Windows\SysWOW64\Bfpnmj32.exe

MD5 ec314677c7198d96bb4094fdd6e10b58
SHA1 24d4f2a8b4534d5db7fc0cc35c6fd38646d2fcac
SHA256 2aef1e112762180df9556cc16bffe402ac7bcdafa61cb13f747c056d71379bb2
SHA512 5a71eead55377510e576c14e602365b5ca9963a9108ac97612562936eb6b71efb176ccf24945063db466b1b3588770f677427f2cd84f553c0449d09f10084ed2

memory/2028-400-0x0000000000260000-0x0000000000294000-memory.dmp

memory/1740-403-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2676-402-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2028-401-0x0000000000260000-0x0000000000294000-memory.dmp

memory/532-412-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Biojif32.exe

MD5 a47dc2a3f5bd1d38b4a6b3675c0deb01
SHA1 09f2843b5532fe44fe5d28f9348e54e7067eb82c
SHA256 2ecde1bfbe167b90559f363794c5776ee981a83dd24c8ec7e5863d3b4381aebb
SHA512 69debcde25bae37d7788981c78b73b52d30480aeba730793b0d97a2881454e56e4adfe2fc645e74cf6ab58fbbb7f9f9da418e393f8a4248417d6236cbb49da66

memory/836-417-0x0000000000400000-0x0000000000434000-memory.dmp

memory/836-419-0x0000000001F30000-0x0000000001F64000-memory.dmp

memory/2292-428-0x0000000000400000-0x0000000000434000-memory.dmp

memory/576-423-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bnkbam32.exe

MD5 fbe1330a5863cf79b5d09872245ad0e6
SHA1 2ed7c7b56b1101e4c360649f119fb30fbd37f6ed
SHA256 5ceb9d65aedd0703d75b7020ac57955827efd808e090213454863a581555e45a
SHA512 90f0dd12f40e3f81e93213e964b0361ec1dab003ce1ce4e03027d1a22077718d6d8598a5453fb298461dde3497f87452c468cdc0c417e48999f4b3bddb6da5d8

C:\Windows\SysWOW64\Bajomhbl.exe

MD5 670fe2510ea88b96a21f2ee8b48e7667
SHA1 6fa69e6aaaadd6c97e7611675f8aa3b351c666d5
SHA256 0fbb4d1ca676ac130f2fbb225442f0384592fbaedab9153a9388bd078a87abf0
SHA512 dd0326fd87f8574755fe721b9b5be514010a9739e6be177b4732d3dd23e8cc8b6c26a99a2e81e42a26d1137ed22ac4adf25a7b954c06ed4e53d4499bd504c86e

memory/3012-438-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2204-433-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1260-446-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2384-445-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3012-444-0x0000000000260000-0x0000000000294000-memory.dmp

memory/3012-443-0x0000000000260000-0x0000000000294000-memory.dmp

C:\Windows\SysWOW64\Biafnecn.exe

MD5 0281db64b7337a7550d1cded38a4d6ec
SHA1 792acbc0806c96d6beed7077a6814171335cc719
SHA256 da4c8a8a7b17ab347ee313f4420b0b99eb41b61c4458604224ed2cddb0c0ec02
SHA512 f79236e98adc6dd9a3c34d556d1e43cd2dc5dca744346d6cf1b6cab1f3617d97e695162aa6449b6d38d488b3bea7fe7200ee828c59194772727159e21fd2901c

memory/2136-452-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bonoflae.exe

MD5 a3bf02811b2300b7319b288b3746476b
SHA1 cc13712812b29513429b82864c55089dd062999c
SHA256 ccd897a40c3d91dedb7c50b59bc8a41026c38c5dce40f9e204618b3c724daf5d
SHA512 feb46073ad7be112b96cbe9b2ed6ee95f500d36daf5ca307899cfd0b03c25f56932e7203029cef3963f8e7efd51c37884feb05753d5a93eebaa686dbbb0758bc

memory/2948-457-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1260-456-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Bbikgk32.exe

MD5 d4b49483bce6395967d9b8c36e1c038b
SHA1 e6f55faff4d6e1f9ad7c2f41b91c5e531a7b7e24
SHA256 eebe801578f9a775b256e9654ded73be15aeaafa83303adc812f475bfd8eec06
SHA512 25c65dc1a558efa42000ca30ebe71e6dfd5c2782814b9f08c559f041f33cb176953ce5d9a4b0aa26ab606a64e790f1b09b648fe59c7de1e7c37c74c96a94a37e

memory/2312-470-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2980-472-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2312-474-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Behgcf32.exe

MD5 0c84a3e85cc211f3e8ff323dfe7b420d
SHA1 bead3219e037705267d59988466f455428cde098
SHA256 ff8b2bc4311f977323e3fe7f46a19fb7b9cab6369f67887fea7e5955ec0ac83b
SHA512 9780660473a0346423e422b17d11e09eaa17869242e0a984edad9a03ba33cb4d173c48f4ef5123c1a7d15fac57006f867080a348928595fee126ba91321736b0

memory/1780-478-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2980-477-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1316-483-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjdplm32.exe

MD5 f71e7bc9fdf282138342bd70bf1171be
SHA1 6bd84523ed90a91559c9a0a83b4cc54fa8d5d9dc
SHA256 29bfb3f9a336f53d657b61630946833e5e5f607009e0d03be7fb4564003ea212
SHA512 82e16b7ba4ca01195018259ac4a8ffc0d26c6134d3b3752918caed851490e0405abc4ba2c4f3cec3c59c20883d6bd7fa44b287bc04b5645d277459641b6e38cb

memory/2580-489-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1636-490-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1780-488-0x0000000000300000-0x0000000000334000-memory.dmp

C:\Windows\SysWOW64\Bmclhi32.exe

MD5 f7309577dfae0a0d6aa1a270ac72f13d
SHA1 9a2ce9af663e805cde5923a9c1a011721e356319
SHA256 2f33e26a080b70ecca43021404f7be446f09ca10403f236c6045289841c0a96e
SHA512 e4a68dd4c120d7ec7e1f4400256eda06d5a3fefde4cba5cc9773c8f51872fb3ce0a174560bb6abd08b67406e8b29de00383bd7c2862ea2ea1b0bb8ef7e6b06af

memory/2572-503-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2220-509-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bdmddc32.exe

MD5 c362edfa414b03ee70a9a8aebb02874a
SHA1 b0e6ffa0c9277c9c3a7179fffa765a70757637e1
SHA256 572ff919daa87dd7fef94d9d84390231421907bf428b9bebebf94f55e11b855b
SHA512 923af1a445581b6011c671ae2f5ed7e6118867045732c92617ab60d0e3641c070b874800d2a7eef59e45be69f2410674527778b99693dd3549a9a86fcf50f9d6

memory/2952-505-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bkglameg.exe

MD5 b0b4a8f60f02ae0c43ad6da721b0ac9e
SHA1 d9f25420aaf4c906616079c8c282390df34c9877
SHA256 4a1792bd6dc792818dfa7677ac541f4e2e13f84e99a647586f005b9ad542ba25
SHA512 9a0833433db2945b4e03069c7c7090700f1784b7ec62eab90a939aa70fd4fdc43c82b80b052d793c9484bae5cd6c014aabc105a23e658fe489ed260a527a38ff

memory/1556-519-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2072-515-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bmeimhdj.exe

MD5 76ecf0023438debe1c0e720a72d60760
SHA1 2a8f8e7981789e7567f2aa1e9deea6c45dff138a
SHA256 1693f13667177286932d79122605a207bbecd3a9127467421910a59a0a5a1630
SHA512 33c0ba1b46310d856ade9ca40da3102b5157ec671385f770951a110c74492bf63e0154e4adefccde8c72946ef337d5e73198550c1322487d938797196711ea4e

C:\Windows\SysWOW64\Cdoajb32.exe

MD5 ff9fe3b8e7922798dc657491e6db6198
SHA1 22434c367311db98e03ea785e6a34dcdb05aec9c
SHA256 979dbe40ad5f3b7a5e3576557707a1ab1c579d222a9be34a99090aebf560c5b1
SHA512 226a1ab4a93cbe86cd9d0ccd9691b43930184a062bfaec0310e9457d773c96e87d3c8c227f60397827dcc38d49846e804e8f83ca33164beac577ecb5e378b8de

C:\Windows\SysWOW64\Chkmkacq.exe

MD5 13991419fcdf9f817cf51ebb5547195a
SHA1 72225bf79c4ec03fd3193777277718010a5b1339
SHA256 525c6fb5f5d68f1af3a0022b10f0608799ff12a7f1c8c96e84f156e9a20e75db
SHA512 f318b9d20b5b05a02dc52dfd9e3f977549483d1c09abf763ddc6fa4cca16be20651a8c23496afadee6705dbf48b5d6fe793d385734ee4d331aa435d0673c7e62

C:\Windows\SysWOW64\Ckiigmcd.exe

MD5 7d13334f30debba6259d412b30f10308
SHA1 2fd451ea876f9b473c059e94ba77a05765bfd5ba
SHA256 f512b3ef1ee2690360406cfbc01f79eead786713e0281e0fa1c2c7a04795bdd2
SHA512 db90af7b6d7ace6038a99f57d1b8721f92308018568e03e0c292127273c965dc681d83daf316aa816444a9bbe659bd4cf2ae4c3195c8a40795cf5f61f7369a0b

C:\Windows\SysWOW64\Cmgechbh.exe

MD5 179873b867d9499a24ec2c74196b3b05
SHA1 86700d48aba5b14e124a8d882b88ef9c57bc4b95
SHA256 caa580df8d2ac96a3938a565beef27aba09f87b47749898882f2ab2972336ef3
SHA512 c9c05638c045410d6417fd92de71bf490b0ae8980763f7f7f2c25133d522d341b8b0e9d3476f31187fc7e7f6410e0b2aae6b318285e0c4818cc60f22ef474c87

C:\Windows\SysWOW64\Cacacg32.exe

MD5 e9b005f3d56b86e8f0ce9673c5524080
SHA1 d60a59147b99a921d15d8ad65cd82fb891e8d2ef
SHA256 a7f4a7206fe768785470d9e71165f8ed371c9f0cff964b1a7c56c4994f480f9c
SHA512 e609a266a9f71d38da101064fcfcb9cf37ac6969462d103c214023766532f3790f5fbc07ad08d8001ffc6f817f92cca2fc042f7066e3be79723f86b0b260ee78

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 16:06

Reported

2024-09-16 16:08

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpoefk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Migjoaaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlhbal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocbddc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfgmjqop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcbmka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amddjegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcmabg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmidog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdmnlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njqmepik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfaigm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlhbal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olmeci32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olkhmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olkhmi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bclhhnca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlopkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nngokoej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddjejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lmiciaaj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pflplnlg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Belebq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmfhig32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agglboim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mchhggno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Menjdbgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aclpap32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nngokoej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjcbbmif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojjolnaq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aabmqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mckemg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmpijp32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Lgokmgjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmiciaaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lllcen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbfkbhpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Medgncoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlopkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mchhggno.exe N/A
N/A N/A C:\Windows\SysWOW64\Megdccmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmnldp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mckemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Meiaib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmpijp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpoefk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcmabg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Migjoaaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmnlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Menjdbgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhbal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npcoakfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngmgne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nilcjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nngokoej.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncdgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nebdoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlmllkja.exe N/A
N/A N/A C:\Windows\SysWOW64\Nphhmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngbpidjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Njqmepik.exe N/A
N/A N/A C:\Windows\SysWOW64\Nloiakho.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfgmjqop.exe N/A
N/A N/A C:\Windows\SysWOW64\Njefqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogifjcdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Opakbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocpgod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojjolnaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Olhlhjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocbddc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofqpqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olkhmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocdqjceo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcmfodb.exe N/A
N/A N/A C:\Windows\SysWOW64\Olmeci32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocgmpccl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojaelm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmoahijl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcijeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjcbbmif.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqmjog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pggbkagp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnakhkol.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcncpbmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pflplnlg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmfhig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfolbmje.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmidog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcbmka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfaigm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmkadgpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdbiedpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qfcfml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Qddfkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgcbgo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dmjapi32.dll C:\Windows\SysWOW64\Bgcknmop.exe N/A
File created C:\Windows\SysWOW64\Jijjfldq.dll C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File created C:\Windows\SysWOW64\Bfhhoi32.exe C:\Windows\SysWOW64\Beglgani.exe N/A
File opened for modification C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mckemg32.exe N/A
File created C:\Windows\SysWOW64\Nloiakho.exe C:\Windows\SysWOW64\Njqmepik.exe N/A
File opened for modification C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Afhohlbj.exe N/A
File created C:\Windows\SysWOW64\Belebq32.exe C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File created C:\Windows\SysWOW64\Gdkkfn32.dll C:\Windows\SysWOW64\Lgokmgjm.exe N/A
File created C:\Windows\SysWOW64\Ijfjal32.dll C:\Windows\SysWOW64\Medgncoe.exe N/A
File created C:\Windows\SysWOW64\Pcncpbmd.exe C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
File created C:\Windows\SysWOW64\Pqmjog32.exe C:\Windows\SysWOW64\Pjcbbmif.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Amddjegd.exe N/A
File created C:\Windows\SysWOW64\Phiifkjp.dll C:\Windows\SysWOW64\Bmkjkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcmabg32.exe C:\Windows\SysWOW64\Mpoefk32.exe N/A
File created C:\Windows\SysWOW64\Kmfiloih.dll C:\Windows\SysWOW64\Ajkaii32.exe N/A
File created C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File created C:\Windows\SysWOW64\Ghilmi32.dll C:\Windows\SysWOW64\Ceckcp32.exe N/A
File created C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Megdccmb.exe N/A
File created C:\Windows\SysWOW64\Olkhmi32.exe C:\Windows\SysWOW64\Ofqpqo32.exe N/A
File created C:\Windows\SysWOW64\Qmkadgpo.exe C:\Windows\SysWOW64\Pfaigm32.exe N/A
File created C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mbfkbhpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjcbbmif.exe C:\Windows\SysWOW64\Pcijeb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Qmkadgpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgcbgo32.exe C:\Windows\SysWOW64\Qddfkd32.exe N/A
File created C:\Windows\SysWOW64\Nedmmlba.dll C:\Windows\SysWOW64\Caebma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncdgcf32.exe C:\Windows\SysWOW64\Nngokoej.exe N/A
File created C:\Windows\SysWOW64\Ckmllpik.dll C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmcibama.exe C:\Windows\SysWOW64\Djdmffnn.exe N/A
File created C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\SysWOW64\Dmjocp32.exe N/A
File created C:\Windows\SysWOW64\Hleecc32.dll C:\Windows\SysWOW64\Mchhggno.exe N/A
File created C:\Windows\SysWOW64\Gcdmai32.dll C:\Windows\SysWOW64\Ocdqjceo.exe N/A
File opened for modification C:\Windows\SysWOW64\Olmeci32.exe C:\Windows\SysWOW64\Ofcmfodb.exe N/A
File created C:\Windows\SysWOW64\Pqpgdfnp.exe C:\Windows\SysWOW64\Pnakhkol.exe N/A
File created C:\Windows\SysWOW64\Gallfmbn.dll C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Nkenegog.dll C:\Windows\SysWOW64\Nilcjp32.exe N/A
File created C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Jjlogcip.dll C:\Windows\SysWOW64\Banllbdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Qmmnjfnl.exe C:\Windows\SysWOW64\Qfcfml32.exe N/A
File opened for modification C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Belebq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmlcbbcj.exe C:\Windows\SysWOW64\Cnicfe32.exe N/A
File created C:\Windows\SysWOW64\Omocan32.dll C:\Windows\SysWOW64\Cfpnph32.exe N/A
File created C:\Windows\SysWOW64\Amfoeb32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Mlhbal32.exe N/A
File created C:\Windows\SysWOW64\Nebdoa32.exe C:\Windows\SysWOW64\Ncdgcf32.exe N/A
File created C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Meiaib32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nphhmj32.exe C:\Windows\SysWOW64\Nlmllkja.exe N/A
File created C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Qdbiedpa.exe N/A
File created C:\Windows\SysWOW64\Kgngca32.dll C:\Windows\SysWOW64\Qfcfml32.exe N/A
File created C:\Windows\SysWOW64\Bobiobnp.dll C:\Windows\SysWOW64\Dkkcge32.exe N/A
File created C:\Windows\SysWOW64\Ncdgcf32.exe C:\Windows\SysWOW64\Nngokoej.exe N/A
File created C:\Windows\SysWOW64\Ingbah32.dll C:\Windows\SysWOW64\Lmiciaaj.exe N/A
File created C:\Windows\SysWOW64\Ifndpaoq.dll C:\Windows\SysWOW64\Njqmepik.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcijeb32.exe C:\Windows\SysWOW64\Pmoahijl.exe N/A
File created C:\Windows\SysWOW64\Ngbpidjh.exe C:\Windows\SysWOW64\Nphhmj32.exe N/A
File created C:\Windows\SysWOW64\Gdeahgnm.dll C:\Windows\SysWOW64\Amddjegd.exe N/A
File created C:\Windows\SysWOW64\Coffpf32.dll C:\Windows\SysWOW64\Nphhmj32.exe N/A
File created C:\Windows\SysWOW64\Olfdahne.dll C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfgmjqop.exe C:\Windows\SysWOW64\Nloiakho.exe N/A
File created C:\Windows\SysWOW64\Ocpgod32.exe C:\Windows\SysWOW64\Opakbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njefqo32.exe C:\Windows\SysWOW64\Nfgmjqop.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
This signature fires on a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Many benign programs touch that key during locale initialisation, so the read is a weak indicator on its own; it is worth noting here only because the original sample and every one of its dropped descendants perform it.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nphhmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olkhmi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcijeb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mchhggno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmpijp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njqmepik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocbddc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbfkbhpa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfaigm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajanck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nloiakho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pflplnlg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgokmgjm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofqpqo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agglboim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpoefk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qddfkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baicac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Banllbdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caebma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofcmfodb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcmabg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlopkm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pggbkagp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amddjegd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afmhck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmnldp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npcoakfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmidog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ampkof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acjclpcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Belebq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mckemg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Migjoaaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdmnlj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aabmqd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A

Modifies registry class

Every write below targets the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}: each dropped generation re-creates its InProcServer32 key, sets ThreadingModel to "Apartment" and points the (Default) value at a different freshly dropped DLL under C:\Windows\SysWow64 (Jlingkpe.dll, Hiclgb32.dll, Jilkmnni.dll and so on). The CLSID, not any single DLL name, is therefore the stable indicator to hunt for.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aabmqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll" C:\Windows\SysWOW64\Nebdoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll" C:\Windows\SysWOW64\Ofqpqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" C:\Windows\SysWOW64\Ofcmfodb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddjejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfaigm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" C:\Windows\SysWOW64\Deokon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngmgne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Olmeci32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojaelm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll" C:\Windows\SysWOW64\Lllcen32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npcoakfp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll" C:\Windows\SysWOW64\Meiaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll" C:\Windows\SysWOW64\Njefqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgcknmop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mchhggno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlmllkja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll" C:\Windows\SysWOW64\Mlhbal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" C:\Windows\SysWOW64\Ojaelm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lllcen32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnakhkol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll" C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll" C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmiciaaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll" C:\Windows\SysWOW64\Pcbmka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" C:\Windows\SysWOW64\Beglgani.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chcddk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nphhmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll" C:\Windows\SysWOW64\Pqmjog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmfhig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkkcge32.exe N/A
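The rows above are easier to reason about once they are grouped by CLSID. The script below is an added example, not the sandbox's own parser: it reads rows in the flattened "Description Indicator Process Target" layout used on this page, collects every (Default) value written to an InProcServer32 key, and flags any CLSID whose in-process server is re-pointed to more than one DLL in a system directory. The sample rows are copied from the table above; the final row with the all-zero CLSID is a constructed control entry, and the min_rewrites threshold is a choice made for this example.

```python
"""Triage of 'Modifies registry class' rows from the sandbox report.

Added example, not the sandbox's own code.  Rows are copied from the
report except the last one, which is a constructed control entry.
"""
import re
from collections import defaultdict

# One flattened table row: <op> <key>[ = "<data>"] <process> <target>
ROW = re.compile(
    r'^(?P<op>Set value \(str\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)\s+(?P<target>\S+)$'
)
CLSID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# Directories a 32-bit COM server is loaded from under WOW64; the report's
# "File created" rows show the dropped DLLs landing in the first of them.
SYSTEM_DIRS = ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\')

SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aabmqd32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Banllbdn.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll" C:\Windows\SysWOW64\Nebdoa32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll" C:\Windows\SysWOW64\Ofqpqo32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" C:\Windows\SysWOW64\Ofcmfodb.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" C:\Windows\SysWOW64\Deokon32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll" C:\Windows\SysWOW64\Lllcen32.exe N/A',
    # Constructed control row: a class registered once is not a finding.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Windows\\SysWow64\\example.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
]


def parse_row(line):
    """Return a dict for one signature row, or None if the line is not a row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row['data'] is not None:
        # The report doubles backslashes inside quoted string data.
        row['data'] = row['data'].replace('\\\\', '\\')
    key = row['key']
    if row['op'] == 'Key created':
        row['subkey'], row['value_name'] = key, None
    elif key.endswith('\\'):
        # "...\InProcServer32\ = ..." is a write to the key's (Default) value.
        row['subkey'], row['value_name'] = key.rstrip('\\'), ''
    else:
        row['subkey'], row['value_name'] = key.rsplit('\\', 1)
    c = CLSID.search(key)
    row['clsid'] = c.group(0).upper() if c else None
    return row


def inproc_servers(lines):
    """Map CLSID -> [(dll_path, writing_process)] for every (Default) value
    written to that CLSID's InProcServer32 key."""
    servers = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        if not row or row['op'] != 'Set value (str)' or not row['clsid']:
            continue
        if row['subkey'].endswith('\\InProcServer32') and row['value_name'] == '':
            servers[row['clsid']].append((row['data'], row['proc']))
    return servers


def flag_rewritten_clsids(lines, min_rewrites=2):
    """A legitimate COM class is registered once.  A CLSID whose server path
    is rewritten by several processes, each to a different DLL in a system
    directory, is the hijack pattern visible in the rows above."""
    findings = []
    for clsid, writes in inproc_servers(lines).items():
        dlls = sorted({dll for dll, _ in writes})
        writers = sorted({proc for _, proc in writes})
        in_sysdir = [d for d in dlls if d.lower().startswith(SYSTEM_DIRS)]
        if len(dlls) >= min_rewrites and in_sysdir:
            findings.append({'clsid': clsid, 'dlls': dlls, 'writers': writers})
    return findings


if __name__ == '__main__':
    for f in flag_rewritten_clsids(SAMPLE_ROWS):
        print(f['clsid'], 'server rewritten', len(f['dlls']), 'times by', len(f['writers']), 'processes')
        for dll in f['dlls']:
            print('   ', dll)
```

On a live host the same check is a walk of HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\*\InProcServer32 looking for (Default) values that point at unsigned DLLs in SysWOW64; the script only shows the logic against the report's own rows.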

Suspicious use of WriteProcessMemory

Each parent/child pair appears three times because the sandbox logs one row per write into the newly created process. Read together, the rows form a single linear chain in which every dropped executable launches exactly one successor (4072 to 2100 to 4764 to 3992 and so on); the table as captured ends at PID 4484.

Description Indicator Process Target
PID 4072 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Lgokmgjm.exe
PID 4072 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Lgokmgjm.exe
PID 4072 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Lgokmgjm.exe
PID 2100 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Lgokmgjm.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 2100 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Lgokmgjm.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 2100 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Lgokmgjm.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 4764 wrote to memory of 3992 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 4764 wrote to memory of 3992 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 4764 wrote to memory of 3992 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 3992 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Mbfkbhpa.exe
PID 3992 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Mbfkbhpa.exe
PID 3992 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Mbfkbhpa.exe
PID 2900 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Mbfkbhpa.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2900 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Mbfkbhpa.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2900 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Mbfkbhpa.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2268 wrote to memory of 3496 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 2268 wrote to memory of 3496 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 2268 wrote to memory of 3496 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 3496 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mchhggno.exe
PID 3496 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mchhggno.exe
PID 3496 wrote to memory of 1376 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mchhggno.exe
PID 1376 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Mchhggno.exe C:\Windows\SysWOW64\Megdccmb.exe
PID 1376 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Mchhggno.exe C:\Windows\SysWOW64\Megdccmb.exe
PID 1376 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Mchhggno.exe C:\Windows\SysWOW64\Megdccmb.exe
PID 3756 wrote to memory of 3660 N/A C:\Windows\SysWOW64\Megdccmb.exe C:\Windows\SysWOW64\Mmnldp32.exe
PID 3756 wrote to memory of 3660 N/A C:\Windows\SysWOW64\Megdccmb.exe C:\Windows\SysWOW64\Mmnldp32.exe
PID 3756 wrote to memory of 3660 N/A C:\Windows\SysWOW64\Megdccmb.exe C:\Windows\SysWOW64\Mmnldp32.exe
PID 3660 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 3660 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 3660 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 4760 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 4760 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 4760 wrote to memory of 4772 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 4772 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mmpijp32.exe
PID 4772 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mmpijp32.exe
PID 4772 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mmpijp32.exe
PID 3416 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Mpoefk32.exe
PID 3416 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Mpoefk32.exe
PID 3416 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Mpoefk32.exe
PID 2848 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Mpoefk32.exe C:\Windows\SysWOW64\Mcmabg32.exe
PID 2848 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Mpoefk32.exe C:\Windows\SysWOW64\Mcmabg32.exe
PID 2848 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Mpoefk32.exe C:\Windows\SysWOW64\Mcmabg32.exe
PID 1652 wrote to memory of 512 N/A C:\Windows\SysWOW64\Mcmabg32.exe C:\Windows\SysWOW64\Migjoaaf.exe
PID 1652 wrote to memory of 512 N/A C:\Windows\SysWOW64\Mcmabg32.exe C:\Windows\SysWOW64\Migjoaaf.exe
PID 1652 wrote to memory of 512 N/A C:\Windows\SysWOW64\Mcmabg32.exe C:\Windows\SysWOW64\Migjoaaf.exe
PID 512 wrote to memory of 3200 N/A C:\Windows\SysWOW64\Migjoaaf.exe C:\Windows\SysWOW64\Mdmnlj32.exe
PID 512 wrote to memory of 3200 N/A C:\Windows\SysWOW64\Migjoaaf.exe C:\Windows\SysWOW64\Mdmnlj32.exe
PID 512 wrote to memory of 3200 N/A C:\Windows\SysWOW64\Migjoaaf.exe C:\Windows\SysWOW64\Mdmnlj32.exe
PID 3200 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Mdmnlj32.exe C:\Windows\SysWOW64\Menjdbgj.exe
PID 3200 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Mdmnlj32.exe C:\Windows\SysWOW64\Menjdbgj.exe
PID 3200 wrote to memory of 3848 N/A C:\Windows\SysWOW64\Mdmnlj32.exe C:\Windows\SysWOW64\Menjdbgj.exe
PID 3848 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mlhbal32.exe
PID 3848 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mlhbal32.exe
PID 3848 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mlhbal32.exe
PID 4432 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Mlhbal32.exe C:\Windows\SysWOW64\Npcoakfp.exe
PID 4432 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Mlhbal32.exe C:\Windows\SysWOW64\Npcoakfp.exe
PID 4432 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Mlhbal32.exe C:\Windows\SysWOW64\Npcoakfp.exe
PID 2388 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Ngmgne32.exe
PID 2388 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Ngmgne32.exe
PID 2388 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Ngmgne32.exe
PID 2764 wrote to memory of 1644 N/A C:\Windows\SysWOW64\Ngmgne32.exe C:\Windows\SysWOW64\Nilcjp32.exe
PID 2764 wrote to memory of 1644 N/A C:\Windows\SysWOW64\Ngmgne32.exe C:\Windows\SysWOW64\Nilcjp32.exe
PID 2764 wrote to memory of 1644 N/A C:\Windows\SysWOW64\Ngmgne32.exe C:\Windows\SysWOW64\Nilcjp32.exe
PID 1644 wrote to memory of 4484 N/A C:\Windows\SysWOW64\Nilcjp32.exe C:\Windows\SysWOW64\Nngokoej.exe
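Collapsing the repeated rows and following the parent/child PIDs recovers the spawn chain directly. The script below is an added example, not the sandbox's own code: it parses rows in the "PID A wrote to memory of B" form used above, merges repeated rows into one edge with a write count, and walks the chain from the root PID. The rows embedded in it are the first four links copied from the table; the 8-character SysWOW64 image-name pattern it checks for is an observation from this run, not a family-wide signature.

```python
"""Reconstruct the process spawn chain from 'Suspicious use of
WriteProcessMemory' rows.  Added example, not the sandbox's own code.
The sample rows are the first four links copied from the report."""
import re
from collections import defaultdict

WPM = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+'
    r'(?P<indicator>\S+)\s+(?P<src_image>\S+)\s+(?P<dst_image>\S+)$'
)
# Naming seen in this run: 8-character image names dropped in SysWOW64.
# This is an observation from the report, not a family-wide signature.
RANDOM_SYSDIR = re.compile(r'^C:\\Windows\\SysWOW64\\[A-Za-z][A-Za-z0-9]{7}\.exe$')

# The report lists each link three times (one row per write into the child).
SAMPLE_ROWS = (
    [r'PID 4072 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Lgokmgjm.exe'] * 3
    + [r'PID 2100 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Lgokmgjm.exe C:\Windows\SysWOW64\Lmiciaaj.exe'] * 3
    + [r'PID 4764 wrote to memory of 3992 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lllcen32.exe'] * 3
    + [r'PID 3992 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Mbfkbhpa.exe'] * 3
)


def parse_wpm(line):
    """Return the row's fields as a dict, or None for non-row lines."""
    m = WPM.match(line.strip())
    return m.groupdict() if m else None


def build_edges(lines):
    """Merge repeated rows into one (parent_pid, child_pid) edge per pair,
    keeping the number of writes so unusual counts still stand out."""
    edges = {}
    for line in lines:
        r = parse_wpm(line)
        if r is None:
            continue
        key = (int(r['src']), int(r['dst']))
        e = edges.setdefault(key, {'src_image': r['src_image'],
                                   'dst_image': r['dst_image'], 'writes': 0})
        e['writes'] += 1
    return edges


def spawn_chain(edges, root_pid):
    """Follow parent->child edges from root_pid; returns [(pid, image), ...].
    Stops at a PID with no child, more than one child (a fork) or a cycle."""
    children = defaultdict(list)
    images = {}
    for (src, dst), e in edges.items():
        children[src].append(dst)
        images.setdefault(src, e['src_image'])
        images[dst] = e['dst_image']
    chain = [(root_pid, images.get(root_pid))]
    seen = {root_pid}
    pid = root_pid
    while len(children[pid]) == 1 and children[pid][0] not in seen:
        pid = children[pid][0]
        seen.add(pid)
        chain.append((pid, images[pid]))
    return chain


def chain_summary(lines, root_pid):
    """Depth of the chain, the images in order, the distinct write counts
    per link and which children match the dropped-executable naming."""
    edges = build_edges(lines)
    chain = spawn_chain(edges, root_pid)
    return {
        'generations': len(chain) - 1,
        'images': [img for _, img in chain],
        'writes_per_link': sorted({e['writes'] for e in edges.values()}),
        'dropped_children': [img for _, img in chain[1:] if RANDOM_SYSDIR.match(img)],
    }


if __name__ == '__main__':
    s = chain_summary(SAMPLE_ROWS, 4072)
    print(s['generations'], 'generations, writes per link:', s['writes_per_link'])
    for img in s['images']:
        print('   ', img)
```

The same walk over the full table gives the complete chain; a write count other than the usual three on a link, or a PID with more than one child, is where to look for something other than plain process creation.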

Processes

Each entry gives the image path followed by the command line used to start it. The parents launch their children as C:\Windows\system32\<name>.exe; because they are 32-bit processes, the WOW64 file-system redirector resolves that path to C:\Windows\SysWOW64, which is where the files were dropped and where the reported image path points. When hunting in endpoint telemetry, match on the SysWOW64 image path rather than on the system32 string in the command line.

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Lllcen32.exe

C:\Windows\system32\Lllcen32.exe

C:\Windows\SysWOW64\Mbfkbhpa.exe

C:\Windows\system32\Mbfkbhpa.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Megdccmb.exe

C:\Windows\system32\Megdccmb.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Migjoaaf.exe

C:\Windows\system32\Migjoaaf.exe

C:\Windows\SysWOW64\Mdmnlj32.exe

C:\Windows\system32\Mdmnlj32.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Npcoakfp.exe

C:\Windows\system32\Npcoakfp.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ocpgod32.exe

C:\Windows\system32\Ocpgod32.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pjcbbmif.exe

C:\Windows\system32\Pjcbbmif.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pnakhkol.exe

C:\Windows\system32\Pnakhkol.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pmidog32.exe

C:\Windows\system32\Pmidog32.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Pfaigm32.exe

C:\Windows\system32\Pfaigm32.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6008 -ip 6008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 216

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4072-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lgokmgjm.exe

MD5 5c3171eccce98201c78670f4626c8c7b
SHA1 dc2ea310f35c71d8c491da4e665d6135340f8e13
SHA256 191edd1334af784bf5821a52878b562b0a0253ada6f556df80e1c6f0a6d4feea
SHA512 9a663964a032c11c4cf7dad8b2339170c997e002c9c246845e5e384138f2bb97f3cc1dd7e6807f3d25de7182003c7683af26340f2d82ec35dc10db6e68a3ab81

memory/2100-8-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lmiciaaj.exe

MD5 e93a6a5ca52d98738b895fbd1a0731fd
SHA1 54693813f9a7da360ab99b11af2371c4fa5b4545
SHA256 5d6e14f498f0ffd3787d6dcfb1d3b497313aaba39df728e214fab26acf9ca145
SHA512 ff17ea15f02ed1f96f457e06da827ec2438be4f7f4423439d443e02b7642cf579e4de45870a05ee28336facfa0fa62051a6ff683c0a9f09f4fd7bbc75690012e

memory/4764-16-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lllcen32.exe

MD5 988168685c367f7069b48cf81ff71a7c
SHA1 ac8151b708047280ed43fe8d88bb20547c128d7e
SHA256 49626b9a47f6895b03a658bb496efa2273f464e46f6bed8926ab20c24449af5a
SHA512 2aab886784193b6f96407fd196bbbd2ede8ba7e6d1822d6bc9e804322b71e565537e46548e1bd414c04730bfdf3c3608e6bc6fbe31ddd828ef7ae1786fc76e0c

memory/3992-23-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mbfkbhpa.exe

MD5 95acd99c8e649d835a04592407e81a85
SHA1 efee074768774a1305e0a977d3a226027f342644
SHA256 d547b333a7c1f64286433d6b4e6068c3bdb3ab40829485829f78a2317f195963
SHA512 5fee801c89f01d357116b06052c1de710a7145403c48cb3da0c644e5160cc28ffc79f0f74cb43b8a7cc9a5627305fd188137c424b0a79d50817bdce6366b28d5

memory/2900-31-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Medgncoe.exe

MD5 9bbf2f05d50196fe421cf4ceec8e8b3d
SHA1 5ba0a648193a924edb75b7ce8676b74b8af91926
SHA256 21f5fafed700278445afb433e699e3934fb5333fd8efc68ecbe2a9338236b233
SHA512 d2f260b2c24cffef3409e2ae4c069c7c11ae4f18436a584b82e5aa2bbbfa25dc93409af6e056b20b8879d6a6a46ddea5f44dda0def68ee98e5c6aa951109c298

memory/2268-39-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mlopkm32.exe

MD5 bcecaaebcaab99f3f34d54253ffa7089
SHA1 1fdfbd889f9b7e9c60a10e9bffb8fb9c4d70c6f6
SHA256 33cf2787a27cc84042b686a75e5053749e500c6601f335e63755b73bef3c068e
SHA512 27e3f48b72e70162560eef28a88fc50dd3a68938224d017328294e9c87aa13b4dcc30e398cd31cdc8a62ab52ab96223acec8e25a7e66c588d6ba7752e8cd28ec

C:\Windows\SysWOW64\Mlopkm32.exe

MD5 6cd0cf6c21dba07c209ec1f60f076a0d
SHA1 03d698d91c38d3a34ab210795fb628d84a60c7c4
SHA256 1246e63f2926bf1ae9feb6c1fe9757071160eece745148af84017b7a535109fe
SHA512 6d8dd4e7f169110e3dc0cadf264019f54079774814346f2d405e0bef72586a10e7771c544df53ebd2766785700ddfe477597ac050e2db4c8a353d1661ef2fee5

memory/3496-47-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mchhggno.exe

MD5 e1249e43fbef0714ddf084f71fa7bd9e
SHA1 0dacb5783affdac7d0b53005b11d3dcdb0cb67fa
SHA256 7b6ad91312cd4fc01b910bfcaebdf95ab10bfc0da0b98f41026fe6736b58b713
SHA512 3a35812ece2c52d2b16a3e97b84c6153113ce91008c786bbaf74b09ba54a6a7cbf6563b755964d47d0f2b3eb91e25ccdccbe64ba029696f36e143abe8f9c6e30

memory/1376-55-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Megdccmb.exe

MD5 33c7fc73bdff3c1a1a8924b45f95eeaf
SHA1 63f4f3e6f1435c48feb742f6d1dd5adcf7624510
SHA256 4413bb8786c21aa0e100d608c6a0aad9e84eb77f3dc3e6cc5cc30f9e8deb154b
SHA512 5003013ba1754c3756cf7ed6b744c38e3494e8b8af9aa4f5cc709c83b3fee0bbcf8fbb0933628885f36b1da7509b5319c0f8ad6cc46a9c56bb863a6868e2a0e6

memory/3756-63-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mmnldp32.exe

MD5 64190a677a042b8a372c4bed3ee2a1ce
SHA1 f2774d3d990741fba01fbb53f5ffd5f5e6343284
SHA256 a7f6579f92131f15cec301951fccb6507a199baa3d3f7b36bd1fe959b4456473
SHA512 ab75b4402a71dd6f4ecd5c655258eb5b949c5e588e8158aac2bee1c104b2ca052d3e90408c9009117b5e30156e03a6db60a5266551c91abc4ddeb0333f741244

memory/3660-71-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mckemg32.exe

MD5 dff7b848ccf0a8c53e7ccdbd726d0b42
SHA1 e65c2b7ba49f21d21b69c3fe5e02755674f2f8df
SHA256 5f76088a48413185d27c2c3da92b7eefb044cf5baa939d9fb95bcbd6ef667cdc
SHA512 ca42f0d3f759970cd226e3ce5a3557e0d298ef5b3280fd5e72449dc32a5e0364021d4b1847c026cf89e6a30cf037bac576fce42f785678e909b4411468e5f18f

memory/4760-79-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Meiaib32.exe

MD5 d36d87e186c36a96e1c349777288d786
SHA1 3a9c74220a97e819fc0e5cc92ae3472ba2742f87
SHA256 7d786a7431601fa38b4d836f8f7d326354c29d75d02610afd434a1c039d5c37a
SHA512 2ce2cf2973718699c771747c48e6c638568a57c6be0fcbc8025d25e8dc2ebf59c2caf3b1af3953f146a8e896bce76036c8c1fba4452c6814202f5beb2536eab8

memory/4772-87-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mmpijp32.exe

MD5 56b672824452b586a118c53248095b96
SHA1 f2d9e535da5a9037e27f88b8a035dd81891600f0
SHA256 b63b99f342ba1c7bad8381ea68ca0140cc75d3fee387aabc3593419c7b09e3aa
SHA512 5645ed61d174248e576867f4c9af4bd1de4aa46f9223e55ea5e28ef8ad595232f4ab98cc5ed9120baedd9fbeb4d7f96bc6b98795c9de29f2ae502a22851baaae

memory/3416-95-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mpoefk32.exe

MD5 460df5b57ff1da1d1db91ad58a1b1e38
SHA1 864e1cead8f5c43a4d8a1add956437b0191b057f
SHA256 4ccea6506bf5c697b9e5e49589c85592b91a51e4080b68d09cf9811930d1d442
SHA512 bbe37fb25636dfc92c016cb4ab52e00745b04faa054c7040f75ecbdc982f156f3c66531fa47b1f4f7d65a2db1fb39331eff03b472722c01aaf3ac47da307b7f4

memory/2848-103-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mcmabg32.exe

MD5 05adf2c331bfdaecc55b8523cced378e
SHA1 7eecbc389b19d538139bea6b54ffa5910cbbc5f6
SHA256 e6668a5dbfedb454be11ba0c8e0f5cd6b68c813f5a537f8470ee277ab3b27a63
SHA512 1e2bd41e67cf6781c088e695cb4907c306129254ab640d12202732e336a29236359d088460a17719271fe1f15055ccaa4d423c82d377faffd5d0d2ff3031fd5a

memory/1652-111-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Migjoaaf.exe

MD5 9b885a3c09fa1949651341e6791ba6a1
SHA1 f5f50904df8be4829ae06d2345f568aefcdb7f1f
SHA256 2a8dc9b3aa0200648ce41c247393751945d8347ae763de0516eedfd4550551f6
SHA512 b2fbe0f02e5ee3405139427b9dacbbcfa7e62ea9e7dc46b5bf5ef4e553ed60539b9018520d0717b36fb8c90623fb457873d2628d3df26c53eec8f871c4fff02c

memory/512-120-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mdmnlj32.exe

MD5 afca76b09a656d3f26acd6f4da29b804
SHA1 c6b68d1b88a5535a51ba1d77dfa6ec1cabd2572c
SHA256 4d3217ff6e9ed5215e16cecc92df233705deee174a94a482ead22dd235e4f6dc
SHA512 7a89a6a2649ed18233f38261070b1c00fff1279cdcc3aefa90faa293f4b8d6bd5cae000ac8fa23f70f7d7585d5ec33989305ea6435ae6fe43d14d3756ccffa5b

memory/3200-128-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Menjdbgj.exe

MD5 a1c9ed13a612cd58f5c10153370ee988
SHA1 5e2c4b138fd59fc0407b1282bfaa23fa741e5b53
SHA256 8ccdbb1334a78be2fd3e308d66491edbb49fb02849cb250381fa630620f62a9d
SHA512 dd347d61ff738c314b7028a77cfa6105df25bcd663f852aacb2b86f95ab896a3674429725e970154040b8e8213a478222e180d453c856d8755527e832afbca27

memory/3848-135-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Npcoakfp.exe

MD5 5f273c799afcf6abe51340738b9ee49d
SHA1 034b5d30928296745c941b3bde2080895d22a57f
SHA256 24c8eed054fbc770e101bcaa60e47099d3df04f6ce099f98e1751678b450e4f2
SHA512 d5b64ae11240a745b469b8b4ceadc20e8aa825e0eb381260c160517e644015600488301a749bfa8c5b5c417788489b2f668ee02e6ffd19d152bb6deac4ad5e2f

memory/4432-144-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Npcoakfp.exe

MD5 abf60bc4e286d140501ca45870fc9583
SHA1 902050f6702316f0114ebe49bad68db9c4564502
SHA256 c1eaa8ab49fc62c9ec6f68385020362dcab7eb22c58aed1368a85643ba89c6a2
SHA512 02449ad0427fd6ee40b2a92dc4748775e1efbeba26755604246e4407422f012e244f25352949a975b9467ec2c925b9715d09481a686c11f6c6310d5211e87064

memory/2388-151-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ngmgne32.exe

MD5 e49d7fde67450e0bd64ebc69e489a8e6
SHA1 08e0082e250831a5733139a3d4341b4ae2ccdf69
SHA256 8753b327de8858c1ad2d4a169c557eaea09a0bebf7f194291ea73d233045611a
SHA512 d46bf41d82eadcdefd69046d69db4d7ddadc6b7895255a31aeb89682a1968e97ff59e98586c319e19506fa062ace949f0377af37efb3e5a559ec2974d9295c3f

memory/2764-159-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nilcjp32.exe

MD5 734154f24ccc78962d43fb9bf092fe81
SHA1 89d3b6fc59107e9d323c0f44baa219897b1f84e4
SHA256 839922ae7472e03c83bf9f1a87c78019cf367d1525e1375908f453256ccfd66b
SHA512 2bb8f66e4f497f6e33dc65cd3f6964fb667ffeba9801d249a57b1e9c2254de6653165be7df087a2f5ba8b7c8fa450889285847a484ca679e5519a363e4b1b249

memory/1644-168-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nngokoej.exe

MD5 48e3e9a6142d10035bfa2f70c20c4589
SHA1 4f31556a546d7f1e682972a9b2bfa472cfb7ca1b
SHA256 a24b0f016b3c822b6216fc6e10c180a1a794e5195356e71eeb33fecaf6fae25e
SHA512 582f7e94c97c0ebf495f5be073611eacc041f2a8e6576f5d366c64900f5a0a61ba35fb701e097943f5982a9279c9d6171646865ff4405397245c5c201dd6fc79

memory/4484-176-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ncdgcf32.exe

MD5 80f15e648e2e4383819cb903c6dc028b
SHA1 f2b1e8d951fd0403114f46d21a7ff3690118cd00
SHA256 cf4b7e53ba85d0132aadd3a08420141eb95af4a481956b9ecfb6595aa9dd912b
SHA512 af56bb70d4eb0a8be17145a5cf1228cb15c88d2323f8f96d6e5ff41e306d8a3452963f137d3ab25fc94127f442bb83191f2327e992ad8e6210063d5ae65ff200

memory/1948-184-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nebdoa32.exe

MD5 072d10850bda412153d214728914c687
SHA1 356f0aaf984fb656eb04d6eca93921724318dd67
SHA256 25aab746b29146c1603d8ef4eb473d56dddf0f07bbcd6d68de476fd3d2c7cbb3
SHA512 65ecc2bc8431f1d66444feee9da61f6a140e52a9b3115e4ef9946b7dcee833564f50fb7c3772aededb4819d1b897ed14a1d3c4776a53bc1111bbb1f4a3d9da53

C:\Windows\SysWOW64\Nlmllkja.exe

MD5 b8c906857c0f6b51fe0a860b5c497975
SHA1 44dcc694065975e59d5340df4b38ef51ad543f56
SHA256 1e32d37d5e08bda236c93eb67a4f08604a090e2bb06a287aa696e736405bb372
SHA512 500da844f84422049005d5caded41c7edd4d70eebcb6b0e69de7ab3cb7a66c1937ef7286ac99c928cf1a14f3c94910233095415839f256cd722ccc698ba15fea

memory/1388-196-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2312-204-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nphhmj32.exe

MD5 f6bb55fccbcfdde377a7205942affac9
SHA1 36fa7246411012977cd1b6dd19839511883f6fc3
SHA256 d628526393ad3d26d0a40b0f5643887b234a365586a23eef0127bd72efba8b5c
SHA512 ce59b5d817c5f9fa761963821d29f205ff2c5714aac8ab5a18ef01527da5a20e158a0d9676faae66c37c6c48e4a82f5aace448dd078d264b44ab1b92a2a7cc9d

memory/2856-207-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ngbpidjh.exe

MD5 f3c75f3a616628f0c77204ecebc44791
SHA1 c5ea8fb913635175d4ff6b5ec293bf1b23290c86
SHA256 0adfe9969dcb140937b757246bd8bab15b785241fbe08509745a9e4242cddf6f
SHA512 da010d0fdbb1635b01a53ab64360416db6b551026afe044d15e516f9727c10df33defa474b7ad13bb36bdf1750ace5e321b4dd8aab04a610d864d1d4052c599a

memory/2364-220-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njqmepik.exe

MD5 cae7436beb9868f663245e67015429aa
SHA1 7a91c3bd479d58af6d4bde4551c36d9847d03764
SHA256 53e6c64fbe3d36d5aaa5a18ead3493c62fa3ccd54fd16c3d6838546542064274
SHA512 6c2ca71a1aac43ab4809439772624863f39719ca1873a6e8d287a20d377419fed5702dae3a28ab786aeed1ba4a6006b5cc72f15213e69a6199efae2b76d47680

memory/3148-224-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nloiakho.exe

MD5 2e63ba062a56b626312ebf8d37c05a79
SHA1 b69318c1f4012634fa7013472e15ef80b536d045
SHA256 6695a10dc047ab6d2511c898f91f844e9e29e0b8fc328eb4621d5920161479a1
SHA512 6124db69ca61374cea286cd63c1afc61a1519f2e381c185833aaca10c4563fa7e1fa4df5a538b51b7654a9611194134d3d29d74549fab8f66efbcba379cd6249

memory/3452-232-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nfgmjqop.exe

MD5 e5905f00f228d67802933a5b28b459dd
SHA1 93cf662f6f5e185c2fed8ebec26dd1b99a780f93
SHA256 540872d904b9680742a6ad8ad0baa9236ff8cc2ce432d8de26f640397987ff45
SHA512 ccf9ee3854d44b0dffc0e3f61d1762987d74d2b5e61ac994d6937621e18db4612e0ba80406c75875da5336a63df410489079cee02a0d56fc84597ebc8740499a

memory/4452-240-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njefqo32.exe

MD5 01b57e924cc0f8668a7fd67c88df064e
SHA1 f79dee3461f263c310d0505d0864837a42b23bf5
SHA256 3150bffcdfb4c78d564445a86b31c9b188c83435fa1c5b4090779d67a59c614b
SHA512 5eb2fc431a376bceb4642dfe809fa9e5091f70ffa50b7f0bb2fde4b6095b2b3465dbb99d50aa99176cb1c9469cffd3ece3f7df3c39fbb68f5ede72f79746ede9

memory/2184-247-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ogifjcdp.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Ogifjcdp.exe

MD5 aacd3b5bdd3d50135a8b81d29a519c3d
SHA1 68743fd1c151723af037c5dbfa7c3f518ac1d98a
SHA256 a19a7e70ae182f5469319d8d2d6f4ae439fc731471b60565b766e0befec4c5a8
SHA512 9a27153b245bc072192fbc04e4ad25359b685c88fe33f4987c0f7e7e3e9ddeea2874e525993611d7a7b9bc12c5ceb5991009710cf9977c344f917b360af1abbd

memory/4956-256-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4008-262-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ocpgod32.exe

MD5 43b7c027ccc9f4df58364a6630d1ea84
SHA1 31ab719fb94715237c9f3eb595f4389e7e3afd9a
SHA256 ff303240613ac4cd9d0fdc04e8e9a9d40f4906fb7399cd783556e363f7ed79f7
SHA512 3545de2e4a56b2fbff9f1d962e037a7b9f964ef03878024406d4ca31f465ab13245be3546eda3879f3dfd8b36c8e66f30da0a418d30cd92cae8b086099345544

memory/4192-268-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3996-274-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Olhlhjpd.exe

MD5 63352b2f638d6d8eaf8b44eebe0e01a0
SHA1 96d0760cdaa160d83a40f014fb594396c50caa7a
SHA256 d098736415f94df5b2b210700cf7c7a7eb52bc9a0682448d2189620ec3fb849c
SHA512 a90b687394269a65cefdc4a1f434d9a6747192701488b0d0a144c34ae4c73b1d203ed7c78ed8a66f3a6e6537263e3c0e401cac4faa6491cbc87b48d5e8aa6ad6

memory/2908-280-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4372-286-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ofqpqo32.exe

MD5 913345d0d558e0887e0cba17ba71e976
SHA1 9bf4b7c1cf8f127c6bfe0f96b1611743a6bc3d0a
SHA256 0c0bfd4f8b5f2ede355fbce9fd54be9ab163c600279cb7a9defff4e7b0d1f613
SHA512 0cdc65d14df57adc449a13b582f8a5c8edb43707b88e9ec32867c545e08d81cde3825a77cc67489a671656fafae965a821f80c94c83f68af1aaa8be7b38d74ab

memory/2328-292-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4240-298-0x0000000000400000-0x0000000000434000-memory.dmp

memory/692-304-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5096-310-0x0000000000400000-0x0000000000434000-memory.dmp

memory/900-316-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4808-322-0x0000000000400000-0x0000000000434000-memory.dmp

memory/184-328-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3696-334-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pcijeb32.exe

MD5 a1b08ae2c29ab9e0ba106144b417bb51
SHA1 ea286642117690140234198560cf3551c922f3bd
SHA256 e16aff792aff6458c4628e5560e3c74e9c8fce49b258828d3e1a232a828602f2
SHA512 fa2801419f8f2dc013643a4b53f540ce7037da74a41b1158481d0277480f5fa42dc2df43a49251956a8fc779e8275d3ee8943d380f4dacb9652f86836af47bdd

memory/3152-340-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2928-346-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2068-352-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5036-358-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3628-364-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4244-370-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3548-376-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4640-382-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2704-388-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4524-394-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1272-400-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4980-406-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1084-412-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4712-418-0x0000000000400000-0x0000000000434000-memory.dmp

memory/832-424-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4312-430-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2972-436-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qddfkd32.exe

MD5 5e5797d47dcf6e0e3e4e2731d726043c
SHA1 7939aa887225973c36b1435e343397e1a376cd13
SHA256 9033e801e7c0726f9049c7b821304d61424d4216f5f455710e810ae2e9102655
SHA512 f577a60ff73563961ed5e53152b1630af36c125cb836e3cb0a281a00be1f810175931ec5e91f30f46bb01ddf918e8eb356bc2f56f0eb3a8d0a5a9f413ae55d75

memory/4612-442-0x0000000000400000-0x0000000000434000-memory.dmp

memory/748-452-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4356-454-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4932-460-0x0000000000400000-0x0000000000434000-memory.dmp

memory/208-466-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Afhohlbj.exe

MD5 4b075d50113c5deddd4f4fcb3df8dddf
SHA1 4838183108570dffae6a5fa92eec0ca044ce4432
SHA256 65adc7d370042225921666f5b18a3c2263ad7ccc8ec1a4c3a7720b5749dd34d6
SHA512 a1978f1a99449917aab2ed914d3923e3785d2cef019344189eb74faf80de6743915d16d51d31eaaf2796a4a58b67ab644e79e96d312a1febd334657c8c217831

memory/3464-472-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4792-478-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1236-484-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1072-494-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3956-496-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3216-502-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2796-508-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Afmhck32.exe

MD5 ccd6bcd762b032e58b31603846e091f9
SHA1 88c8758ac4a57513c2ad93fc5dd6e4c390220385
SHA256 3a1703b6f923a86b8f46908dec0aa1d13fb9876074c3ff743fa8f7a0e9ee2ca5
SHA512 0f27ceb5c243ba62b2ec9a9677a67cfd737ed777d827ee3c74cfb628a7c70b563537ebf4a8332b439ea85944638587c25a1b421b709d6f46131ecf75f6edc910

memory/1456-514-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2320-520-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2136-526-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Aglemn32.exe

MD5 6cad6d4ef71ec45ba5f3630c304c27be
SHA1 9ec1e6bcfd1d2fe636b8371afbb39791fc3fd611
SHA256 ff452249881f6e502485894f79dcc5e89aa3b5d537cb1efde5a3906c4f2b700d
SHA512 60a0d37c06beb6c7862f83d622414ac7b8e396519eecf96bdcb94e094a4e6d9433d759bc9cea47f2debb641630eff7b3cd7b0557f41fdfa408a2eaa758569472

memory/1604-532-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2892-538-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Aepefb32.exe

MD5 ed8b77c3d8274986f58cf0868195059b
SHA1 4392f979ba031591b7cb58bb8d458fb155928c91
SHA256 55d6d3eb5624423f8ecff6795e65075b2c412705a82b86ca54e8d694bda046d1
SHA512 f832a65f8556879f1ada379a9b4c3120af444db209c07354760105ba0d39f6af413e215dd343e6d8a751f0ec506e47d597d24daf458fc251bb38d383659c84cd

memory/4072-544-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4512-545-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2100-551-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4908-552-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bmkjkd32.exe

MD5 b7e823b7606515732cf90bd7bae1fb90
SHA1 09f5c4c2654ca175bb6afb09a2feccc48bf91891
SHA256 ab9f11ec55a64b80bf52c61afa13a665f3692540c69e78dd80cebeafdc5b14a6
SHA512 0b144d3ed4e6285da1cb76be4c4e1f9fcffd8f48636c61ff21ffd7d87915066bdbbe0c083ab6d1703a0ceb83117de9123b2f8a4f648fc77e2ec7dcc8b1584dbd

memory/4764-558-0x0000000000400000-0x0000000000434000-memory.dmp

memory/244-559-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3992-565-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4384-566-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2900-572-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4656-573-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Baicac32.exe

MD5 6825d66d15afe17b02f118d4870ced13
SHA1 b3c9f4aa8c259a88eac7d47f3ad9bcaadc0b049f
SHA256 b80758bbc698647040d00549edd770f46dce61c14ca2e6688f601a21e9aeb021
SHA512 a0554eb931962719e1eba28014ebf97e577582f4660c16d95cee758d83588a7404cb46ea018c61ab90b03bba90c31e241aafdf7a8aa3290518e84f7af3e0511e

memory/2268-579-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3032-580-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3496-586-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2540-587-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1376-593-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3356-594-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bnpppgdj.exe

MD5 8d8ea2af952f3dfc615fe52c91850059
SHA1 25d2f09b86d638dbd80f13bec272a02466405675
SHA256 d27747477a3d66aefc07741c24ccbd9f061fd1dc4125043511e1f4b7950fca2d
SHA512 646e7a5c0aa977e27179f8c1de03840e3d20187fb56adadb878fbf9b7fc9cc080a7574c584894b00dab15a5dd8454e5a5c878f5bf6a144ca1a6abd5df1d24bf9

C:\Windows\SysWOW64\Bnbmefbg.exe

MD5 abc71b02e9d3bfaca874173ceb4396f3
SHA1 2cbe269f67f84bcf84f9706ae8ea5d1e6564ca7e
SHA256 ca70db092450022b8e56806ae3e9953940adf3ff8de21546b19491948b5d60aa
SHA512 3cd48fcd4c95c7235af904eb9c6f3d9813c732940483cae2091fc279b5ad8b153ca71d28d175dd7ece4ffca99bf69ea68c30695d0d684442de5588f346b116d3

C:\Windows\SysWOW64\Cmgjgcgo.exe

MD5 d86e282b65472469b433b2214cc05c21
SHA1 0b8d1e1f2568644380dd08f3579921e469e276f6
SHA256 79ae1b5f349594b15bad149206c31b6b95b51f9084a7a19d423f5eb3a0d8c255
SHA512 e9b9bf5733f1889592ce21342e59144658c2ba4c82d26dafb5aa7d0eda81b05c02af7b8428c6e7efbfcaa540a6af63b3e2b33c7dce5f8de775e545e3ab0b3c5a

C:\Windows\SysWOW64\Cdcoim32.exe

MD5 9fbd968171efeb5210eff77b00bed55f
SHA1 c185bd4a312bf17eac75831dbf78af53ff728672
SHA256 ad4f34624b6f66826725c52f8ad022ff389c62ae5886e5579b877e1b96968c70
SHA512 a80902fa2d700794f5f4027dd770e9c820faa3797ffbc8b6c6ef8f829152dc3ae679226d6534e5d2adc9c7d37a83194b3415a950cfa6449be04f2d110f611ff5

C:\Windows\SysWOW64\Ceckcp32.exe

MD5 b07972989f152f7ad2b42a2002b46d3c
SHA1 d66d8275d81705b49e29bd20186078ad97a93300
SHA256 80b94119b1b2bf21d9e8c1028b84594c4ed2696236d858889b6bcb7badd6c1ad
SHA512 5434219311da2fa516bdf1201b369edd9141c50d956158fd874449843be070a3d5e50c0ac7309b58532918ba8ba70ca86a32d5e5c4561ffa52ab140113497a5a

C:\Windows\SysWOW64\Ddjejl32.exe

MD5 52180bd7c1e8a4ee87bb00ee90cbea03
SHA1 dab4a713f3360a13a2f0984a3cebe2a964579a76
SHA256 c237e9413fa9014fd48b619ef5f507220f1319db22c2e99589ef5d3490523f01
SHA512 25c6d4824ecd4a1f4f72e835a5580046890d04d9a4264f379c1dcd7fc3934c7043c0719da006a8a760360fe95837937dbbdb77fb6544a03122774ca96b339faa

C:\Windows\SysWOW64\Dmcibama.exe

MD5 58ad49ad6fb8d0885ceaae1a4a894408
SHA1 6544f9bc8d6a23c9c105c614ebe4879afb002075
SHA256 3ae43bc61d0a23213b53615fad1713ebe47e45e09ada729f93bb0dc3ee1e5356
SHA512 55ef9d78dcd485571ae46711f90cc042de38b83454087009164142ebdef43d502bc0c68470939297490890119d31736d1ec7de91878128280f39573e634642e8

C:\Windows\SysWOW64\Ddmaok32.exe

MD5 7a203c40c67186b0f805821e77d54040
SHA1 91848e0b94a5e090f8e435cc8b9d773a06ff63cd
SHA256 a1cdc2c7b2072b1a430a72985b4970a935b26f6916aca6e816e2006eb857e4b7
SHA512 0a03081ea80952c98c2edfe3593d7868b852e142f3c0aa9db508b6db179a8d751f132b0719641164751ccc7eb6d377e8133369a0f10d474fa10859ec9c929d58

C:\Windows\SysWOW64\Ddonekbl.exe

MD5 94c9814e1409a382824bd9eba8b03027
SHA1 36c76efd055ad9bdc8d6e8e007eadc640a41ae50
SHA256 3217d943c24acc8e7dddff6fbf9f7800e147953897523beae88b3bbab35e7ee3
SHA512 f981b0c4b7b3b4e6601e11a269acfc8aac0c37aa521efde56bc72393f476eb7d8a52b9c7162584faf76a4eaf9518fafaf2bdd962b9abb7c990e79bd65b9306b6

C:\Windows\SysWOW64\Dddhpjof.exe

MD5 eb483aaf1f4e041e5448590b59c1817c
SHA1 3d95e636e384c5d809830367e39f36b16362080d
SHA256 cb3e9e65e541352dd54242cb67cc26bf6cde167f67c0c15adb8f58070724c69e
SHA512 04b89b82ca88566eeaf8f4dc1411a65fddcfb1546f6da0aadb25cde01a53220622bdc4e83293dc9ff4b153d280b08fcf9bf7d83d9c7514d0a874e82f65b671db