Analysis Overview
SHA256
65ec09fa8c2ad3c079cb20c86d09f313002057156d3135c8789538917dc63352
Threat Level: Known bad
The file Backdoor.Win32.Berbew.pz-65ec09fa8c2ad3c079cb20c86d09f313002057156d3135c8789538917dc63352N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-16 16:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-16 16:06
Reported
2024-09-16 16:08
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Annbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qngmgjeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Annbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Picnndmb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Pjbjhgde.exe | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| File created | C:\Windows\SysWOW64\Njelgo32.dll | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhgkeald.dll | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmccjbaf.exe | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qflhbhgg.exe | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amcpie32.exe | C:\Windows\SysWOW64\Agfgqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgfkcnlb.dll | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Behgcf32.exe | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imogmg32.dll | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qeaedd32.exe | C:\Windows\SysWOW64\Qngmgjeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\SysWOW64\Annbhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nodmbemj.dll | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qniedg32.dll | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| File created | C:\Windows\SysWOW64\Napoohch.dll | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amelne32.exe | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqfjpj32.dll | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eignpade.dll | C:\Windows\SysWOW64\Biafnecn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Picnndmb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Poocpnbm.exe | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Achojp32.exe | C:\Windows\SysWOW64\Amnfnfgg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bnkbam32.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Biafnecn.exe | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckiigmcd.exe | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnnffg32.dll | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Oodajl32.dll | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amnfnfgg.exe | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmdgdp32.dll | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmeimhdj.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chkmkacq.exe | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmhideol.exe | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdlpjk32.dll | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agfgqo32.exe | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bajomhbl.exe | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkglameg.exe | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljhcccai.dll | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlpdbghp.dll | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| File created | C:\Windows\SysWOW64\Plnfdigq.dll | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmnbjfam.dll | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| File created | C:\Windows\SysWOW64\Bajomhbl.exe | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Picnndmb.exe | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmogdj32.dll | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Annbhi32.exe | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpfeppop.exe | C:\Windows\SysWOW64\Bmhideol.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmgechbh.exe | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Picnndmb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmccjbaf.exe | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjdplm32.exe | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmelgapq.dll | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ackkppma.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Deokbacp.dll | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Cacacg32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chkmkacq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biafnecn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amnfnfgg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agfgqo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Picnndmb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Annbhi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cacacg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qngmgjeb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmhideol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aniimjbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Biafnecn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" | C:\Windows\SysWOW64\Qngmgjeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll" | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll" | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll" | C:\Windows\SysWOW64\Ajpjakhc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" | C:\Windows\SysWOW64\Amnfnfgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll" | C:\Windows\SysWOW64\Bmhideol.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll" | C:\Windows\SysWOW64\Agfgqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll" | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnkbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qeaedd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amnfnfgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
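The rows above record a COM in-process server registration: the initial sample creates Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}, sets ThreadingModel = "Apartment", and each dropped executable in turn points the InProcServer32 (Default) value at a freshly dropped DLL under SysWow64. Wow6432Node is the 32-bit view of the registry, so this is a 32-bit COM server, and whichever 32-bit host instantiates that CLSID will load the DLL currently named there. The script below is an added example and not part of the sandbox report: it parses a constructed excerpt of these rows (copied verbatim from the table), reconstructs CLSID, DLL path and writing process, and lists the registry locations to inspect on a suspect host. SAMPLE_ROWS and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed excerpt: rows copied verbatim from the registry-modification
# table above. The full report has many more rows in exactly this format.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll" | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" | C:\Windows\SysWOW64\Bpfeppop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll" | C:\Windows\SysWOW64\Qijdocfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Poocpnbm.exe | N/A |
"""

# One pipe-delimited row: | Description | Indicator | Process | Target |
ROW_RE = re.compile(
    r"^\|\s*(?P<action>[^|]+?)\s*\|\s*(?P<indicator>.+?)\s*\|\s*(?P<process>[^|]+?)\s*\|\s*(?P<target>[^|]+?)\s*\|$"
)
# Indicator of a value write: <key>\<value name> = "<data>". An empty value name is the (Default) value.
SET_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})")


@dataclass(frozen=True)
class RegEvent:
    action: str                 # "Key created" or "Set value (str)"
    key: str                    # key path exactly as the sandbox logged it
    value_name: Optional[str]   # "" for the (Default) value, None for key creation
    data: Optional[str]         # unescaped string data, None for key creation
    process: str                # process that performed the write


def parse_rows(text: str) -> List[RegEvent]:
    events: List[RegEvent] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, anything that is not a table row
        action, indicator, process = m["action"], m["indicator"], m["process"]
        if action.startswith("Set value"):
            s = SET_RE.match(indicator)
            if s is None:
                raise ValueError("unparsed indicator: " + indicator)
            # The report escapes backslashes inside string data ("C:\\Windows\\...").
            data = s["data"].replace("\\\\", "\\")
            events.append(RegEvent(action, s["key"], s["name"], data, process))
        else:
            events.append(RegEvent(action, indicator, None, None, process))
    return events


@dataclass
class ComServer:
    clsid: str
    wow64: bool                                  # registered under Wow6432Node => 32-bit server
    threading_models: Set[str] = field(default_factory=set)
    dlls: Dict[str, List[str]] = field(default_factory=dict)  # DLL path -> processes that set it


def com_servers(events: List[RegEvent]) -> Dict[str, ComServer]:
    """Group InProcServer32 writes by CLSID so every DLL the class was ever pointed at is visible."""
    servers: Dict[str, ComServer] = {}
    for ev in events:
        m = CLSID_RE.search(ev.key)
        if m is None:
            continue
        clsid = m.group(1).upper()
        srv = servers.setdefault(clsid, ComServer(clsid, "\\wow6432node\\" in ev.key.lower()))
        if ev.action.startswith("Set value") and ev.key.lower().endswith("\\inprocserver32"):
            if ev.value_name == "":
                srv.dlls.setdefault(ev.data, []).append(ev.process)
            elif ev.value_name.lower() == "threadingmodel":
                srv.threading_models.add(ev.data)
    return servers


def hunt_paths(clsid: str) -> List[str]:
    """Registry locations to check on a suspect host. The per-user Classes hive (HKCU)
    is merged into HKCR ahead of the machine hive, so check it as well as both HKLM views."""
    return [
        r"HKCU\Software\Classes\CLSID\%s\InProcServer32" % clsid,
        r"HKLM\SOFTWARE\Classes\CLSID\%s\InProcServer32" % clsid,
        r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\%s\InProcServer32" % clsid,
    ]


if __name__ == "__main__":
    for srv in com_servers(parse_rows(SAMPLE_ROWS)).values():
        print(srv.clsid, "wow64" if srv.wow64 else "native", sorted(srv.threading_models))
        for dll, writers in srv.dlls.items():
            print("  ", dll, "<-", ", ".join(writers))
        for p in hunt_paths(srv.clsid):
            print("  check:", p)
```

Run against the whole table rather than the excerpt and the DLL map grows to one entry per generation of the worm; the CLSID stays constant, which is why it is the better hunt key than any single DLL name.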
Suspicious use of WriteProcessMemory
Processes
Each dropped executable is launched by its system32 path; for these 32-bit processes WOW64 file-system redirection resolves that to SysWOW64, which is where the files are actually written. The final entry, WerFault.exe, is the Windows Error Reporting crash handler started for PID 2712.
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe" |
| C:\Windows\SysWOW64\Pgbafl32.exe | C:\Windows\system32\Pgbafl32.exe |
| C:\Windows\SysWOW64\Picnndmb.exe | C:\Windows\system32\Picnndmb.exe |
| C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\system32\Pbkbgjcc.exe |
| C:\Windows\SysWOW64\Pjbjhgde.exe | C:\Windows\system32\Pjbjhgde.exe |
| C:\Windows\SysWOW64\Poocpnbm.exe | C:\Windows\system32\Poocpnbm.exe |
| C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\system32\Pfikmh32.exe |
| C:\Windows\SysWOW64\Pmccjbaf.exe | C:\Windows\system32\Pmccjbaf.exe |
| C:\Windows\SysWOW64\Poapfn32.exe | C:\Windows\system32\Poapfn32.exe |
| C:\Windows\SysWOW64\Qflhbhgg.exe | C:\Windows\system32\Qflhbhgg.exe |
| C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\system32\Qijdocfj.exe |
| C:\Windows\SysWOW64\Qngmgjeb.exe | C:\Windows\system32\Qngmgjeb.exe |
| C:\Windows\SysWOW64\Qeaedd32.exe | C:\Windows\system32\Qeaedd32.exe |
| C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\system32\Qgoapp32.exe |
| C:\Windows\SysWOW64\Aniimjbo.exe | C:\Windows\system32\Aniimjbo.exe |
| C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\system32\Aaheie32.exe |
| C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\system32\Acfaeq32.exe |
| C:\Windows\SysWOW64\Ajpjakhc.exe | C:\Windows\system32\Ajpjakhc.exe |
| C:\Windows\SysWOW64\Amnfnfgg.exe | C:\Windows\system32\Amnfnfgg.exe |
| C:\Windows\SysWOW64\Achojp32.exe | C:\Windows\system32\Achojp32.exe |
| C:\Windows\SysWOW64\Agdjkogm.exe | C:\Windows\system32\Agdjkogm.exe |
| C:\Windows\SysWOW64\Annbhi32.exe | C:\Windows\system32\Annbhi32.exe |
| C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\system32\Aaloddnn.exe |
| C:\Windows\SysWOW64\Ackkppma.exe | C:\Windows\system32\Ackkppma.exe |
| C:\Windows\SysWOW64\Agfgqo32.exe | C:\Windows\system32\Agfgqo32.exe |
| C:\Windows\SysWOW64\Amcpie32.exe | C:\Windows\system32\Amcpie32.exe |
| C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\system32\Aaolidlk.exe |
| C:\Windows\SysWOW64\Acmhepko.exe | C:\Windows\system32\Acmhepko.exe |
| C:\Windows\SysWOW64\Ajgpbj32.exe | C:\Windows\system32\Ajgpbj32.exe |
| C:\Windows\SysWOW64\Amelne32.exe | C:\Windows\system32\Amelne32.exe |
| C:\Windows\SysWOW64\Apdhjq32.exe | C:\Windows\system32\Apdhjq32.exe |
| C:\Windows\SysWOW64\Aeqabgoj.exe | C:\Windows\system32\Aeqabgoj.exe |
| C:\Windows\SysWOW64\Bmhideol.exe | C:\Windows\system32\Bmhideol.exe |
| C:\Windows\SysWOW64\Bpfeppop.exe | C:\Windows\system32\Bpfeppop.exe |
| C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\system32\Bfpnmj32.exe |
| C:\Windows\SysWOW64\Biojif32.exe | C:\Windows\system32\Biojif32.exe |
| C:\Windows\SysWOW64\Bnkbam32.exe | C:\Windows\system32\Bnkbam32.exe |
| C:\Windows\SysWOW64\Bajomhbl.exe | C:\Windows\system32\Bajomhbl.exe |
| C:\Windows\SysWOW64\Biafnecn.exe | C:\Windows\system32\Biafnecn.exe |
| C:\Windows\SysWOW64\Bonoflae.exe | C:\Windows\system32\Bonoflae.exe |
| C:\Windows\SysWOW64\Bbikgk32.exe | C:\Windows\system32\Bbikgk32.exe |
| C:\Windows\SysWOW64\Behgcf32.exe | C:\Windows\system32\Behgcf32.exe |
| C:\Windows\SysWOW64\Bjdplm32.exe | C:\Windows\system32\Bjdplm32.exe |
| C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\system32\Bmclhi32.exe |
| C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\system32\Bdmddc32.exe |
| C:\Windows\SysWOW64\Bkglameg.exe | C:\Windows\system32\Bkglameg.exe |
| C:\Windows\SysWOW64\Bmeimhdj.exe | C:\Windows\system32\Bmeimhdj.exe |
| C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\system32\Cdoajb32.exe |
| C:\Windows\SysWOW64\Chkmkacq.exe | C:\Windows\system32\Chkmkacq.exe |
| C:\Windows\SysWOW64\Ckiigmcd.exe | C:\Windows\system32\Ckiigmcd.exe |
| C:\Windows\SysWOW64\Cmgechbh.exe | C:\Windows\system32\Cmgechbh.exe |
| C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\system32\Cacacg32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 140 |
Network
Files
memory/2852-0-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Pgbafl32.exe
| MD5 | 678c78c6e027ec39cca37af1f397cd33 |
| SHA1 | 5e01327453af718e3b047c5c897c034c96df788a |
| SHA256 | 26abd1f8dcf92a74875fca00cbb0a26babcd644bff8bfc9ebfd15d3f1a94c302 |
| SHA512 | 1a8deaeb19563520a59c40cf3725887e5ecc5ffbbf8cf38793b046cc85d2823f79f7a75dbe28ee4831556bbc078433ff0761564bd2e2f5668026d2081b68dbb4 |
memory/2724-19-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2852-18-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Picnndmb.exe
| MD5 | 97fd713a545d728a6241260634ab0f3d |
| SHA1 | 26d7376f1def770b96cef2994ff3176a0053576b |
| SHA256 | 81c28f8ef864a69384a3d783a319ca8cf58ba409a65e86ee790c2b6d33ac1073 |
| SHA512 | b19120492a56025e70851084b6c0837f3b1ea7b5559e4339f317316518c4256c9b863c65b61c0c9cfd437aecb944b21db3e7b6391509a3a155f3885b80d44f23 |
memory/2440-27-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2852-17-0x0000000000250000-0x0000000000284000-memory.dmp
\Windows\SysWOW64\Pbkbgjcc.exe
| MD5 | 6f580d45bc76b29e08476946799fce2f |
| SHA1 | 7e47296e37083de1f0e34a2721b27f11b3c367b5 |
| SHA256 | 197e31d9c8a46e03d6e5748d5fb592df0cc6659c3ebacb506c9d117be9f3546b |
| SHA512 | bf2b7586fd4fba0c7fc0209f75c41384eaef65dc3744120f66febb327d8f38b1ab1d893f363f08f6fe45f73fe57394d4e46d4111eb3dca04a357692aebc828aa |
memory/1996-45-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Pjbjhgde.exe
| MD5 | 71bc1be6bb8e126dc80e8a4e124c16c5 |
| SHA1 | 63f1714892dbf69071a5423d92b4d4319859af22 |
| SHA256 | 51a3bd5132a19cbf428f32a9290642421851307328f61aa4a39a55dce3371358 |
| SHA512 | 262305b857e87642ee7c93e4071c7b7c66ec874dc332a936134320d2ac7962340ab848eb5cb756c624d6ddb9db8be7077762ddc29b84523d01cfc21261a0fb31 |
memory/2676-53-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Poocpnbm.exe
| MD5 | 1b4f5f234caaff1eaa2f23be654b36b5 |
| SHA1 | 08d635583025f598d5f326b5a8990eabdfdbf3f8 |
| SHA256 | 41f0995da239a76e08d9718ca2eac83582bc4e19832eaff798cead38fb2717c7 |
| SHA512 | 5d0b2092248c5d406215edb1d4372a6f3234da64d4cc138a335d63d73004099ba593ef13d82b677a16c0e3f80e1dcdef4b9774cbe2800d9034c70edd26bfe843 |
memory/2676-61-0x0000000000250000-0x0000000000284000-memory.dmp
memory/532-67-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Pfikmh32.exe
| MD5 | ae63cda54c8853b85b5515bd59327a88 |
| SHA1 | c2ad23a270b5c0b08a0616cc60a555d2798b9d45 |
| SHA256 | 934384430430c6a0446b2e7ff8375287b49a8018261569631edcf458570baab4 |
| SHA512 | e66f3af469cd29622b338cccf91fbf24d8929ae868e3d7f63505a88b681ecbd6c373d83c2928d70f82a373d127164fcc58ba4152f3a13b65195a1406beee408c |
memory/576-80-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Pmccjbaf.exe
| MD5 | 22aec672ec10488dc521f474da58b37f |
| SHA1 | d1efcc801dfb84799dd6ab0c5a0906291d19ec8a |
| SHA256 | 8aefb9c1141090b7af3ebc3b74dc9f15f24e5fe61e0d65faaca6863ebc587d5c |
| SHA512 | c1fee55e8d09dab183b5e56e433baac9f2631a0624cfd7fb1f8f15e89c12b17ead9e9607925a6a9fdb43f3c87d1b68b923bb2d463015817886ad7853a3cdec0d |
memory/576-87-0x0000000000280000-0x00000000002B4000-memory.dmp
memory/2204-94-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Poapfn32.exe
| MD5 | 06cf0f42f2b4a42fdc3b0c83b88cfec8 |
| SHA1 | b2e5b89da3a8d5dd0a0bf72eafb186eed002b489 |
| SHA256 | 5baa7d77c98a9a721cfd82c6352b9edefb6e80858695ad86a44a97a3a3acfe25 |
| SHA512 | 65bd73cf41ed94eab5ba4e91271b16bb401772d9e29a664646ba24b9e42a1928a6b68324335a0e28b5f3a160b8509b1754c53fb8018b0753134dbfff18a4c556 |
memory/2384-107-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Qflhbhgg.exe
| MD5 | 59d7ccbb1ec5ad0fc8c5d9108a5ea9fc |
| SHA1 | 5fc55fa983082375a66f3d42ebd3e1984359a779 |
| SHA256 | f052d7d1489556f0dfeff5f442f5a9b3f0cdfd0f67b559dd664544efbb533aca |
| SHA512 | 3d0ce54de1ceaa42c70f35d326d6c57ecbaa098b5614c94a1d97e32e9318cb7e5ad0e75a5ca91335d6cebb7588c9b6b8f146454a1c1bb5a2741bf5d92ad21c84 |
memory/2384-115-0x00000000002D0000-0x0000000000304000-memory.dmp
C:\Windows\SysWOW64\Qijdocfj.exe
| MD5 | a76e5a4ddef2aa273efa8be3888c3ffd |
| SHA1 | e883c09457540095268b5875c024d2e148f96f80 |
| SHA256 | e9554309b84562146c96ae5a6078fb5b8d2682a8de697dec4f4b0a0f2b8ad2ea |
| SHA512 | 6820b9e2775f385ca23cb11d248993f9ff36d2bb8cff83fe3e56d56cfabd4aa15747df0e738c0468c07470e11e5285f9b804856bf9c27c7aaa3203b84cd13812 |
memory/2980-134-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2136-132-0x0000000000250000-0x0000000000284000-memory.dmp
\Windows\SysWOW64\Qngmgjeb.exe
| MD5 | de362f63662f19fdca71c26c369b3617 |
| SHA1 | e1671ee2e5359d51e7587b680922fcb7acba6b0a |
| SHA256 | 089255744ec18f3ce3321e49179533fea38e62e65a0603151c64ea5bd18486d6 |
| SHA512 | cf8e25d62b6c52b32e21e6cdba3b370f429c67ad5e9ed35f4d329353d8ba6b32df7880b4ba70c1e5cc74bc6078fe7e56d2edb4a9fcd6c061629729a8494b746c |
memory/2980-142-0x0000000000250000-0x0000000000284000-memory.dmp
\Windows\SysWOW64\Qeaedd32.exe
| MD5 | 0e004c314dc02740d0fd0081bc607c36 |
| SHA1 | 01fcc0767a5871871588286fd6754535c29b1b9b |
| SHA256 | 297f5b28c4ee00e052bf7c42a71ec7476050619bed3b41113db1da8e66e43296 |
| SHA512 | 4f8aff7615347e007b4af4ff1fbb6a2d755480deb71ea356f20ba1daa2cdd7d7ceff3333000ff458b1efca4edcf9807f6b1210e894cb0f2362fac26dabce7815 |
memory/1780-148-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2580-161-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Qgoapp32.exe
| MD5 | d8cbd4811ef8c90bcaf9af204b4aaa10 |
| SHA1 | 8e6c4f6d087f02820687de5aadbf082b912d48b7 |
| SHA256 | 24ce0aeeedb5820729ad1026a1a52f455c0c3a76fcce33098c5c8d4fc4df9dfd |
| SHA512 | 0b13301086dbb5da6ee4e9f51477fa0532068edf2fd7cec23609cefa98c99bfcf3126767c92f3fa63ceadb84a6a77c32170777fcd223e7da4579e91894796328 |
memory/2580-169-0x00000000002F0000-0x0000000000324000-memory.dmp
memory/2952-175-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Aniimjbo.exe
| MD5 | e920c4ddedfbd82cc5917abf18a197f1 |
| SHA1 | 8497e38e10082cfc708068ae279abe4e64ce9208 |
| SHA256 | ae1802d5f6ee15f23f7d2a8d1618a6f076a5baec630ce2996e315779a7031a8b |
| SHA512 | a5d0792e8ea86f663c013fd5a7a675801eab82800e92cd07a169dcce774e89daa9d57cac1bd2a7225c7a0f5bcd18ef655b2161f128a8300883df463cd08905f7 |
memory/2072-188-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Aaheie32.exe
| MD5 | 62bef457f4e457c4681b6190ca77424f |
| SHA1 | fcc1b0f5802d0c246047dd1dae574ab66846b5b2 |
| SHA256 | 87be9a6af8541f6ae149f05e45e68031325971ffd5034c9984daecaeb654b564 |
| SHA512 | 804054b5bc001109088cf623c108d9261d27dddb198bb7263bdc04d56d7dc2856972a590ede8616cd14750c924ab3fce47d342f3fabc3a5537b2ceba5ca83953 |
memory/2072-196-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2116-207-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Acfaeq32.exe
| MD5 | 42fa9c08d70d542b86f520e51c7651b6 |
| SHA1 | e606c47c6c9b8e7a5eca773bc97846184a6d244e |
| SHA256 | 99d65df7bf3ddead2d73ab6a1beb12d096ffd2ac31eb226dca9e729ac594b3ba |
| SHA512 | 06a58f1d9d1677c2d8cb866576d0d298c90e6f1b1d53ceebf66c7e90ca10647ce66471d05faf04f4f0eafbea941050b88cdfed4592886472c497536acab2b933 |
memory/1028-215-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ajpjakhc.exe
| MD5 | 2802d01d30dc0bd92b3c0eab52fde5f8 |
| SHA1 | 826cceacf846da99681384f0e45bec245ecd3cd1 |
| SHA256 | c7968e2179ca38069edc429738cd64edc4d1abce95dd1d34191714d4724f0279 |
| SHA512 | b7ff1cfc2256f7731d625bbb4dc9887f7bc438b7169db59e038cd0b5093a7f135b36d341a8659af0586d593b8d7c8e0062f205ccd962bf1a04faf0dc4021aebc |
memory/1028-222-0x0000000000250000-0x0000000000284000-memory.dmp
memory/444-230-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3048-235-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Amnfnfgg.exe
| MD5 | 0eb9b034af8ea06ce67fd9f34ddd42c7 |
| SHA1 | 08280bc345bdca4c75b79c0018839a400782a387 |
| SHA256 | 871af6e669954c5ce748d1cd7404c34a0a09bdf7feebde179171e308ee72a8e9 |
| SHA512 | 451da4a3e716e120d499a10da5e0934b2fafe356c6a772c394998c5686eb44fdea227eb9e320e8d3e454e472fd83ee84d03e6c1df6f35423295202a1ebbd788d |
memory/3048-241-0x00000000002E0000-0x0000000000314000-memory.dmp
C:\Windows\SysWOW64\Achojp32.exe
| MD5 | 5e2999bc75475e26be717f46b9928262 |
| SHA1 | 64deb389503608c61a4268d89a5cfaf98929540e |
| SHA256 | df84033122b724fa4d0a19e6b00aa9723148fc470cb794102bfd45396856991f |
| SHA512 | e3b72cf9e5eaf4913eed0720539921e0bcccbbb74b55be47d372cfafb3a6c058aa1af5d3f91fe221c054cefaf0320c1b165b09d96fb2a271511c0f069ef48ccf |
memory/1364-251-0x0000000000300000-0x0000000000334000-memory.dmp
memory/1364-249-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Agdjkogm.exe
| MD5 | ca6d5c4e6345a999de7ebf391553516e |
| SHA1 | d590ae4738d750183c73e23e313c380a364a4c3e |
| SHA256 | a69c76622025fb60b5dc9806f8361e06297217d3cf4d37c002522c920d95f711 |
| SHA512 | 6765362a55dc58611c98524f49eddc6780ff61fd2967d3b826cca307ad95c80795b60388965e0c100f1f9bdcd4fdfb343e4d0738bd97d1c16961d2b887ec9998 |
memory/932-260-0x0000000001F60000-0x0000000001F94000-memory.dmp
C:\Windows\SysWOW64\Annbhi32.exe
| MD5 | 29d51c2162020c9fff155f9842e0ff10 |
| SHA1 | 54a5e38f3227ee1dc6ebb6204f3d0bd284366a89 |
| SHA256 | ab8c09a40cdc856272790cb0da669b62bc027ba4c33f6f7418225ca9f8db9f51 |
| SHA512 | 66811a7b44eaf608802d1b44254d93baedc20af5468a1b98da25f60c6a9838342f963a8e66caeb6240042e80597eb1ebcd71072b260f0aa3a20607bc7608a267 |
memory/828-264-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Aaloddnn.exe
| MD5 | 18c4a34e23202306592dcc1763ffc113 |
| SHA1 | b26f793901d6e12c0f096a4b5fcf9653ce436514 |
| SHA256 | a6d3c1b249277c00af14f45ba13cb9b993aaa971d916d23d517fb818a1efbe8a |
| SHA512 | 8b8f0d2e076cbf384dcb2373117cbdc924975d555f66d89ba910162d920758aa8650756f6436fa0dedc2af6755c28d3cd452a01e2645930d21136f7b65e07a64 |
memory/852-273-0x0000000000400000-0x0000000000434000-memory.dmp
memory/852-279-0x00000000002F0000-0x0000000000324000-memory.dmp
C:\Windows\SysWOW64\Ackkppma.exe
| MD5 | 51a7381379e409d73935274cc3988840 |
| SHA1 | 2a9c97cc7d5baca0ec6835902b23540debcf2d34 |
| SHA256 | 66aeb72c152e0e937bbe7f388556a6b909ae5f248a4a6116509b4397353b2a5d |
| SHA512 | 37339cd6ab69979074f3b41177a9d9b07bbf798561b0471df5002fc077d4d5be6bed3375125ecf585116e7b524e1478af093a73b2fc3c0ab9c1706dd69376bd3 |
memory/852-283-0x00000000002F0000-0x0000000000324000-memory.dmp
memory/2356-288-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2356-290-0x00000000002D0000-0x0000000000304000-memory.dmp
C:\Windows\SysWOW64\Agfgqo32.exe
| MD5 | 29de85b3fd9c6d60496fece60896ae01 |
| SHA1 | 9fb99f961dcb121f78d55c60d49aea8ffbab2d0b |
| SHA256 | 95432b64999ae14a306f6b9afc5f1a8758bdff997437c4b3ad37cbd7f024e14f |
| SHA512 | 5a050fbff3305fa5589693537e6c604f14e35cc1ab82c0fe2e7bff01a2b0e8d814e6a5bba75e13817e2ab0e1dac6cf64abea00d1093e72b95f8061e864aeadcf |
memory/2356-294-0x00000000002D0000-0x0000000000304000-memory.dmp
memory/2972-300-0x00000000002D0000-0x0000000000304000-memory.dmp
C:\Windows\SysWOW64\Amcpie32.exe
| MD5 | 3d81ced283acf407cdceb5a04f39e767 |
| SHA1 | ccbaa026cf0c1c5199cf17c76bdc978baecc4e87 |
| SHA256 | 1dcd95d1c5cf283dc5962d976c310f56ddc792ae814cee30d1d867f5ade0d855 |
| SHA512 | 40b937b6c19e6287a46204068acaf766d959bfabf59efbebb557e617fc3a6558a2cc9589fc6832323caae30d095b50a77626143a476ed75cce12323f831e7631 |
memory/2560-305-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2972-304-0x00000000002D0000-0x0000000000304000-memory.dmp
C:\Windows\SysWOW64\Aaolidlk.exe
| MD5 | 58ed35db38855b13f69e7a8ab776c73d |
| SHA1 | 5f6954bf854d15ac51d38d7f7b7d6c29901e03ef |
| SHA256 | d73599233cde5c5c24e1c27d98313d3a753a13d085db8da035ec0c953b0475dd |
| SHA512 | a81bbd27c9bd1cbe6869848fa601f3ca628874986a63037a763ac9cb2aa6f4a086906728801e535bac34e1b4362fc0efa312e7ddc9aa586abfc49dca103773d7 |
memory/2920-316-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2560-315-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2920-326-0x00000000005D0000-0x0000000000604000-memory.dmp
C:\Windows\SysWOW64\Acmhepko.exe
| MD5 | 8bd061e25d7ddcaf57c268ef9a493145 |
| SHA1 | 8f45f17ae5e6978046fb864c8d967eff8f1adf25 |
| SHA256 | a36d567458c6188908344c73bddb139c0ffa7cf1fbb5f67dbe9b4c1ad1fcd914 |
| SHA512 | c5286c42729a1dfe01077f8dd0e1e7f6d0c6a1414dab5f9d08197c23b0687ec9a273730327b8fb64b032182d3f0a56817ce4d196c48a07a005829dfee1452e9d |
memory/2920-322-0x00000000005D0000-0x0000000000604000-memory.dmp
memory/2560-314-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Ajgpbj32.exe
| MD5 | 9af4a13540238d147f6d896ee7c7e479 |
| SHA1 | 5aeda7a1e2c8dc6dcf12bbf763c844a94dba4fa1 |
| SHA256 | ee2ce68fe0487d4a4482a15ee67cebc7e3302156afc281d21b32295be94dd9ac |
| SHA512 | 164e4b54ea6f35021613b2b731d58b2419a4574e29590f8881f2093dabe42835cd07155daaf934ac5d036fdfa4b3baf3aa15f1d4a181db62c2eca5601d3fff38 |
memory/2656-337-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2836-336-0x0000000000270000-0x00000000002A4000-memory.dmp
memory/2836-335-0x0000000000270000-0x00000000002A4000-memory.dmp
memory/2656-347-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2656-346-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Amelne32.exe
| MD5 | 9210787ab862c77de24f598120437d00 |
| SHA1 | 29fb063c454ff856eaa915eb520412e3e31f500e |
| SHA256 | c8993db3a21f31a4862da67dbcc78efe05543ad4a51141e298a40629e9599375 |
| SHA512 | 8d56a766a3aa66811a5e62e638f440c9527b328bd787ef880fd7139aa54694f557094e025a9ea637d6a27e6d451f08ea6361ad4a54a2985a102d1e1c964b59e9 |
memory/348-358-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2168-357-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2852-356-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Apdhjq32.exe
| MD5 | 97a87adec63d5f86b4b2a8303ed6a931 |
| SHA1 | 16f6fc6b8a91e150311fc36f12037db4ad2d6d52 |
| SHA256 | bf9e7835bf75a02e4e65756e3c80b180b45e0fbaf75bf8e9811ebc2a4d44fb67 |
| SHA512 | 9d22a590603b8dbde7ee3840a7b6cc1b58ecfe800f7c6c31e2ce7ad67473e5ffaf9fac6f63dd8630acbc3005b63d1746cac9e3fcf8e46a95c7410f3a7c98669d |
C:\Windows\SysWOW64\Aeqabgoj.exe
| MD5 | 58c31ae47eb8fe1cf69f93c75d285ab9 |
| SHA1 | 80e57782c74d7b25fc3e686a6c0a4d847ab9fe6f |
| SHA256 | 1129beb9d86ccf8e15572bd5b771d95591c4c7f563e2fc6c5ae5ddd874bb7e95 |
| SHA512 | db3afadd1aed4d013e3435c09db4e12f65908ad74907a5c90db6386df80812a26997167a9aa3d3aab827513127cdc3968450e7821faf92911f2723452ff135da |
memory/348-369-0x00000000002D0000-0x0000000000304000-memory.dmp
memory/2440-370-0x0000000000250000-0x0000000000284000-memory.dmp
memory/348-368-0x00000000002D0000-0x0000000000304000-memory.dmp
memory/2440-364-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bmhideol.exe
| MD5 | 3c53a72b3453724d4994a5357f4d6fc1 |
| SHA1 | 7c392ec76b805d9341015dc4b9e0ba1b720489c1 |
| SHA256 | b6a0f7169969ae4680c1640e5c543ca1192900be25807f9ef51090b629ff8f4d |
| SHA512 | 29318d2f333612ab5e15c675b521d84ade1886515c1a2ce1c4c8aa65679a5b50ce29b61191fc6ce52851b9f701c74a7840dc6be2faca66dcc4857573a8c58436 |
memory/656-379-0x0000000000400000-0x0000000000434000-memory.dmp
memory/656-384-0x0000000000250000-0x0000000000284000-memory.dmp
memory/2564-380-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2028-391-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2564-390-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Bpfeppop.exe
| MD5 | 387883219586ca678b38cd924056d697 |
| SHA1 | 128c5dfd0f9c4823ab89fc2de3c1f995e54c7ada |
| SHA256 | 288a58e0be4cd14e09e6237b9744d946796d5a9504be10930ef1c6d3b5827c9c |
| SHA512 | 0431b5901b91b440288f2e147da0fe3d9d79e807c92015139120a3c99563e724bc7dd1673785859e4110006ec6569802ec5e13d2d7608dfac0bab61f20af899e |
C:\Windows\SysWOW64\Bfpnmj32.exe
| MD5 | ec314677c7198d96bb4094fdd6e10b58 |
| SHA1 | 24d4f2a8b4534d5db7fc0cc35c6fd38646d2fcac |
| SHA256 | 2aef1e112762180df9556cc16bffe402ac7bcdafa61cb13f747c056d71379bb2 |
| SHA512 | 5a71eead55377510e576c14e602365b5ca9963a9108ac97612562936eb6b71efb176ccf24945063db466b1b3588770f677427f2cd84f553c0449d09f10084ed2 |
memory/2028-400-0x0000000000260000-0x0000000000294000-memory.dmp
memory/1740-403-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2676-402-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2028-401-0x0000000000260000-0x0000000000294000-memory.dmp
memory/532-412-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Biojif32.exe
| MD5 | a47dc2a3f5bd1d38b4a6b3675c0deb01 |
| SHA1 | 09f2843b5532fe44fe5d28f9348e54e7067eb82c |
| SHA256 | 2ecde1bfbe167b90559f363794c5776ee981a83dd24c8ec7e5863d3b4381aebb |
| SHA512 | 69debcde25bae37d7788981c78b73b52d30480aeba730793b0d97a2881454e56e4adfe2fc645e74cf6ab58fbbb7f9f9da418e393f8a4248417d6236cbb49da66 |
memory/836-417-0x0000000000400000-0x0000000000434000-memory.dmp
memory/836-419-0x0000000001F30000-0x0000000001F64000-memory.dmp
memory/2292-428-0x0000000000400000-0x0000000000434000-memory.dmp
memory/576-423-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bnkbam32.exe
| MD5 | fbe1330a5863cf79b5d09872245ad0e6 |
| SHA1 | 2ed7c7b56b1101e4c360649f119fb30fbd37f6ed |
| SHA256 | 5ceb9d65aedd0703d75b7020ac57955827efd808e090213454863a581555e45a |
| SHA512 | 90f0dd12f40e3f81e93213e964b0361ec1dab003ce1ce4e03027d1a22077718d6d8598a5453fb298461dde3497f87452c468cdc0c417e48999f4b3bddb6da5d8 |
C:\Windows\SysWOW64\Bajomhbl.exe
| MD5 | 670fe2510ea88b96a21f2ee8b48e7667 |
| SHA1 | 6fa69e6aaaadd6c97e7611675f8aa3b351c666d5 |
| SHA256 | 0fbb4d1ca676ac130f2fbb225442f0384592fbaedab9153a9388bd078a87abf0 |
| SHA512 | dd0326fd87f8574755fe721b9b5be514010a9739e6be177b4732d3dd23e8cc8b6c26a99a2e81e42a26d1137ed22ac4adf25a7b954c06ed4e53d4499bd504c86e |
memory/3012-438-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2204-433-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1260-446-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2384-445-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3012-444-0x0000000000260000-0x0000000000294000-memory.dmp
memory/3012-443-0x0000000000260000-0x0000000000294000-memory.dmp
C:\Windows\SysWOW64\Biafnecn.exe
| MD5 | 0281db64b7337a7550d1cded38a4d6ec |
| SHA1 | 792acbc0806c96d6beed7077a6814171335cc719 |
| SHA256 | da4c8a8a7b17ab347ee313f4420b0b99eb41b61c4458604224ed2cddb0c0ec02 |
| SHA512 | f79236e98adc6dd9a3c34d556d1e43cd2dc5dca744346d6cf1b6cab1f3617d97e695162aa6449b6d38d488b3bea7fe7200ee828c59194772727159e21fd2901c |
memory/2136-452-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bonoflae.exe
| MD5 | a3bf02811b2300b7319b288b3746476b |
| SHA1 | cc13712812b29513429b82864c55089dd062999c |
| SHA256 | ccd897a40c3d91dedb7c50b59bc8a41026c38c5dce40f9e204618b3c724daf5d |
| SHA512 | feb46073ad7be112b96cbe9b2ed6ee95f500d36daf5ca307899cfd0b03c25f56932e7203029cef3963f8e7efd51c37884feb05753d5a93eebaa686dbbb0758bc |
memory/2948-457-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1260-456-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Bbikgk32.exe
| MD5 | d4b49483bce6395967d9b8c36e1c038b |
| SHA1 | e6f55faff4d6e1f9ad7c2f41b91c5e531a7b7e24 |
| SHA256 | eebe801578f9a775b256e9654ded73be15aeaafa83303adc812f475bfd8eec06 |
| SHA512 | 25c65dc1a558efa42000ca30ebe71e6dfd5c2782814b9f08c559f041f33cb176953ce5d9a4b0aa26ab606a64e790f1b09b648fe59c7de1e7c37c74c96a94a37e |
memory/2312-470-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2980-472-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2312-474-0x0000000000250000-0x0000000000284000-memory.dmp
C:\Windows\SysWOW64\Behgcf32.exe
| MD5 | 0c84a3e85cc211f3e8ff323dfe7b420d |
| SHA1 | bead3219e037705267d59988466f455428cde098 |
| SHA256 | ff8b2bc4311f977323e3fe7f46a19fb7b9cab6369f67887fea7e5955ec0ac83b |
| SHA512 | 9780660473a0346423e422b17d11e09eaa17869242e0a984edad9a03ba33cb4d173c48f4ef5123c1a7d15fac57006f867080a348928595fee126ba91321736b0 |
memory/1780-478-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2980-477-0x0000000000250000-0x0000000000284000-memory.dmp
memory/1316-483-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Bjdplm32.exe
| MD5 | f71e7bc9fdf282138342bd70bf1171be |
| SHA1 | 6bd84523ed90a91559c9a0a83b4cc54fa8d5d9dc |
| SHA256 | 29bfb3f9a336f53d657b61630946833e5e5f607009e0d03be7fb4564003ea212 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-16 16:06
Reported
2024-09-16 16:08
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpoefk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Migjoaaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfgmjqop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocdqjceo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcmabg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocgmpccl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmidog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qmkadgpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Olmeci32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mlopkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmiciaaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mchhggno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Menjdbgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aclpap32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjcbbmif.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojjolnaq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pggbkagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmpijp32.exe | N/A |
Berbew
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Dmjapi32.dll | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| File created | C:\Windows\SysWOW64\Jijjfldq.dll | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfhhoi32.exe | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Meiaib32.exe | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nloiakho.exe | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Belebq32.exe | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| File created | C:\Windows\SysWOW64\Gdkkfn32.dll | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijfjal32.dll | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcncpbmd.exe | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqmjog32.exe | C:\Windows\SysWOW64\Pjcbbmif.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aeklkchg.exe | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| File created | C:\Windows\SysWOW64\Phiifkjp.dll | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcmabg32.exe | C:\Windows\SysWOW64\Mpoefk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmfiloih.dll | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghilmi32.dll | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmefhako.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmnldp32.exe | C:\Windows\SysWOW64\Megdccmb.exe | N/A |
| File created | C:\Windows\SysWOW64\Olkhmi32.exe | C:\Windows\SysWOW64\Ofqpqo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmkadgpo.exe | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Beglgani.exe | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Medgncoe.exe | C:\Windows\SysWOW64\Mbfkbhpa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjcbbmif.exe | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qdbiedpa.exe | C:\Windows\SysWOW64\Qmkadgpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgcbgo32.exe | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nedmmlba.dll | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncdgcf32.exe | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckmllpik.dll | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmcibama.exe | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Dddhpjof.exe | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hleecc32.dll | C:\Windows\SysWOW64\Mchhggno.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcdmai32.dll | C:\Windows\SysWOW64\Ocdqjceo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Olmeci32.exe | C:\Windows\SysWOW64\Ofcmfodb.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqpgdfnp.exe | C:\Windows\SysWOW64\Pnakhkol.exe | N/A |
| File created | C:\Windows\SysWOW64\Gallfmbn.dll | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddjejl32.exe | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmefhako.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkenegog.dll | C:\Windows\SysWOW64\Nilcjp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acjclpcf.exe | C:\Windows\SysWOW64\Ampkof32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjlogcip.dll | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qmmnjfnl.exe | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chjaol32.exe | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmlcbbcj.exe | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Omocan32.dll | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amfoeb32.dll | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Npcoakfp.exe | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nebdoa32.exe | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmpijp32.exe | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nphhmj32.exe | C:\Windows\SysWOW64\Nlmllkja.exe | N/A |
| File created | C:\Windows\SysWOW64\Qfcfml32.exe | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgngca32.dll | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bobiobnp.dll | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncdgcf32.exe | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| File created | C:\Windows\SysWOW64\Ingbah32.dll | C:\Windows\SysWOW64\Lmiciaaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifndpaoq.dll | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcijeb32.exe | C:\Windows\SysWOW64\Pmoahijl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngbpidjh.exe | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gdeahgnm.dll | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| File created | C:\Windows\SysWOW64\Coffpf32.dll | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Olfdahne.dll | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nfgmjqop.exe | C:\Windows\SysWOW64\Nloiakho.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocpgod32.exe | C:\Windows\SysWOW64\Opakbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njefqo32.exe | C:\Windows\SysWOW64\Nfgmjqop.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mchhggno.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmpijp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mbfkbhpa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nloiakho.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofqpqo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mpoefk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofcmfodb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mcmabg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlopkm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pggbkagp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afmhck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Npcoakfp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmidog32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ampkof32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Migjoaaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdmnlj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll" | C:\Windows\SysWOW64\Nebdoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll" | C:\Windows\SysWOW64\Ofqpqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" | C:\Windows\SysWOW64\Ofcmfodb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Olmeci32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll" | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Npcoakfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll" | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll" | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mchhggno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nlmllkja.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll" | C:\Windows\SysWOW64\Mlhbal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll" | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pnakhkol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll" | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll" | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lmiciaaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll" | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll" | C:\Windows\SysWOW64\Pqmjog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe | "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe" |
| C:\Windows\SysWOW64\Lgokmgjm.exe | C:\Windows\system32\Lgokmgjm.exe |
| C:\Windows\SysWOW64\Lmiciaaj.exe | C:\Windows\system32\Lmiciaaj.exe |
| C:\Windows\SysWOW64\Lllcen32.exe | C:\Windows\system32\Lllcen32.exe |
| C:\Windows\SysWOW64\Mbfkbhpa.exe | C:\Windows\system32\Mbfkbhpa.exe |
| C:\Windows\SysWOW64\Medgncoe.exe | C:\Windows\system32\Medgncoe.exe |
| C:\Windows\SysWOW64\Mlopkm32.exe | C:\Windows\system32\Mlopkm32.exe |
| C:\Windows\SysWOW64\Mchhggno.exe | C:\Windows\system32\Mchhggno.exe |
| C:\Windows\SysWOW64\Megdccmb.exe | C:\Windows\system32\Megdccmb.exe |
| C:\Windows\SysWOW64\Mmnldp32.exe | C:\Windows\system32\Mmnldp32.exe |
| C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\system32\Mckemg32.exe |
| C:\Windows\SysWOW64\Meiaib32.exe | C:\Windows\system32\Meiaib32.exe |
| C:\Windows\SysWOW64\Mmpijp32.exe | C:\Windows\system32\Mmpijp32.exe |
| C:\Windows\SysWOW64\Mpoefk32.exe | C:\Windows\system32\Mpoefk32.exe |
| C:\Windows\SysWOW64\Mcmabg32.exe | C:\Windows\system32\Mcmabg32.exe |
| C:\Windows\SysWOW64\Migjoaaf.exe | C:\Windows\system32\Migjoaaf.exe |
| C:\Windows\SysWOW64\Mdmnlj32.exe | C:\Windows\system32\Mdmnlj32.exe |
| C:\Windows\SysWOW64\Menjdbgj.exe | C:\Windows\system32\Menjdbgj.exe |
| C:\Windows\SysWOW64\Mlhbal32.exe | C:\Windows\system32\Mlhbal32.exe |
| C:\Windows\SysWOW64\Npcoakfp.exe | C:\Windows\system32\Npcoakfp.exe |
| C:\Windows\SysWOW64\Ngmgne32.exe | C:\Windows\system32\Ngmgne32.exe |
| C:\Windows\SysWOW64\Nilcjp32.exe | C:\Windows\system32\Nilcjp32.exe |
| C:\Windows\SysWOW64\Nngokoej.exe | C:\Windows\system32\Nngokoej.exe |
| C:\Windows\SysWOW64\Ncdgcf32.exe | C:\Windows\system32\Ncdgcf32.exe |
| C:\Windows\SysWOW64\Nebdoa32.exe | C:\Windows\system32\Nebdoa32.exe |
| C:\Windows\SysWOW64\Nlmllkja.exe | C:\Windows\system32\Nlmllkja.exe |
| C:\Windows\SysWOW64\Nphhmj32.exe | C:\Windows\system32\Nphhmj32.exe |
| C:\Windows\SysWOW64\Ngbpidjh.exe | C:\Windows\system32\Ngbpidjh.exe |
| C:\Windows\SysWOW64\Njqmepik.exe | C:\Windows\system32\Njqmepik.exe |
| C:\Windows\SysWOW64\Nloiakho.exe | C:\Windows\system32\Nloiakho.exe |
| C:\Windows\SysWOW64\Nfgmjqop.exe | C:\Windows\system32\Nfgmjqop.exe |
| C:\Windows\SysWOW64\Njefqo32.exe | C:\Windows\system32\Njefqo32.exe |
| C:\Windows\SysWOW64\Ogifjcdp.exe | C:\Windows\system32\Ogifjcdp.exe |
| C:\Windows\SysWOW64\Opakbi32.exe | C:\Windows\system32\Opakbi32.exe |
| C:\Windows\SysWOW64\Ocpgod32.exe | C:\Windows\system32\Ocpgod32.exe |
| C:\Windows\SysWOW64\Ojjolnaq.exe | C:\Windows\system32\Ojjolnaq.exe |
| C:\Windows\SysWOW64\Olhlhjpd.exe | C:\Windows\system32\Olhlhjpd.exe |
| C:\Windows\SysWOW64\Ocbddc32.exe | C:\Windows\system32\Ocbddc32.exe |
| C:\Windows\SysWOW64\Ofqpqo32.exe | C:\Windows\system32\Ofqpqo32.exe |
| C:\Windows\SysWOW64\Olkhmi32.exe | C:\Windows\system32\Olkhmi32.exe |
| C:\Windows\SysWOW64\Ocdqjceo.exe | C:\Windows\system32\Ocdqjceo.exe |
| C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\system32\Ofcmfodb.exe |
| C:\Windows\SysWOW64\Olmeci32.exe | C:\Windows\system32\Olmeci32.exe |
| C:\Windows\SysWOW64\Ocgmpccl.exe | C:\Windows\system32\Ocgmpccl.exe |
| C:\Windows\SysWOW64\Ojaelm32.exe | C:\Windows\system32\Ojaelm32.exe |
| C:\Windows\SysWOW64\Pmoahijl.exe | C:\Windows\system32\Pmoahijl.exe |
| C:\Windows\SysWOW64\Pcijeb32.exe | C:\Windows\system32\Pcijeb32.exe |
| C:\Windows\SysWOW64\Pjcbbmif.exe | C:\Windows\system32\Pjcbbmif.exe |
| C:\Windows\SysWOW64\Pqmjog32.exe | C:\Windows\system32\Pqmjog32.exe |
| C:\Windows\SysWOW64\Pggbkagp.exe | C:\Windows\system32\Pggbkagp.exe |
| C:\Windows\SysWOW64\Pnakhkol.exe | C:\Windows\system32\Pnakhkol.exe |
| C:\Windows\SysWOW64\Pqpgdfnp.exe | C:\Windows\system32\Pqpgdfnp.exe |
| C:\Windows\SysWOW64\Pcncpbmd.exe | C:\Windows\system32\Pcncpbmd.exe |
| C:\Windows\SysWOW64\Pflplnlg.exe | C:\Windows\system32\Pflplnlg.exe |
| C:\Windows\SysWOW64\Pmfhig32.exe | C:\Windows\system32\Pmfhig32.exe |
| C:\Windows\SysWOW64\Pfolbmje.exe | C:\Windows\system32\Pfolbmje.exe |
| C:\Windows\SysWOW64\Pmidog32.exe | C:\Windows\system32\Pmidog32.exe |
| C:\Windows\SysWOW64\Pcbmka32.exe | C:\Windows\system32\Pcbmka32.exe |
| C:\Windows\SysWOW64\Pfaigm32.exe | C:\Windows\system32\Pfaigm32.exe |
| C:\Windows\SysWOW64\Qmkadgpo.exe | C:\Windows\system32\Qmkadgpo.exe |
| C:\Windows\SysWOW64\Qdbiedpa.exe | C:\Windows\system32\Qdbiedpa.exe |
| C:\Windows\SysWOW64\Qfcfml32.exe | C:\Windows\system32\Qfcfml32.exe |
| C:\Windows\SysWOW64\Qmmnjfnl.exe | C:\Windows\system32\Qmmnjfnl.exe |
| C:\Windows\SysWOW64\Qddfkd32.exe | C:\Windows\system32\Qddfkd32.exe |
| C:\Windows\SysWOW64\Qgcbgo32.exe | C:\Windows\system32\Qgcbgo32.exe |
| C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\system32\Ajanck32.exe |
| C:\Windows\SysWOW64\Ampkof32.exe | C:\Windows\system32\Ampkof32.exe |
| C:\Windows\SysWOW64\Acjclpcf.exe | C:\Windows\system32\Acjclpcf.exe |
| C:\Windows\SysWOW64\Afhohlbj.exe | C:\Windows\system32\Afhohlbj.exe |
| C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\system32\Ambgef32.exe |
| C:\Windows\SysWOW64\Aclpap32.exe | C:\Windows\system32\Aclpap32.exe |
| C:\Windows\SysWOW64\Agglboim.exe | C:\Windows\system32\Agglboim.exe |
| C:\Windows\SysWOW64\Ajfhnjhq.exe | C:\Windows\system32\Ajfhnjhq.exe |
| C:\Windows\SysWOW64\Amddjegd.exe | C:\Windows\system32\Amddjegd.exe |
| C:\Windows\SysWOW64\Aeklkchg.exe | C:\Windows\system32\Aeklkchg.exe |
| C:\Windows\SysWOW64\Afmhck32.exe | C:\Windows\system32\Afmhck32.exe |
| C:\Windows\SysWOW64\Amgapeea.exe | C:\Windows\system32\Amgapeea.exe |
| C:\Windows\SysWOW64\Aabmqd32.exe | C:\Windows\system32\Aabmqd32.exe |
| C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\system32\Aglemn32.exe |
| C:\Windows\SysWOW64\Ajkaii32.exe | C:\Windows\system32\Ajkaii32.exe |
| C:\Windows\SysWOW64\Aepefb32.exe | C:\Windows\system32\Aepefb32.exe |
| C:\Windows\SysWOW64\Bfabnjjp.exe | C:\Windows\system32\Bfabnjjp.exe |
| C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\system32\Bmkjkd32.exe |
| C:\Windows\SysWOW64\Bebblb32.exe | C:\Windows\system32\Bebblb32.exe |
| C:\Windows\SysWOW64\Bganhm32.exe | C:\Windows\system32\Bganhm32.exe |
| C:\Windows\SysWOW64\Baicac32.exe | C:\Windows\system32\Baicac32.exe |
| C:\Windows\SysWOW64\Bgcknmop.exe | C:\Windows\system32\Bgcknmop.exe |
| C:\Windows\SysWOW64\Bnmcjg32.exe | C:\Windows\system32\Bnmcjg32.exe |
| C:\Windows\SysWOW64\Bmpcfdmg.exe | C:\Windows\system32\Bmpcfdmg.exe |
| C:\Windows\SysWOW64\Beglgani.exe | C:\Windows\system32\Beglgani.exe |
| C:\Windows\SysWOW64\Bfhhoi32.exe | C:\Windows\system32\Bfhhoi32.exe |
| C:\Windows\SysWOW64\Bnpppgdj.exe | C:\Windows\system32\Bnpppgdj.exe |
| C:\Windows\SysWOW64\Banllbdn.exe | C:\Windows\system32\Banllbdn.exe |
| C:\Windows\SysWOW64\Bclhhnca.exe | C:\Windows\system32\Bclhhnca.exe |
| C:\Windows\SysWOW64\Bhhdil32.exe | C:\Windows\system32\Bhhdil32.exe |
| C:\Windows\SysWOW64\Bnbmefbg.exe | C:\Windows\system32\Bnbmefbg.exe |
| C:\Windows\SysWOW64\Belebq32.exe | C:\Windows\system32\Belebq32.exe |
| C:\Windows\SysWOW64\Chjaol32.exe | C:\Windows\system32\Chjaol32.exe |
| C:\Windows\SysWOW64\Cjinkg32.exe | C:\Windows\system32\Cjinkg32.exe |
| C:\Windows\SysWOW64\Cmgjgcgo.exe | C:\Windows\system32\Cmgjgcgo.exe |
| C:\Windows\SysWOW64\Cenahpha.exe | C:\Windows\system32\Cenahpha.exe |
| C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\system32\Cfpnph32.exe |
| C:\Windows\SysWOW64\Cjkjpgfi.exe | C:\Windows\system32\Cjkjpgfi.exe |
| C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\system32\Caebma32.exe |
| C:\Windows\SysWOW64\Cdcoim32.exe | C:\Windows\system32\Cdcoim32.exe |
| C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\system32\Cjmgfgdf.exe |
| C:\Windows\SysWOW64\Cnicfe32.exe | C:\Windows\system32\Cnicfe32.exe |
| C:\Windows\SysWOW64\Cmlcbbcj.exe | C:\Windows\system32\Cmlcbbcj.exe |
| C:\Windows\SysWOW64\Ceckcp32.exe | C:\Windows\system32\Ceckcp32.exe |
| C:\Windows\SysWOW64\Cfdhkhjj.exe | C:\Windows\system32\Cfdhkhjj.exe |
| C:\Windows\SysWOW64\Cmnpgb32.exe | C:\Windows\system32\Cmnpgb32.exe |
| C:\Windows\SysWOW64\Cajlhqjp.exe | C:\Windows\system32\Cajlhqjp.exe |
| C:\Windows\SysWOW64\Chcddk32.exe | C:\Windows\system32\Chcddk32.exe |
| C:\Windows\SysWOW64\Cjbpaf32.exe | C:\Windows\system32\Cjbpaf32.exe |
| C:\Windows\SysWOW64\Cmqmma32.exe | C:\Windows\system32\Cmqmma32.exe |
| C:\Windows\SysWOW64\Calhnpgn.exe | C:\Windows\system32\Calhnpgn.exe |
| C:\Windows\SysWOW64\Ddjejl32.exe | C:\Windows\system32\Ddjejl32.exe |
| C:\Windows\SysWOW64\Djdmffnn.exe | C:\Windows\system32\Djdmffnn.exe |
| C:\Windows\SysWOW64\Dmcibama.exe | C:\Windows\system32\Dmcibama.exe |
| C:\Windows\SysWOW64\Ddmaok32.exe | C:\Windows\system32\Ddmaok32.exe |
| C:\Windows\SysWOW64\Djgjlelk.exe | C:\Windows\system32\Djgjlelk.exe |
| C:\Windows\SysWOW64\Dmefhako.exe | C:\Windows\system32\Dmefhako.exe |
| C:\Windows\SysWOW64\Ddonekbl.exe | C:\Windows\system32\Ddonekbl.exe |
| C:\Windows\SysWOW64\Deokon32.exe | C:\Windows\system32\Deokon32.exe |
| C:\Windows\SysWOW64\Dhmgki32.exe | C:\Windows\system32\Dhmgki32.exe |
| C:\Windows\SysWOW64\Dkkcge32.exe | C:\Windows\system32\Dkkcge32.exe |
| C:\Windows\SysWOW64\Dmjocp32.exe | C:\Windows\system32\Dmjocp32.exe |
| C:\Windows\SysWOW64\Dddhpjof.exe | C:\Windows\system32\Dddhpjof.exe |
| C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\system32\Dgbdlf32.exe |
| C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\system32\Dmllipeg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6008 -ip 6008 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 216 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/4072-0-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lgokmgjm.exe
| MD5 | 5c3171eccce98201c78670f4626c8c7b |
| SHA1 | dc2ea310f35c71d8c491da4e665d6135340f8e13 |
| SHA256 | 191edd1334af784bf5821a52878b562b0a0253ada6f556df80e1c6f0a6d4feea |
| SHA512 | 9a663964a032c11c4cf7dad8b2339170c997e002c9c246845e5e384138f2bb97f3cc1dd7e6807f3d25de7182003c7683af26340f2d82ec35dc10db6e68a3ab81 |
memory/2100-8-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lmiciaaj.exe
| MD5 | e93a6a5ca52d98738b895fbd1a0731fd |
| SHA1 | 54693813f9a7da360ab99b11af2371c4fa5b4545 |
| SHA256 | 5d6e14f498f0ffd3787d6dcfb1d3b497313aaba39df728e214fab26acf9ca145 |
| SHA512 | ff17ea15f02ed1f96f457e06da827ec2438be4f7f4423439d443e02b7642cf579e4de45870a05ee28336facfa0fa62051a6ff683c0a9f09f4fd7bbc75690012e |
memory/4764-16-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lllcen32.exe
| MD5 | 988168685c367f7069b48cf81ff71a7c |
| SHA1 | ac8151b708047280ed43fe8d88bb20547c128d7e |
| SHA256 | 49626b9a47f6895b03a658bb496efa2273f464e46f6bed8926ab20c24449af5a |
| SHA512 | 2aab886784193b6f96407fd196bbbd2ede8ba7e6d1822d6bc9e804322b71e565537e46548e1bd414c04730bfdf3c3608e6bc6fbe31ddd828ef7ae1786fc76e0c |
memory/3992-23-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mbfkbhpa.exe
| MD5 | 95acd99c8e649d835a04592407e81a85 |
| SHA1 | efee074768774a1305e0a977d3a226027f342644 |
| SHA256 | d547b333a7c1f64286433d6b4e6068c3bdb3ab40829485829f78a2317f195963 |
| SHA512 | 5fee801c89f01d357116b06052c1de710a7145403c48cb3da0c644e5160cc28ffc79f0f74cb43b8a7cc9a5627305fd188137c424b0a79d50817bdce6366b28d5 |
memory/2900-31-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Medgncoe.exe
| MD5 | 9bbf2f05d50196fe421cf4ceec8e8b3d |
| SHA1 | 5ba0a648193a924edb75b7ce8676b74b8af91926 |
| SHA256 | 21f5fafed700278445afb433e699e3934fb5333fd8efc68ecbe2a9338236b233 |
| SHA512 | d2f260b2c24cffef3409e2ae4c069c7c11ae4f18436a584b82e5aa2bbbfa25dc93409af6e056b20b8879d6a6a46ddea5f44dda0def68ee98e5c6aa951109c298 |
memory/2268-39-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mlopkm32.exe
| MD5 | bcecaaebcaab99f3f34d54253ffa7089 |
| SHA1 | 1fdfbd889f9b7e9c60a10e9bffb8fb9c4d70c6f6 |
| SHA256 | 33cf2787a27cc84042b686a75e5053749e500c6601f335e63755b73bef3c068e |
| SHA512 | 27e3f48b72e70162560eef28a88fc50dd3a68938224d017328294e9c87aa13b4dcc30e398cd31cdc8a62ab52ab96223acec8e25a7e66c588d6ba7752e8cd28ec |
C:\Windows\SysWOW64\Mlopkm32.exe
| MD5 | 6cd0cf6c21dba07c209ec1f60f076a0d |
| SHA1 | 03d698d91c38d3a34ab210795fb628d84a60c7c4 |
| SHA256 | 1246e63f2926bf1ae9feb6c1fe9757071160eece745148af84017b7a535109fe |
| SHA512 | 6d8dd4e7f169110e3dc0cadf264019f54079774814346f2d405e0bef72586a10e7771c544df53ebd2766785700ddfe477597ac050e2db4c8a353d1661ef2fee5 |
memory/3496-47-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mchhggno.exe
| MD5 | e1249e43fbef0714ddf084f71fa7bd9e |
| SHA1 | 0dacb5783affdac7d0b53005b11d3dcdb0cb67fa |
| SHA256 | 7b6ad91312cd4fc01b910bfcaebdf95ab10bfc0da0b98f41026fe6736b58b713 |
| SHA512 | 3a35812ece2c52d2b16a3e97b84c6153113ce91008c786bbaf74b09ba54a6a7cbf6563b755964d47d0f2b3eb91e25ccdccbe64ba029696f36e143abe8f9c6e30 |
memory/1376-55-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Megdccmb.exe
| MD5 | 33c7fc73bdff3c1a1a8924b45f95eeaf |
| SHA1 | 63f4f3e6f1435c48feb742f6d1dd5adcf7624510 |
| SHA256 | 4413bb8786c21aa0e100d608c6a0aad9e84eb77f3dc3e6cc5cc30f9e8deb154b |
| SHA512 | 5003013ba1754c3756cf7ed6b744c38e3494e8b8af9aa4f5cc709c83b3fee0bbcf8fbb0933628885f36b1da7509b5319c0f8ad6cc46a9c56bb863a6868e2a0e6 |
memory/3756-63-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mmnldp32.exe
| MD5 | 64190a677a042b8a372c4bed3ee2a1ce |
| SHA1 | f2774d3d990741fba01fbb53f5ffd5f5e6343284 |
| SHA256 | a7f6579f92131f15cec301951fccb6507a199baa3d3f7b36bd1fe959b4456473 |
| SHA512 | ab75b4402a71dd6f4ecd5c655258eb5b949c5e588e8158aac2bee1c104b2ca052d3e90408c9009117b5e30156e03a6db60a5266551c91abc4ddeb0333f741244 |
memory/3660-71-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mckemg32.exe
| MD5 | dff7b848ccf0a8c53e7ccdbd726d0b42 |
| SHA1 | e65c2b7ba49f21d21b69c3fe5e02755674f2f8df |
| SHA256 | 5f76088a48413185d27c2c3da92b7eefb044cf5baa939d9fb95bcbd6ef667cdc |
| SHA512 | ca42f0d3f759970cd226e3ce5a3557e0d298ef5b3280fd5e72449dc32a5e0364021d4b1847c026cf89e6a30cf037bac576fce42f785678e909b4411468e5f18f |
memory/4760-79-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Meiaib32.exe
| MD5 | d36d87e186c36a96e1c349777288d786 |
| SHA1 | 3a9c74220a97e819fc0e5cc92ae3472ba2742f87 |
| SHA256 | 7d786a7431601fa38b4d836f8f7d326354c29d75d02610afd434a1c039d5c37a |
| SHA512 | 2ce2cf2973718699c771747c48e6c638568a57c6be0fcbc8025d25e8dc2ebf59c2caf3b1af3953f146a8e896bce76036c8c1fba4452c6814202f5beb2536eab8 |
memory/4772-87-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mmpijp32.exe
| MD5 | 56b672824452b586a118c53248095b96 |
| SHA1 | f2d9e535da5a9037e27f88b8a035dd81891600f0 |
| SHA256 | b63b99f342ba1c7bad8381ea68ca0140cc75d3fee387aabc3593419c7b09e3aa |
| SHA512 | 5645ed61d174248e576867f4c9af4bd1de4aa46f9223e55ea5e28ef8ad595232f4ab98cc5ed9120baedd9fbeb4d7f96bc6b98795c9de29f2ae502a22851baaae |
memory/3416-95-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mpoefk32.exe
| MD5 | 460df5b57ff1da1d1db91ad58a1b1e38 |
| SHA1 | 864e1cead8f5c43a4d8a1add956437b0191b057f |
| SHA256 | 4ccea6506bf5c697b9e5e49589c85592b91a51e4080b68d09cf9811930d1d442 |
| SHA512 | bbe37fb25636dfc92c016cb4ab52e00745b04faa054c7040f75ecbdc982f156f3c66531fa47b1f4f7d65a2db1fb39331eff03b472722c01aaf3ac47da307b7f4 |
memory/2848-103-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mcmabg32.exe
| MD5 | 05adf2c331bfdaecc55b8523cced378e |
| SHA1 | 7eecbc389b19d538139bea6b54ffa5910cbbc5f6 |
| SHA256 | e6668a5dbfedb454be11ba0c8e0f5cd6b68c813f5a537f8470ee277ab3b27a63 |
| SHA512 | 1e2bd41e67cf6781c088e695cb4907c306129254ab640d12202732e336a29236359d088460a17719271fe1f15055ccaa4d423c82d377faffd5d0d2ff3031fd5a |
memory/1652-111-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Migjoaaf.exe
| MD5 | 9b885a3c09fa1949651341e6791ba6a1 |
| SHA1 | f5f50904df8be4829ae06d2345f568aefcdb7f1f |
| SHA256 | 2a8dc9b3aa0200648ce41c247393751945d8347ae763de0516eedfd4550551f6 |
| SHA512 | b2fbe0f02e5ee3405139427b9dacbbcfa7e62ea9e7dc46b5bf5ef4e553ed60539b9018520d0717b36fb8c90623fb457873d2628d3df26c53eec8f871c4fff02c |
memory/512-120-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Mdmnlj32.exe
| MD5 | afca76b09a656d3f26acd6f4da29b804 |
| SHA1 | c6b68d1b88a5535a51ba1d77dfa6ec1cabd2572c |
| SHA256 | 4d3217ff6e9ed5215e16cecc92df233705deee174a94a482ead22dd235e4f6dc |
| SHA512 | 7a89a6a2649ed18233f38261070b1c00fff1279cdcc3aefa90faa293f4b8d6bd5cae000ac8fa23f70f7d7585d5ec33989305ea6435ae6fe43d14d3756ccffa5b |
memory/3200-128-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Menjdbgj.exe
| MD5 | a1c9ed13a612cd58f5c10153370ee988 |
| SHA1 | 5e2c4b138fd59fc0407b1282bfaa23fa741e5b53 |
| SHA256 | 8ccdbb1334a78be2fd3e308d66491edbb49fb02849cb250381fa630620f62a9d |
| SHA512 | dd347d61ff738c314b7028a77cfa6105df25bcd663f852aacb2b86f95ab896a3674429725e970154040b8e8213a478222e180d453c856d8755527e832afbca27 |
memory/3848-135-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Npcoakfp.exe
| MD5 | 5f273c799afcf6abe51340738b9ee49d |
| SHA1 | 034b5d30928296745c941b3bde2080895d22a57f |
| SHA256 | 24c8eed054fbc770e101bcaa60e47099d3df04f6ce099f98e1751678b450e4f2 |
| SHA512 | d5b64ae11240a745b469b8b4ceadc20e8aa825e0eb381260c160517e644015600488301a749bfa8c5b5c417788489b2f668ee02e6ffd19d152bb6deac4ad5e2f |
memory/4432-144-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Npcoakfp.exe
| MD5 | abf60bc4e286d140501ca45870fc9583 |
| SHA1 | 902050f6702316f0114ebe49bad68db9c4564502 |
| SHA256 | c1eaa8ab49fc62c9ec6f68385020362dcab7eb22c58aed1368a85643ba89c6a2 |
| SHA512 | 02449ad0427fd6ee40b2a92dc4748775e1efbeba26755604246e4407422f012e244f25352949a975b9467ec2c925b9715d09481a686c11f6c6310d5211e87064 |
memory/2388-151-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ngmgne32.exe
| MD5 | e49d7fde67450e0bd64ebc69e489a8e6 |
| SHA1 | 08e0082e250831a5733139a3d4341b4ae2ccdf69 |
| SHA256 | 8753b327de8858c1ad2d4a169c557eaea09a0bebf7f194291ea73d233045611a |
| SHA512 | d46bf41d82eadcdefd69046d69db4d7ddadc6b7895255a31aeb89682a1968e97ff59e98586c319e19506fa062ace949f0377af37efb3e5a559ec2974d9295c3f |
memory/2764-159-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Nilcjp32.exe
| MD5 | 734154f24ccc78962d43fb9bf092fe81 |
| SHA1 | 89d3b6fc59107e9d323c0f44baa219897b1f84e4 |
| SHA256 | 839922ae7472e03c83bf9f1a87c78019cf367d1525e1375908f453256ccfd66b |
| SHA512 | 2bb8f66e4f497f6e33dc65cd3f6964fb667ffeba9801d249a57b1e9c2254de6653165be7df087a2f5ba8b7c8fa450889285847a484ca679e5519a363e4b1b249 |
memory/1644-168-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Nngokoej.exe
| MD5 | 48e3e9a6142d10035bfa2f70c20c4589 |
| SHA1 | 4f31556a546d7f1e682972a9b2bfa472cfb7ca1b |
| SHA256 | a24b0f016b3c822b6216fc6e10c180a1a794e5195356e71eeb33fecaf6fae25e |
| SHA512 | 582f7e94c97c0ebf495f5be073611eacc041f2a8e6576f5d366c64900f5a0a61ba35fb701e097943f5982a9279c9d6171646865ff4405397245c5c201dd6fc79 |
memory/4484-176-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ncdgcf32.exe
| MD5 | 80f15e648e2e4383819cb903c6dc028b |
| SHA1 | f2b1e8d951fd0403114f46d21a7ff3690118cd00 |
| SHA256 | cf4b7e53ba85d0132aadd3a08420141eb95af4a481956b9ecfb6595aa9dd912b |
| SHA512 | af56bb70d4eb0a8be17145a5cf1228cb15c88d2323f8f96d6e5ff41e306d8a3452963f137d3ab25fc94127f442bb83191f2327e992ad8e6210063d5ae65ff200 |
memory/1948-184-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Nebdoa32.exe
| MD5 | 072d10850bda412153d214728914c687 |
| SHA1 | 356f0aaf984fb656eb04d6eca93921724318dd67 |
| SHA256 | 25aab746b29146c1603d8ef4eb473d56dddf0f07bbcd6d68de476fd3d2c7cbb3 |
| SHA512 | 65ecc2bc8431f1d66444feee9da61f6a140e52a9b3115e4ef9946b7dcee833564f50fb7c3772aededb4819d1b897ed14a1d3c4776a53bc1111bbb1f4a3d9da53 |
C:\Windows\SysWOW64\Nlmllkja.exe
| MD5 | b8c906857c0f6b51fe0a860b5c497975 |
| SHA1 | 44dcc694065975e59d5340df4b38ef51ad543f56 |
| SHA256 | 1e32d37d5e08bda236c93eb67a4f08604a090e2bb06a287aa696e736405bb372 |
| SHA512 | 500da844f84422049005d5caded41c7edd4d70eebcb6b0e69de7ab3cb7a66c1937ef7286ac99c928cf1a14f3c94910233095415839f256cd722ccc698ba15fea |
memory/1388-196-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2312-204-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Nphhmj32.exe
| MD5 | f6bb55fccbcfdde377a7205942affac9 |
| SHA1 | 36fa7246411012977cd1b6dd19839511883f6fc3 |
| SHA256 | d628526393ad3d26d0a40b0f5643887b234a365586a23eef0127bd72efba8b5c |
| SHA512 | ce59b5d817c5f9fa761963821d29f205ff2c5714aac8ab5a18ef01527da5a20e158a0d9676faae66c37c6c48e4a82f5aace448dd078d264b44ab1b92a2a7cc9d |
memory/2856-207-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ngbpidjh.exe
| MD5 | f3c75f3a616628f0c77204ecebc44791 |
| SHA1 | c5ea8fb913635175d4ff6b5ec293bf1b23290c86 |
| SHA256 | 0adfe9969dcb140937b757246bd8bab15b785241fbe08509745a9e4242cddf6f |
| SHA512 | da010d0fdbb1635b01a53ab64360416db6b551026afe044d15e516f9727c10df33defa474b7ad13bb36bdf1750ace5e321b4dd8aab04a610d864d1d4052c599a |
memory/2364-220-0x0000000000400000-0x0000000000434000-memory.dmp