Malware Analysis Report

2024-10-16 03:39

Sample ID 240916-mm5yyashlk
Target Backdoor.Win32.Berbew.AA.MTB-4bc64c8af938f5fd093f9a1d9e8ad6fcfdaef698c51079f1e209d456d7510bd5N
SHA256 4bc64c8af938f5fd093f9a1d9e8ad6fcfdaef698c51079f1e209d456d7510bd5
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bc64c8af938f5fd093f9a1d9e8ad6fcfdaef698c51079f1e209d456d7510bd5

Threat Level: Known bad

The file Backdoor.Win32.Berbew.AA.MTB-4bc64c8af938f5fd093f9a1d9e8ad6fcfdaef698c51079f1e209d456d7510bd5N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 10:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 10:35

Reported

2024-09-16 10:37

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhdhefpc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efedga32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khnapkjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djlfma32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfaeme32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqolji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iakino32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Igebkiof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkojbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fahhnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmdbnnlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gecpnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gglbfg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnmiag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fahhnn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifolhann.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Blfapfpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ifmocb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Keioca32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fglfgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gncnmane.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfhfhbce.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibfmmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jimdcqom.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbhebfck.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdhleh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eoebgcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fkqlgc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmdbnnlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gonale32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmmdin32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hqiqjlga.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dahkok32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaagcpdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hoqjqhjf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Inmmbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnhbmpkn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Deakjjbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khjgel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eifmimch.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gojhafnb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmkmjoec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hqiqjlga.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khjgel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iediin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdeaelok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdhleh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eppefg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iipejmko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kadica32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhgifgnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbjbge32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elibpg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hoqjqhjf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdgdji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgnokgcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ijcngenj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jefbnacn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bogjaamh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeojcmfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jabponba.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apppkekc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dekdikhc.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Adfbpega.exe N/A
N/A N/A C:\Windows\SysWOW64\Acicla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpkmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apmcefmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Adipfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anadojlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Apppkekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfapfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjjaikoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bogjaamh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfabnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boifga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbhccm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhbkpgbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bolcma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdhleh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhdhefpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkbdabog.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqolji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccnifd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjhabndo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdmepgce.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccpeld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjjnhnbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmhjdiap.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgnnab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfckcoen.exe N/A
N/A N/A C:\Windows\SysWOW64\Colpld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cehhdkjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmppehkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpnladjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dblhmoio.exe N/A
N/A N/A C:\Windows\SysWOW64\Dekdikhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgiaefgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dppigchi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dboeco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Demaoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djjjga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbabho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Deondj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgnjqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlifadkk.exe N/A
N/A N/A C:\Windows\SysWOW64\Djlfma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnhbmpkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Deakjjbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcdkef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfcgbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnjoco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dahkok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dahkok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhbdleol.exe N/A
N/A N/A C:\Windows\SysWOW64\Efedga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eicpcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emoldlmc.exe N/A
N/A N/A C:\Windows\SysWOW64\Epnhpglg.exe N/A
N/A N/A C:\Windows\SysWOW64\Edidqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eblelb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejcmmp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eifmimch.exe N/A
N/A N/A C:\Windows\SysWOW64\Emaijk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eppefg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebnabb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eemnnn32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfbpega.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfbpega.exe N/A
N/A N/A C:\Windows\SysWOW64\Acicla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acicla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpkmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpkmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apmcefmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Apmcefmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Adipfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adipfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anadojlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Anadojlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Apppkekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Apppkekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfapfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfapfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjjaikoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjjaikoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bogjaamh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bogjaamh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfabnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfabnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boifga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boifga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbhccm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbhccm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhbkpgbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhbkpgbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bolcma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bolcma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdhleh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdhleh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhdhefpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhdhefpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkbdabog.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkbdabog.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqolji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqolji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccnifd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccnifd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjhabndo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjhabndo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdmepgce.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdmepgce.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccpeld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccpeld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjjnhnbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjjnhnbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmhjdiap.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmhjdiap.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgnnab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgnnab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfckcoen.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfckcoen.exe N/A
N/A N/A C:\Windows\SysWOW64\Colpld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Colpld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cehhdkjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cehhdkjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmppehkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmppehkh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Lpfhdddb.dll C:\Windows\SysWOW64\Icncgf32.exe N/A
File created C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Kgcnahoo.exe C:\Windows\SysWOW64\Kdeaelok.exe N/A
File created C:\Windows\SysWOW64\Egjeoijn.dll C:\Windows\SysWOW64\Bhdhefpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Elibpg32.exe C:\Windows\SysWOW64\Ehnfpifm.exe N/A
File created C:\Windows\SysWOW64\Plcpehgf.dll C:\Windows\SysWOW64\Feachqgb.exe N/A
File created C:\Windows\SysWOW64\Eickphoo.dll C:\Windows\SysWOW64\Gamnhq32.exe N/A
File created C:\Windows\SysWOW64\Hifbdnbi.exe C:\Windows\SysWOW64\Hjcaha32.exe N/A
File created C:\Windows\SysWOW64\Iclbpj32.exe C:\Windows\SysWOW64\Iamfdo32.exe N/A
File created C:\Windows\SysWOW64\Jibnop32.exe C:\Windows\SysWOW64\Jefbnacn.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhbkpgbf.exe C:\Windows\SysWOW64\Bbhccm32.exe N/A
File created C:\Windows\SysWOW64\Gocbagqd.dll C:\Windows\SysWOW64\Efedga32.exe N/A
File created C:\Windows\SysWOW64\Lmjcge32.dll C:\Windows\SysWOW64\Edidqf32.exe N/A
File created C:\Windows\SysWOW64\Giaidnkf.exe C:\Windows\SysWOW64\Gajqbakc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hfhfhbce.exe C:\Windows\SysWOW64\Hcjilgdb.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Jplfkjbd.exe N/A
File created C:\Windows\SysWOW64\Blfapfpg.exe C:\Windows\SysWOW64\Ajhddk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djjjga32.exe C:\Windows\SysWOW64\Demaoj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djlfma32.exe C:\Windows\SysWOW64\Dlifadkk.exe N/A
File opened for modification C:\Windows\SysWOW64\Goldfelp.exe C:\Windows\SysWOW64\Gpidki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hfjbmb32.exe C:\Windows\SysWOW64\Hclfag32.exe N/A
File created C:\Windows\SysWOW64\Nedmma32.dll C:\Windows\SysWOW64\Adipfd32.exe N/A
File created C:\Windows\SysWOW64\Fmaeho32.exe C:\Windows\SysWOW64\Fkcilc32.exe N/A
File created C:\Windows\SysWOW64\Gojhafnb.exe C:\Windows\SysWOW64\Glklejoo.exe N/A
File opened for modification C:\Windows\SysWOW64\Giaidnkf.exe C:\Windows\SysWOW64\Gajqbakc.exe N/A
File created C:\Windows\SysWOW64\Mebgijei.dll C:\Windows\SysWOW64\Jbclgf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibfmmb32.exe C:\Windows\SysWOW64\Ikldqile.exe N/A
File created C:\Windows\SysWOW64\Bnnjlmid.dll C:\Windows\SysWOW64\Dppigchi.exe N/A
File created C:\Windows\SysWOW64\Dnhbmpkn.exe C:\Windows\SysWOW64\Djlfma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eogolc32.exe C:\Windows\SysWOW64\Elibpg32.exe N/A
File created C:\Windows\SysWOW64\Jhgikm32.dll C:\Windows\SysWOW64\Eogolc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Glklejoo.exe C:\Windows\SysWOW64\Fimoiopk.exe N/A
File created C:\Windows\SysWOW64\Jlflfm32.dll C:\Windows\SysWOW64\Kipmhc32.exe N/A
File created C:\Windows\SysWOW64\Ajhddk32.exe C:\Windows\SysWOW64\Apppkekc.exe N/A
File opened for modification C:\Windows\SysWOW64\Colpld32.exe C:\Windows\SysWOW64\Cfckcoen.exe N/A
File created C:\Windows\SysWOW64\Hellqgnm.dll C:\Windows\SysWOW64\Glbaei32.exe N/A
File created C:\Windows\SysWOW64\Hjmlhbbg.exe C:\Windows\SysWOW64\Hgnokgcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ikgkei32.exe C:\Windows\SysWOW64\Hiioin32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gncnmane.exe C:\Windows\SysWOW64\Glbaei32.exe N/A
File created C:\Windows\SysWOW64\Igebkiof.exe C:\Windows\SysWOW64\Icifjk32.exe N/A
File created C:\Windows\SysWOW64\Dgcgbb32.dll C:\Windows\SysWOW64\Jcciqi32.exe N/A
File created C:\Windows\SysWOW64\Kmfpmc32.exe C:\Windows\SysWOW64\Kjhcag32.exe N/A
File created C:\Windows\SysWOW64\Pgodelnq.dll C:\Windows\SysWOW64\Kdeaelok.exe N/A
File created C:\Windows\SysWOW64\Canipj32.dll C:\Windows\SysWOW64\Bdhleh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cehhdkjf.exe C:\Windows\SysWOW64\Colpld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dlifadkk.exe C:\Windows\SysWOW64\Dgnjqe32.exe N/A
File created C:\Windows\SysWOW64\Kmnfciac.dll C:\Windows\SysWOW64\Jbhebfck.exe N/A
File created C:\Windows\SysWOW64\Jplfkjbd.exe C:\Windows\SysWOW64\Jlqjkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Deakjjbk.exe C:\Windows\SysWOW64\Dnhbmpkn.exe N/A
File created C:\Windows\SysWOW64\Ojmklbll.dll C:\Windows\SysWOW64\Ebnabb32.exe N/A
File created C:\Windows\SysWOW64\Fkqlgc32.exe C:\Windows\SysWOW64\Flnlkgjq.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghdiokbq.exe C:\Windows\SysWOW64\Giaidnkf.exe N/A
File created C:\Windows\SysWOW64\Ifkmqd32.dll C:\Windows\SysWOW64\Jefbnacn.exe N/A
File created C:\Windows\SysWOW64\Mcbdnmap.dll C:\Windows\SysWOW64\Dpnladjl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdgdji32.exe C:\Windows\SysWOW64\Feddombd.exe N/A
File created C:\Windows\SysWOW64\Ffadkgnl.dll C:\Windows\SysWOW64\Ghbljk32.exe N/A
File created C:\Windows\SysWOW64\Abqcpo32.dll C:\Windows\SysWOW64\Kbjbge32.exe N/A
File created C:\Windows\SysWOW64\Djjjga32.exe C:\Windows\SysWOW64\Demaoj32.exe N/A
File created C:\Windows\SysWOW64\Dahkok32.exe C:\Windows\SysWOW64\Dnjoco32.exe N/A
File created C:\Windows\SysWOW64\Qndhjl32.dll C:\Windows\SysWOW64\Efljhq32.exe N/A
File created C:\Windows\SysWOW64\Kcadppco.dll C:\Windows\SysWOW64\Kjhcag32.exe N/A
File opened for modification C:\Windows\SysWOW64\Khldkllj.exe C:\Windows\SysWOW64\Kenhopmf.exe N/A
File created C:\Windows\SysWOW64\Hcjdjiqp.dll C:\Windows\SysWOW64\Fmohco32.exe N/A
File created C:\Windows\SysWOW64\Inojhc32.exe C:\Windows\SysWOW64\Ijcngenj.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Lbjofi32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibfmmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hhkopj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ifolhann.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Elkofg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcnoejch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlifadkk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Edidqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fefqdl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gcedad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igebkiof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpgionie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kageia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deakjjbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eeojcmfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hklhae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hfjbmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqolji32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnhgha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmhjdiap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glbaei32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdbpekam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjcaha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjfkmdlg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jibnop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjjaikoa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccpeld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlqjkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcdkef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejcmmp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbclgf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dahkok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Feddombd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fimoiopk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dblhmoio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eppefg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Feachqgb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghbljk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gglbfg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfaeme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfabnl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fahhnn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijcngenj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Demaoj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ikldqile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjhabndo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Inojhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmohco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Goldfelp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adipfd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apppkekc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dboeco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hclfag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfcgbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebnabb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmimcbja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adfbpega.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccnifd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iebldo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Giaidnkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iocgfhhc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhbdleol.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll" C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll" C:\Windows\SysWOW64\Jefbnacn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gpidki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadfhdil.dll" C:\Windows\SysWOW64\Eeojcmfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elkofg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gamnhq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacoff32.dll" C:\Windows\SysWOW64\Gaojnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Inojhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfglml32.dll" C:\Windows\SysWOW64\Bqolji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gonale32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iebldo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" C:\Windows\SysWOW64\Jcciqi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnmiag32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kenhopmf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpgionie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" C:\Windows\SysWOW64\Emaijk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eoebgcol.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ioeclg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajhddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekliqn32.dll" C:\Windows\SysWOW64\Glpepj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafklo32.dll" C:\Windows\SysWOW64\Dfcgbb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Igceej32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmfocnjg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaagcpdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiioin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifmocb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmfcop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll" C:\Windows\SysWOW64\Klecfkff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Blfapfpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eeojcmfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iikkon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll" C:\Windows\SysWOW64\Jmdgipkk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjhabndo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hqiqjlga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaomc32.dll" C:\Windows\SysWOW64\Eppefg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgciff32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ijaaae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acicla32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Boifga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgqlafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll" C:\Windows\SysWOW64\Ibfmmb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhbje32.dll" C:\Windows\SysWOW64\Cjhabndo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deondj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ikgkei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" C:\Windows\SysWOW64\Khjgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll" C:\Windows\SysWOW64\Kgcnahoo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bqolji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkekhpob.dll" C:\Windows\SysWOW64\Fpbnjjkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jibnop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeebbaa.dll" C:\Windows\SysWOW64\Gncnmane.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhkopj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flnlkgjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjdjiqp.dll" C:\Windows\SysWOW64\Fmohco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gojhafnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hifbdnbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll" C:\Windows\SysWOW64\Jabponba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bogjaamh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efedga32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Giaidnkf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdmepgce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadbpdla.dll" C:\Windows\SysWOW64\Cgnnab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" C:\Windows\SysWOW64\Hgciff32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Adfbpega.exe
PID 2760 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Adfbpega.exe
PID 2760 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Adfbpega.exe
PID 2760 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Adfbpega.exe
PID 2960 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Adfbpega.exe C:\Windows\SysWOW64\Acicla32.exe
PID 2960 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Adfbpega.exe C:\Windows\SysWOW64\Acicla32.exe
PID 2960 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Adfbpega.exe C:\Windows\SysWOW64\Acicla32.exe
PID 2960 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Adfbpega.exe C:\Windows\SysWOW64\Acicla32.exe
PID 2812 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Acicla32.exe C:\Windows\SysWOW64\Akpkmo32.exe
PID 2812 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Acicla32.exe C:\Windows\SysWOW64\Akpkmo32.exe
PID 2812 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Acicla32.exe C:\Windows\SysWOW64\Akpkmo32.exe
PID 2812 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Acicla32.exe C:\Windows\SysWOW64\Akpkmo32.exe
PID 2612 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Akpkmo32.exe C:\Windows\SysWOW64\Apmcefmf.exe
PID 2612 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Akpkmo32.exe C:\Windows\SysWOW64\Apmcefmf.exe
PID 2612 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Akpkmo32.exe C:\Windows\SysWOW64\Apmcefmf.exe
PID 2612 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Akpkmo32.exe C:\Windows\SysWOW64\Apmcefmf.exe
PID 2676 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Apmcefmf.exe C:\Windows\SysWOW64\Adipfd32.exe
PID 2676 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Apmcefmf.exe C:\Windows\SysWOW64\Adipfd32.exe
PID 2676 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Apmcefmf.exe C:\Windows\SysWOW64\Adipfd32.exe
PID 2676 wrote to memory of 2088 N/A C:\Windows\SysWOW64\Apmcefmf.exe C:\Windows\SysWOW64\Adipfd32.exe
PID 2088 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Adipfd32.exe C:\Windows\SysWOW64\Anadojlo.exe
PID 2088 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Adipfd32.exe C:\Windows\SysWOW64\Anadojlo.exe
PID 2088 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Adipfd32.exe C:\Windows\SysWOW64\Anadojlo.exe
PID 2088 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Adipfd32.exe C:\Windows\SysWOW64\Anadojlo.exe
PID 1064 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Anadojlo.exe C:\Windows\SysWOW64\Apppkekc.exe
PID 1064 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Anadojlo.exe C:\Windows\SysWOW64\Apppkekc.exe
PID 1064 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Anadojlo.exe C:\Windows\SysWOW64\Apppkekc.exe
PID 1064 wrote to memory of 3020 N/A C:\Windows\SysWOW64\Anadojlo.exe C:\Windows\SysWOW64\Apppkekc.exe
PID 3020 wrote to memory of 588 N/A C:\Windows\SysWOW64\Apppkekc.exe C:\Windows\SysWOW64\Ajhddk32.exe
PID 3020 wrote to memory of 588 N/A C:\Windows\SysWOW64\Apppkekc.exe C:\Windows\SysWOW64\Ajhddk32.exe
PID 3020 wrote to memory of 588 N/A C:\Windows\SysWOW64\Apppkekc.exe C:\Windows\SysWOW64\Ajhddk32.exe
PID 3020 wrote to memory of 588 N/A C:\Windows\SysWOW64\Apppkekc.exe C:\Windows\SysWOW64\Ajhddk32.exe
PID 588 wrote to memory of 264 N/A C:\Windows\SysWOW64\Ajhddk32.exe C:\Windows\SysWOW64\Blfapfpg.exe
PID 588 wrote to memory of 264 N/A C:\Windows\SysWOW64\Ajhddk32.exe C:\Windows\SysWOW64\Blfapfpg.exe
PID 588 wrote to memory of 264 N/A C:\Windows\SysWOW64\Ajhddk32.exe C:\Windows\SysWOW64\Blfapfpg.exe
PID 588 wrote to memory of 264 N/A C:\Windows\SysWOW64\Ajhddk32.exe C:\Windows\SysWOW64\Blfapfpg.exe
PID 264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Blfapfpg.exe C:\Windows\SysWOW64\Bjjaikoa.exe
PID 264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Blfapfpg.exe C:\Windows\SysWOW64\Bjjaikoa.exe
PID 264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Blfapfpg.exe C:\Windows\SysWOW64\Bjjaikoa.exe
PID 264 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Blfapfpg.exe C:\Windows\SysWOW64\Bjjaikoa.exe
PID 2132 wrote to memory of 816 N/A C:\Windows\SysWOW64\Bjjaikoa.exe C:\Windows\SysWOW64\Bogjaamh.exe
PID 2132 wrote to memory of 816 N/A C:\Windows\SysWOW64\Bjjaikoa.exe C:\Windows\SysWOW64\Bogjaamh.exe
PID 2132 wrote to memory of 816 N/A C:\Windows\SysWOW64\Bjjaikoa.exe C:\Windows\SysWOW64\Bogjaamh.exe
PID 2132 wrote to memory of 816 N/A C:\Windows\SysWOW64\Bjjaikoa.exe C:\Windows\SysWOW64\Bogjaamh.exe
PID 816 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Bogjaamh.exe C:\Windows\SysWOW64\Bfabnl32.exe
PID 816 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Bogjaamh.exe C:\Windows\SysWOW64\Bfabnl32.exe
PID 816 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Bogjaamh.exe C:\Windows\SysWOW64\Bfabnl32.exe
PID 816 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Bogjaamh.exe C:\Windows\SysWOW64\Bfabnl32.exe
PID 2160 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Bfabnl32.exe C:\Windows\SysWOW64\Boifga32.exe
PID 2160 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Bfabnl32.exe C:\Windows\SysWOW64\Boifga32.exe
PID 2160 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Bfabnl32.exe C:\Windows\SysWOW64\Boifga32.exe
PID 2160 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Bfabnl32.exe C:\Windows\SysWOW64\Boifga32.exe
PID 2520 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Boifga32.exe C:\Windows\SysWOW64\Bbhccm32.exe
PID 2520 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Boifga32.exe C:\Windows\SysWOW64\Bbhccm32.exe
PID 2520 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Boifga32.exe C:\Windows\SysWOW64\Bbhccm32.exe
PID 2520 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Boifga32.exe C:\Windows\SysWOW64\Bbhccm32.exe
PID 1100 wrote to memory of 1604 N/A C:\Windows\SysWOW64\Bbhccm32.exe C:\Windows\SysWOW64\Bhbkpgbf.exe
PID 1100 wrote to memory of 1604 N/A C:\Windows\SysWOW64\Bbhccm32.exe C:\Windows\SysWOW64\Bhbkpgbf.exe
PID 1100 wrote to memory of 1604 N/A C:\Windows\SysWOW64\Bbhccm32.exe C:\Windows\SysWOW64\Bhbkpgbf.exe
PID 1100 wrote to memory of 1604 N/A C:\Windows\SysWOW64\Bbhccm32.exe C:\Windows\SysWOW64\Bhbkpgbf.exe
PID 1604 wrote to memory of 964 N/A C:\Windows\SysWOW64\Bhbkpgbf.exe C:\Windows\SysWOW64\Bolcma32.exe
PID 1604 wrote to memory of 964 N/A C:\Windows\SysWOW64\Bhbkpgbf.exe C:\Windows\SysWOW64\Bolcma32.exe
PID 1604 wrote to memory of 964 N/A C:\Windows\SysWOW64\Bhbkpgbf.exe C:\Windows\SysWOW64\Bolcma32.exe
PID 1604 wrote to memory of 964 N/A C:\Windows\SysWOW64\Bhbkpgbf.exe C:\Windows\SysWOW64\Bolcma32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Adfbpega.exe

C:\Windows\system32\Adfbpega.exe

C:\Windows\SysWOW64\Acicla32.exe

C:\Windows\system32\Acicla32.exe

C:\Windows\SysWOW64\Akpkmo32.exe

C:\Windows\system32\Akpkmo32.exe

C:\Windows\SysWOW64\Apmcefmf.exe

C:\Windows\system32\Apmcefmf.exe

C:\Windows\SysWOW64\Adipfd32.exe

C:\Windows\system32\Adipfd32.exe

C:\Windows\SysWOW64\Anadojlo.exe

C:\Windows\system32\Anadojlo.exe

C:\Windows\SysWOW64\Apppkekc.exe

C:\Windows\system32\Apppkekc.exe

C:\Windows\SysWOW64\Ajhddk32.exe

C:\Windows\system32\Ajhddk32.exe

C:\Windows\SysWOW64\Blfapfpg.exe

C:\Windows\system32\Blfapfpg.exe

C:\Windows\SysWOW64\Bjjaikoa.exe

C:\Windows\system32\Bjjaikoa.exe

C:\Windows\SysWOW64\Bogjaamh.exe

C:\Windows\system32\Bogjaamh.exe

C:\Windows\SysWOW64\Bfabnl32.exe

C:\Windows\system32\Bfabnl32.exe

C:\Windows\SysWOW64\Boifga32.exe

C:\Windows\system32\Boifga32.exe

C:\Windows\SysWOW64\Bbhccm32.exe

C:\Windows\system32\Bbhccm32.exe

C:\Windows\SysWOW64\Bhbkpgbf.exe

C:\Windows\system32\Bhbkpgbf.exe

C:\Windows\SysWOW64\Bolcma32.exe

C:\Windows\system32\Bolcma32.exe

C:\Windows\SysWOW64\Bdhleh32.exe

C:\Windows\system32\Bdhleh32.exe

C:\Windows\SysWOW64\Bhdhefpc.exe

C:\Windows\system32\Bhdhefpc.exe

C:\Windows\SysWOW64\Bkbdabog.exe

C:\Windows\system32\Bkbdabog.exe

C:\Windows\SysWOW64\Bqolji32.exe

C:\Windows\system32\Bqolji32.exe

C:\Windows\SysWOW64\Ccnifd32.exe

C:\Windows\system32\Ccnifd32.exe

C:\Windows\SysWOW64\Cjhabndo.exe

C:\Windows\system32\Cjhabndo.exe

C:\Windows\SysWOW64\Cdmepgce.exe

C:\Windows\system32\Cdmepgce.exe

C:\Windows\SysWOW64\Ccpeld32.exe

C:\Windows\system32\Ccpeld32.exe

C:\Windows\SysWOW64\Cjjnhnbl.exe

C:\Windows\system32\Cjjnhnbl.exe

C:\Windows\SysWOW64\Cmhjdiap.exe

C:\Windows\system32\Cmhjdiap.exe

C:\Windows\SysWOW64\Cgnnab32.exe

C:\Windows\system32\Cgnnab32.exe

C:\Windows\SysWOW64\Cfckcoen.exe

C:\Windows\system32\Cfckcoen.exe

C:\Windows\SysWOW64\Colpld32.exe

C:\Windows\system32\Colpld32.exe

C:\Windows\SysWOW64\Cehhdkjf.exe

C:\Windows\system32\Cehhdkjf.exe

C:\Windows\SysWOW64\Cmppehkh.exe

C:\Windows\system32\Cmppehkh.exe

C:\Windows\SysWOW64\Dpnladjl.exe

C:\Windows\system32\Dpnladjl.exe

C:\Windows\SysWOW64\Dblhmoio.exe

C:\Windows\system32\Dblhmoio.exe

C:\Windows\SysWOW64\Dekdikhc.exe

C:\Windows\system32\Dekdikhc.exe

C:\Windows\SysWOW64\Dgiaefgg.exe

C:\Windows\system32\Dgiaefgg.exe

C:\Windows\SysWOW64\Dppigchi.exe

C:\Windows\system32\Dppigchi.exe

C:\Windows\SysWOW64\Dboeco32.exe

C:\Windows\system32\Dboeco32.exe

C:\Windows\SysWOW64\Demaoj32.exe

C:\Windows\system32\Demaoj32.exe

C:\Windows\SysWOW64\Djjjga32.exe

C:\Windows\system32\Djjjga32.exe

C:\Windows\SysWOW64\Dbabho32.exe

C:\Windows\system32\Dbabho32.exe

C:\Windows\SysWOW64\Deondj32.exe

C:\Windows\system32\Deondj32.exe

C:\Windows\SysWOW64\Dgnjqe32.exe

C:\Windows\system32\Dgnjqe32.exe

C:\Windows\SysWOW64\Dlifadkk.exe

C:\Windows\system32\Dlifadkk.exe

C:\Windows\SysWOW64\Djlfma32.exe

C:\Windows\system32\Djlfma32.exe

C:\Windows\SysWOW64\Dnhbmpkn.exe

C:\Windows\system32\Dnhbmpkn.exe

C:\Windows\SysWOW64\Deakjjbk.exe

C:\Windows\system32\Deakjjbk.exe

C:\Windows\SysWOW64\Dcdkef32.exe

C:\Windows\system32\Dcdkef32.exe

C:\Windows\SysWOW64\Dfcgbb32.exe

C:\Windows\system32\Dfcgbb32.exe

C:\Windows\SysWOW64\Dnjoco32.exe

C:\Windows\system32\Dnjoco32.exe

C:\Windows\SysWOW64\Dahkok32.exe

C:\Windows\system32\Dahkok32.exe

C:\Windows\SysWOW64\Dahkok32.exe

C:\Windows\system32\Dahkok32.exe

C:\Windows\SysWOW64\Dhbdleol.exe

C:\Windows\system32\Dhbdleol.exe

C:\Windows\SysWOW64\Efedga32.exe

C:\Windows\system32\Efedga32.exe

C:\Windows\SysWOW64\Eicpcm32.exe

C:\Windows\system32\Eicpcm32.exe

C:\Windows\SysWOW64\Emoldlmc.exe

C:\Windows\system32\Emoldlmc.exe

C:\Windows\SysWOW64\Epnhpglg.exe

C:\Windows\system32\Epnhpglg.exe

C:\Windows\SysWOW64\Edidqf32.exe

C:\Windows\system32\Edidqf32.exe

C:\Windows\SysWOW64\Eblelb32.exe

C:\Windows\system32\Eblelb32.exe

C:\Windows\SysWOW64\Ejcmmp32.exe

C:\Windows\system32\Ejcmmp32.exe

C:\Windows\SysWOW64\Eifmimch.exe

C:\Windows\system32\Eifmimch.exe

C:\Windows\SysWOW64\Emaijk32.exe

C:\Windows\system32\Emaijk32.exe

C:\Windows\SysWOW64\Eppefg32.exe

C:\Windows\system32\Eppefg32.exe

C:\Windows\SysWOW64\Ebnabb32.exe

C:\Windows\system32\Ebnabb32.exe

C:\Windows\SysWOW64\Eemnnn32.exe

C:\Windows\system32\Eemnnn32.exe

C:\Windows\SysWOW64\Eihjolae.exe

C:\Windows\system32\Eihjolae.exe

C:\Windows\SysWOW64\Elgfkhpi.exe

C:\Windows\system32\Elgfkhpi.exe

C:\Windows\SysWOW64\Eoebgcol.exe

C:\Windows\system32\Eoebgcol.exe

C:\Windows\SysWOW64\Ebqngb32.exe

C:\Windows\system32\Ebqngb32.exe

C:\Windows\SysWOW64\Efljhq32.exe

C:\Windows\system32\Efljhq32.exe

C:\Windows\SysWOW64\Eeojcmfi.exe

C:\Windows\system32\Eeojcmfi.exe

C:\Windows\SysWOW64\Ehnfpifm.exe

C:\Windows\system32\Ehnfpifm.exe

C:\Windows\SysWOW64\Elibpg32.exe

C:\Windows\system32\Elibpg32.exe

C:\Windows\SysWOW64\Eogolc32.exe

C:\Windows\system32\Eogolc32.exe

C:\Windows\SysWOW64\Eeagimdf.exe

C:\Windows\system32\Eeagimdf.exe

C:\Windows\SysWOW64\Eimcjl32.exe

C:\Windows\system32\Eimcjl32.exe

C:\Windows\SysWOW64\Elkofg32.exe

C:\Windows\system32\Elkofg32.exe

C:\Windows\SysWOW64\Eojlbb32.exe

C:\Windows\system32\Eojlbb32.exe

C:\Windows\SysWOW64\Fahhnn32.exe

C:\Windows\system32\Fahhnn32.exe

C:\Windows\SysWOW64\Feddombd.exe

C:\Windows\system32\Feddombd.exe

C:\Windows\SysWOW64\Fdgdji32.exe

C:\Windows\system32\Fdgdji32.exe

C:\Windows\SysWOW64\Flnlkgjq.exe

C:\Windows\system32\Flnlkgjq.exe

C:\Windows\SysWOW64\Fkqlgc32.exe

C:\Windows\system32\Fkqlgc32.exe

C:\Windows\SysWOW64\Fmohco32.exe

C:\Windows\system32\Fmohco32.exe

C:\Windows\SysWOW64\Fefqdl32.exe

C:\Windows\system32\Fefqdl32.exe

C:\Windows\SysWOW64\Fdiqpigl.exe

C:\Windows\system32\Fdiqpigl.exe

C:\Windows\SysWOW64\Fkcilc32.exe

C:\Windows\system32\Fkcilc32.exe

C:\Windows\SysWOW64\Fmaeho32.exe

C:\Windows\system32\Fmaeho32.exe

C:\Windows\SysWOW64\Famaimfe.exe

C:\Windows\system32\Famaimfe.exe

C:\Windows\SysWOW64\Fdkmeiei.exe

C:\Windows\system32\Fdkmeiei.exe

C:\Windows\SysWOW64\Fhgifgnb.exe

C:\Windows\system32\Fhgifgnb.exe

C:\Windows\SysWOW64\Fgjjad32.exe

C:\Windows\system32\Fgjjad32.exe

C:\Windows\SysWOW64\Fmdbnnlj.exe

C:\Windows\system32\Fmdbnnlj.exe

C:\Windows\SysWOW64\Fpbnjjkm.exe

C:\Windows\system32\Fpbnjjkm.exe

C:\Windows\SysWOW64\Fcqjfeja.exe

C:\Windows\system32\Fcqjfeja.exe

C:\Windows\SysWOW64\Fglfgd32.exe

C:\Windows\system32\Fglfgd32.exe

C:\Windows\SysWOW64\Fmfocnjg.exe

C:\Windows\system32\Fmfocnjg.exe

C:\Windows\SysWOW64\Fccglehn.exe

C:\Windows\system32\Fccglehn.exe

C:\Windows\SysWOW64\Feachqgb.exe

C:\Windows\system32\Feachqgb.exe

C:\Windows\SysWOW64\Fimoiopk.exe

C:\Windows\system32\Fimoiopk.exe

C:\Windows\SysWOW64\Glklejoo.exe

C:\Windows\system32\Glklejoo.exe

C:\Windows\SysWOW64\Gojhafnb.exe

C:\Windows\system32\Gojhafnb.exe

C:\Windows\SysWOW64\Gcedad32.exe

C:\Windows\system32\Gcedad32.exe

C:\Windows\SysWOW64\Gecpnp32.exe

C:\Windows\system32\Gecpnp32.exe

C:\Windows\SysWOW64\Ghbljk32.exe

C:\Windows\system32\Ghbljk32.exe

C:\Windows\SysWOW64\Gpidki32.exe

C:\Windows\system32\Gpidki32.exe

C:\Windows\SysWOW64\Goldfelp.exe

C:\Windows\system32\Goldfelp.exe

C:\Windows\SysWOW64\Gajqbakc.exe

C:\Windows\system32\Gajqbakc.exe

C:\Windows\SysWOW64\Giaidnkf.exe

C:\Windows\system32\Giaidnkf.exe

C:\Windows\SysWOW64\Ghdiokbq.exe

C:\Windows\system32\Ghdiokbq.exe

C:\Windows\SysWOW64\Glpepj32.exe

C:\Windows\system32\Glpepj32.exe

C:\Windows\SysWOW64\Gonale32.exe

C:\Windows\system32\Gonale32.exe

C:\Windows\SysWOW64\Gamnhq32.exe

C:\Windows\system32\Gamnhq32.exe

C:\Windows\SysWOW64\Gehiioaj.exe

C:\Windows\system32\Gehiioaj.exe

C:\Windows\SysWOW64\Ghgfekpn.exe

C:\Windows\system32\Ghgfekpn.exe

C:\Windows\SysWOW64\Glbaei32.exe

C:\Windows\system32\Glbaei32.exe

C:\Windows\SysWOW64\Gncnmane.exe

C:\Windows\system32\Gncnmane.exe

C:\Windows\SysWOW64\Gaojnq32.exe

C:\Windows\system32\Gaojnq32.exe

C:\Windows\SysWOW64\Gekfnoog.exe

C:\Windows\system32\Gekfnoog.exe

C:\Windows\SysWOW64\Gglbfg32.exe

C:\Windows\system32\Gglbfg32.exe

C:\Windows\SysWOW64\Gnfkba32.exe

C:\Windows\system32\Gnfkba32.exe

C:\Windows\SysWOW64\Gaagcpdl.exe

C:\Windows\system32\Gaagcpdl.exe

C:\Windows\SysWOW64\Hhkopj32.exe

C:\Windows\system32\Hhkopj32.exe

C:\Windows\SysWOW64\Hgnokgcc.exe

C:\Windows\system32\Hgnokgcc.exe

C:\Windows\SysWOW64\Hjmlhbbg.exe

C:\Windows\system32\Hjmlhbbg.exe

C:\Windows\SysWOW64\Hnhgha32.exe

C:\Windows\system32\Hnhgha32.exe

C:\Windows\SysWOW64\Hadcipbi.exe

C:\Windows\system32\Hadcipbi.exe

C:\Windows\SysWOW64\Hdbpekam.exe

C:\Windows\system32\Hdbpekam.exe

C:\Windows\SysWOW64\Hgqlafap.exe

C:\Windows\system32\Hgqlafap.exe

C:\Windows\SysWOW64\Hklhae32.exe

C:\Windows\system32\Hklhae32.exe

C:\Windows\SysWOW64\Hmmdin32.exe

C:\Windows\system32\Hmmdin32.exe

C:\Windows\SysWOW64\Hqiqjlga.exe

C:\Windows\system32\Hqiqjlga.exe

C:\Windows\SysWOW64\Hddmjk32.exe

C:\Windows\system32\Hddmjk32.exe

C:\Windows\SysWOW64\Hgciff32.exe

C:\Windows\system32\Hgciff32.exe

C:\Windows\SysWOW64\Hgciff32.exe

C:\Windows\system32\Hgciff32.exe

C:\Windows\SysWOW64\Hjaeba32.exe

C:\Windows\system32\Hjaeba32.exe

C:\Windows\SysWOW64\Hqkmplen.exe

C:\Windows\system32\Hqkmplen.exe

C:\Windows\SysWOW64\Hcjilgdb.exe

C:\Windows\system32\Hcjilgdb.exe

C:\Windows\SysWOW64\Hfhfhbce.exe

C:\Windows\system32\Hfhfhbce.exe

C:\Windows\SysWOW64\Hjcaha32.exe

C:\Windows\system32\Hjcaha32.exe

C:\Windows\SysWOW64\Hifbdnbi.exe

C:\Windows\system32\Hifbdnbi.exe

C:\Windows\SysWOW64\Hqnjek32.exe

C:\Windows\system32\Hqnjek32.exe

C:\Windows\SysWOW64\Hoqjqhjf.exe

C:\Windows\system32\Hoqjqhjf.exe

C:\Windows\SysWOW64\Hclfag32.exe

C:\Windows\system32\Hclfag32.exe

C:\Windows\SysWOW64\Hfjbmb32.exe

C:\Windows\system32\Hfjbmb32.exe

C:\Windows\SysWOW64\Hiioin32.exe

C:\Windows\system32\Hiioin32.exe

C:\Windows\SysWOW64\Ikgkei32.exe

C:\Windows\system32\Ikgkei32.exe

C:\Windows\SysWOW64\Iocgfhhc.exe

C:\Windows\system32\Iocgfhhc.exe

C:\Windows\SysWOW64\Icncgf32.exe

C:\Windows\system32\Icncgf32.exe

C:\Windows\SysWOW64\Ifmocb32.exe

C:\Windows\system32\Ifmocb32.exe

C:\Windows\SysWOW64\Iikkon32.exe

C:\Windows\system32\Iikkon32.exe

C:\Windows\SysWOW64\Imggplgm.exe

C:\Windows\system32\Imggplgm.exe

C:\Windows\SysWOW64\Ioeclg32.exe

C:\Windows\system32\Ioeclg32.exe

C:\Windows\SysWOW64\Ibcphc32.exe

C:\Windows\system32\Ibcphc32.exe

C:\Windows\SysWOW64\Ifolhann.exe

C:\Windows\system32\Ifolhann.exe

C:\Windows\SysWOW64\Iebldo32.exe

C:\Windows\system32\Iebldo32.exe

C:\Windows\SysWOW64\Ikldqile.exe

C:\Windows\system32\Ikldqile.exe

C:\Windows\SysWOW64\Ibfmmb32.exe

C:\Windows\system32\Ibfmmb32.exe

C:\Windows\SysWOW64\Iediin32.exe

C:\Windows\system32\Iediin32.exe

C:\Windows\SysWOW64\Iipejmko.exe

C:\Windows\system32\Iipejmko.exe

C:\Windows\SysWOW64\Igceej32.exe

C:\Windows\system32\Igceej32.exe

C:\Windows\SysWOW64\Ijaaae32.exe

C:\Windows\system32\Ijaaae32.exe

C:\Windows\SysWOW64\Inmmbc32.exe

C:\Windows\system32\Inmmbc32.exe

C:\Windows\SysWOW64\Iakino32.exe

C:\Windows\system32\Iakino32.exe

C:\Windows\SysWOW64\Icifjk32.exe

C:\Windows\system32\Icifjk32.exe

C:\Windows\SysWOW64\Igebkiof.exe

C:\Windows\system32\Igebkiof.exe

C:\Windows\SysWOW64\Ijcngenj.exe

C:\Windows\system32\Ijcngenj.exe

C:\Windows\SysWOW64\Inojhc32.exe

C:\Windows\system32\Inojhc32.exe

C:\Windows\SysWOW64\Iamfdo32.exe

C:\Windows\system32\Iamfdo32.exe

C:\Windows\SysWOW64\Iclbpj32.exe

C:\Windows\system32\Iclbpj32.exe

C:\Windows\SysWOW64\Jjfkmdlg.exe

C:\Windows\system32\Jjfkmdlg.exe

C:\Windows\SysWOW64\Jmdgipkk.exe

C:\Windows\system32\Jmdgipkk.exe

C:\Windows\SysWOW64\Jcnoejch.exe

C:\Windows\system32\Jcnoejch.exe

C:\Windows\SysWOW64\Jmfcop32.exe

C:\Windows\system32\Jmfcop32.exe

C:\Windows\SysWOW64\Jabponba.exe

C:\Windows\system32\Jabponba.exe

C:\Windows\SysWOW64\Jcqlkjae.exe

C:\Windows\system32\Jcqlkjae.exe

C:\Windows\SysWOW64\Jbclgf32.exe

C:\Windows\system32\Jbclgf32.exe

C:\Windows\SysWOW64\Jjjdhc32.exe

C:\Windows\system32\Jjjdhc32.exe

C:\Windows\SysWOW64\Jimdcqom.exe

C:\Windows\system32\Jimdcqom.exe

C:\Windows\SysWOW64\Jllqplnp.exe

C:\Windows\system32\Jllqplnp.exe

C:\Windows\SysWOW64\Jllqplnp.exe

C:\Windows\system32\Jllqplnp.exe

C:\Windows\SysWOW64\Jpgmpk32.exe

C:\Windows\system32\Jpgmpk32.exe

C:\Windows\SysWOW64\Jcciqi32.exe

C:\Windows\system32\Jcciqi32.exe

C:\Windows\SysWOW64\Jfaeme32.exe

C:\Windows\system32\Jfaeme32.exe

C:\Windows\SysWOW64\Jmkmjoec.exe

C:\Windows\system32\Jmkmjoec.exe

C:\Windows\SysWOW64\Jlnmel32.exe

C:\Windows\system32\Jlnmel32.exe

C:\Windows\SysWOW64\Jnmiag32.exe

C:\Windows\system32\Jnmiag32.exe

C:\Windows\SysWOW64\Jbhebfck.exe

C:\Windows\system32\Jbhebfck.exe

C:\Windows\SysWOW64\Jefbnacn.exe

C:\Windows\system32\Jefbnacn.exe

C:\Windows\SysWOW64\Jibnop32.exe

C:\Windows\system32\Jibnop32.exe

C:\Windows\SysWOW64\Jlqjkk32.exe

C:\Windows\system32\Jlqjkk32.exe

C:\Windows\SysWOW64\Jplfkjbd.exe

C:\Windows\system32\Jplfkjbd.exe

C:\Windows\SysWOW64\Kbjbge32.exe

C:\Windows\system32\Kbjbge32.exe

C:\Windows\SysWOW64\Keioca32.exe

C:\Windows\system32\Keioca32.exe

C:\Windows\SysWOW64\Kidjdpie.exe

C:\Windows\system32\Kidjdpie.exe

C:\Windows\SysWOW64\Klcgpkhh.exe

C:\Windows\system32\Klcgpkhh.exe

C:\Windows\SysWOW64\Kjeglh32.exe

C:\Windows\system32\Kjeglh32.exe

C:\Windows\SysWOW64\Kbmome32.exe

C:\Windows\system32\Kbmome32.exe

C:\Windows\SysWOW64\Kekkiq32.exe

C:\Windows\system32\Kekkiq32.exe

C:\Windows\SysWOW64\Khjgel32.exe

C:\Windows\system32\Khjgel32.exe

C:\Windows\SysWOW64\Klecfkff.exe

C:\Windows\system32\Klecfkff.exe

C:\Windows\SysWOW64\Kjhcag32.exe

C:\Windows\system32\Kjhcag32.exe

C:\Windows\SysWOW64\Kmfpmc32.exe

C:\Windows\system32\Kmfpmc32.exe

C:\Windows\SysWOW64\Kenhopmf.exe

C:\Windows\system32\Kenhopmf.exe

C:\Windows\SysWOW64\Khldkllj.exe

C:\Windows\system32\Khldkllj.exe

C:\Windows\SysWOW64\Kkjpggkn.exe

C:\Windows\system32\Kkjpggkn.exe

C:\Windows\SysWOW64\Kmimcbja.exe

C:\Windows\system32\Kmimcbja.exe

C:\Windows\SysWOW64\Kadica32.exe

C:\Windows\system32\Kadica32.exe

C:\Windows\SysWOW64\Kpgionie.exe

C:\Windows\system32\Kpgionie.exe

C:\Windows\SysWOW64\Khnapkjg.exe

C:\Windows\system32\Khnapkjg.exe

C:\Windows\SysWOW64\Kfaalh32.exe

C:\Windows\system32\Kfaalh32.exe

C:\Windows\SysWOW64\Kipmhc32.exe

C:\Windows\system32\Kipmhc32.exe

C:\Windows\SysWOW64\Kageia32.exe

C:\Windows\system32\Kageia32.exe

C:\Windows\SysWOW64\Kdeaelok.exe

C:\Windows\system32\Kdeaelok.exe

C:\Windows\SysWOW64\Kgcnahoo.exe

C:\Windows\system32\Kgcnahoo.exe

C:\Windows\SysWOW64\Kkojbf32.exe

C:\Windows\system32\Kkojbf32.exe

C:\Windows\SysWOW64\Lmmfnb32.exe

C:\Windows\system32\Lmmfnb32.exe

C:\Windows\SysWOW64\Lplbjm32.exe

C:\Windows\system32\Lplbjm32.exe

C:\Windows\SysWOW64\Lbjofi32.exe

C:\Windows\system32\Lbjofi32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 140

Network

N/A

Files

memory/2760-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Adfbpega.exe

MD5 3a9b1436c4d681b0c4379e78f4779537
SHA1 a7d8cef8a1cf240013c91dc472068c41380a369a
SHA256 1df74a2928d437e59feaa1a8a2c40ea7d4b4ff5a72185cf1999cf328e545575f
SHA512 b140c8175d8a760895e8025c58a97f1beb1a3830a3126b00cbcd19eb78219f872b7573191de25fb7d03de197222043ec654d1a1b790a1119ded1e09fef958c6c

memory/2960-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2760-13-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Acicla32.exe

MD5 f6ad9c165b67f26ead4ab8e6c5ed2e0f
SHA1 9802c879a5d87a62276ab6fdfd8e5f6e5a266dbe
SHA256 f3b807776e3b61ee369544043be2a4f2fd753cdeb09c20176e1f92688e1c28c8
SHA512 e037070625844d052d539a08ae906cd62579697d6c47eacf7eb5f4e93ad7d0af7519ccedff14915b3224ac92d3111566c6604abbb2494cdf9fe0d37b5f4cb8aa

memory/2960-32-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2760-12-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2812-40-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Akpkmo32.exe

MD5 e6b514fdd8a7d35ff0a9bf17115cc357
SHA1 bd61cdd8d932e73e0ed69d0d1fbc84ab1a3176c9
SHA256 46408730b322ea32775fbbd1480e301cb73f619229e3f2ffb28ba18c85b1e56b
SHA512 2009332ac31b521b1e49ff33317c674bfb776e7af7f7b1cf412bab2e576de90161edfcd31a6edc826355417f4e0333d5489694bd56ae893d5c0d93b07197da2f

memory/2812-35-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Apmcefmf.exe

MD5 f5ba3d714334d230138876f43e4f8a6a
SHA1 a322aa2b7bcd62d7ea223e40aa0f514d0e3c8e13
SHA256 64bf56aeb80fd18031055ab84b52bbfe6b1a18b75388743f54b884d8ad9f133f
SHA512 799baf646546d7331e13722ed957a0a84a9f562a7d6c448041ce9278d83a1fafd31ee9b1ad61959538cb8b7c9c3c327209acd54d5cdfa27eae823de8e1478ef2

memory/2676-54-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Adipfd32.exe

MD5 19b294df8ac2eba40b2f70440db81e52
SHA1 2af089d3b347c83bccb9d3f55ece8b0e78e45f7e
SHA256 12e0f1e3b180f09f8887542eebeabd30cd8e82a01e8046cb66b39e91f50dd67a
SHA512 d814f5fafd6a5c15bb1a5cae105e5ce3981b3f805f4e01aadfc06b20294b13a1b42d4d4eff0aea1e62201d298722083bf43bfca298fb725cec373973eb4b10f7

memory/2088-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2960-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2760-69-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2760-67-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2676-62-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2088-79-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Anadojlo.exe

MD5 e5a5d3fc2f9a4fd18bcc939a889039aa
SHA1 7a87da5c91cee6b8ae96b349537e735f84c48171
SHA256 ceab5a62e2cdf393699f9dbf24797969bf071d23827fe4919ada100ce39e1e18
SHA512 531ec242079e1f1646244352ab243f683dfeb7300298a978df50e8e77a174abe9587a56f08fc1a244a81043b0660214c64ac582445463795935d3f105cd48303

\Windows\SysWOW64\Apppkekc.exe

MD5 5dbe39dd1cd693c0c016720b9e529ff9
SHA1 4599ab046a6ad672a3b2d1da748136ac384bdb29
SHA256 fba73911c6dbeafe75aa49f826dca601334b0f69d37ba93ccc45ebd783f499c0
SHA512 93d5963d3d53de4093022eba9d6226ef57bdbc091880e306124fde1fa2dc21e72565ba6617ba07f7043df5cea43a8d808a5303ef2110684fe853d12b7b50c519

memory/1064-92-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2676-100-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1064-98-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2612-97-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Ajhddk32.exe

MD5 df64da5522410965903f3af89a7c7150
SHA1 f0146d9a293fc5dcf341ac5adc9b84e468e8880a
SHA256 2d9b6396f28209f4b2c55007984207eb3a0f0d06a3b27633f1446ffcb9daf798
SHA512 037ca0c20deb9cb9ec7d1da8c09098a87cc5637e518c898c14d31f231227f37207d608415d9534c97b17c473c42c0a5085c590301996c5d6e02332707244bab4

memory/264-131-0x0000000000400000-0x0000000000433000-memory.dmp

memory/588-130-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/588-129-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2088-128-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Blfapfpg.exe

MD5 89d92ab7be1d921889b93acd7f779fbc
SHA1 af8afa613469fc450f08429b4ffba8c7be5efaa6
SHA256 11ae6394b4d902e11437074a4ccd99275464efe7de33d71700a6d30a9fcc08c8
SHA512 2bb23a2eba028aff07b3209606b3d0b8c1eabd7203c1c4d7dd436b471ff2b9b5ec1242667231a3a3f3942c8bfca9ddbc9861969f83ae27baab986884dea62ce9

memory/588-120-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3020-113-0x0000000000300000-0x0000000000333000-memory.dmp

memory/3020-112-0x0000000000300000-0x0000000000333000-memory.dmp

\Windows\SysWOW64\Bjjaikoa.exe

MD5 226177ad1e5bec7fedc4d5abb902be38
SHA1 137aacea0878f80413f31eec0733444089aa3a83
SHA256 7e962a9557eab9f73df77114fd0cf67e06854b42587b87b64bbb28b29bf218b6
SHA512 b3666cc6d994a6c3bc9e0a4c00e4b8847803abff367fb990e0f48a5868bc17f51da1f891b4d3649d462d29b5157b536c6bf04e5151e16f5f9b8ef953ce559f6c

memory/264-140-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2088-138-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1064-145-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Bogjaamh.exe

MD5 e43ee4ca3eacbc39d498de0ed9c3b87b
SHA1 126426b4e9135c71367361eceae790d7c9ffb365
SHA256 78ce542bc718bcd1433baff9e9f069e478df35b641286f1a69a4a25e172508ac
SHA512 d48b6454d60e7b362749b4419666c699945ddb3ce961cc9dbbd4d571a7acc8ad90915e04d77e756010a4222ff273699aacd7a0a9198629816574d0194ce349b5

memory/3020-158-0x0000000000400000-0x0000000000433000-memory.dmp

memory/816-160-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Bfabnl32.exe

MD5 58e711c4079fed16cb38d8ed53f5c4c3
SHA1 253d2380f733cbdd619fe6d7b2c88cbf3f89682f
SHA256 810f49cf652b4d32786e93bffd4e6038f0899cb441c5365290ddbb092e57dded
SHA512 4d08f9a2d1759377eaf57ca1c60a0ec3f8b4948a79911a50999f1bde35f14c02d759f78808864341860d75123784d04ae10577a54cf6fcc67657a6148b45e650

memory/816-169-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/3020-167-0x0000000000300000-0x0000000000333000-memory.dmp

memory/264-178-0x0000000000400000-0x0000000000433000-memory.dmp

memory/588-177-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/588-176-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/588-172-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Boifga32.exe

MD5 7565642c29021e197b4dd0e0fa06eb5e
SHA1 cd4f457bd0126e782afb1a6a1ead349bf885fdff
SHA256 986c43c84c767e7f401ff74286162b234acd7b105f2de3069b9feae51c466ffd
SHA512 775306c3f42e615efec1410c823b1c6174ec13d90d909dfb6c9d838bb6fecbf1a36076b6ed554db199331fd9f515280be44c7ad9a1f659b08238c14fb39417eb

memory/2160-185-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2520-200-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2132-198-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Bbhccm32.exe

MD5 ecf091b2bcbc8d1a31195f45c389f470
SHA1 ffbb6c3b534338075196b33c33ba3a82c77fbd36
SHA256 b4b6993a9eedea2872eec91b6b2e0d49ee9cc775ba571fd7de8665a6f2deffb0
SHA512 7baba31e826418a2103782022958988e7424662ce9340fb3a15118377ac8308934e95779b9e64e3bb2d37f3a5e447a535e35f7a2c0f952c787bddb4a9e5a6b17

memory/1100-208-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2520-206-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2132-205-0x0000000000440000-0x0000000000473000-memory.dmp

\Windows\SysWOW64\Bhbkpgbf.exe

MD5 7fd04a0c443f20baabdfaf9e5e299ca4
SHA1 fef03cd9ca1ffa1d70aaa1dfc81ae77261f0112d
SHA256 41902719500da3f388882ce0501e7e558f89acdc1eb52cb09ea303b84e9eb6eb
SHA512 8b58633702f5eae38b11cb7d996cd33b9afd664d30e705acc9c743a3cecf02e5b9260ff80da5e98b01c625ba5e3056401c044a53a167dd5fd5747c4a54b42cdf

memory/1604-223-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1100-222-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/816-221-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1604-231-0x0000000000290000-0x00000000002C3000-memory.dmp

\Windows\SysWOW64\Bolcma32.exe

MD5 4fe963bd1ccaf8bc179b017ed2b1a2a5
SHA1 47a740faa07c12a6234b1d5740a6473b6ea776f8
SHA256 5900b4dc138381b8e7008b0b7da8d9cb79d22b80bac7d539b03a70f61ac81909
SHA512 d515a9f92226c755cc1b3c665790066450c92dce93f6226f3c1c82dec10d0f04bebf01d9a2000ec0f9e88fd8b5c11a035d962e4241e95e22f1297dfff14e3378

memory/964-239-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1604-237-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2160-236-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2520-250-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bdhleh32.exe

MD5 3d8f3acb65df0dff10386b36990df4cf
SHA1 7020f4491b53c9d4132b2591b47a1656e8a59072
SHA256 e5902cf88613247b026fcdf613ca4a60aab3aa02ece25e38c89af609a9263b7c
SHA512 a48d25c9f2e531a0f15079d9be8b99ce955182afdbc84bc6674985fc1c4c03468b03332391bb015184e0fc4937a71ef5693ba9ba6e8ce8a38b1dbb3966393ff1

memory/964-246-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1100-259-0x0000000000400000-0x0000000000433000-memory.dmp

memory/468-257-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2520-256-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1604-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1100-262-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Bhdhefpc.exe

MD5 0864d0f8831290a8098ca0d08c618090
SHA1 05a86ed06736c3718e504211417fefe530a9b82d
SHA256 889b241ffd7074b9ba4e5ad6dec5ab11e61223b9b86a6d4fb5020a5d375c4abf
SHA512 caa11a112ff588333fae8f8db0806fd0453bbc6e5b58000ec8b98d60d7a815af92b83fa75064d81c79040a9157a0ad28245e566aa026e6dab641053c40915ee7

memory/1216-269-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Bkbdabog.exe

MD5 f0f74a2ea2d55ccec862f25cf42d3e32
SHA1 ffb92e1369507d860e7cc93c7c0793de2082d7dd
SHA256 79a6939415af4c3f9ab0f027eab038a03f999703b66b888cffba52bb0d402ff7
SHA512 60c4a25ce1ac42bf1aedd91dbea73f18d89ab6c28b1c215872550f2e749e9df7294d4b3b531e0f4e864d561f458787bc5cbbac2e30f9f68dc8d1902d5d482949

memory/2396-274-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1604-273-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/964-285-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2396-286-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Bqolji32.exe

MD5 1275ac2981ec3b7780732da3bc912891
SHA1 7c724e1971a188db2b125ddd9cb2ed1c87c91d6c
SHA256 6941ad811e4723ac7fbfd4bb9ae7ee0a919176e328dd868258798fa857e705b3
SHA512 40789f4824a4e2305c92ce92b59f4a51969269038d9354c4a9a9b509801868afb47de0c40282679f78acb2c8784f1ed7b121f8dfec6a233d7a60d798671ca72e

memory/964-279-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2396-281-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ccnifd32.exe

MD5 7cbd8711ef4075ca3ab528a4d7e5d8af
SHA1 3033abeb256bd2d62c670910ec8b02251d7e8f55
SHA256 153e9bd54238ef822de3a0d41b61686adf2f7e05423d4ae4ca94f03133030a12
SHA512 1623a3bfc5b4728930cc413a34fbe9dd9290bd7c73bc21e9461f88b6814b369812e6bdd2d267ad1f741044f01782ddd7a30034d5d06a2c2071e2588d4094188a

memory/296-297-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2100-296-0x0000000000250000-0x0000000000283000-memory.dmp

memory/468-292-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2012-310-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1216-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/296-308-0x0000000000250000-0x0000000000283000-memory.dmp

memory/296-307-0x0000000000250000-0x0000000000283000-memory.dmp

memory/468-306-0x0000000000260000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Cjhabndo.exe

MD5 2bbcbca49103cb14a2f459552255a6f1
SHA1 08786a95155b00ebb410d7100a90b12459b7a53a
SHA256 eea4fc3af786c714b492789b3b349033bbdb31cdc4d79dc4aeb7147bb377dea6
SHA512 bdabfed8e794f992c997c8c9f21b375d0487e7788919f73d6c2fd45af7c08535bef842c0504ed7241db7262f5fb8daadbd315d4148f1a8f1ac8ca27167c2cb90

memory/2396-321-0x0000000000400000-0x0000000000433000-memory.dmp

memory/640-320-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2012-319-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Cdmepgce.exe

MD5 8e1323a022cdfc2cec0200b470da57e4
SHA1 218b8a9c20236614227070a37ead6e16ae8f4afb
SHA256 54a1ceb8a1111725ee2dab2df61c25d27b1b67508e90409261fa1ec5c037e52a
SHA512 21de74e14b901a08a78ccc68d88e9e6746fcf89365c1ae8278cb70362465e527b6c6e44e791ed9db997a680a14fd74065dc1cad6bc45b0659e6147d7f8f4c6fe

C:\Windows\SysWOW64\Ccpeld32.exe

MD5 12f1876288f80895a76367036c9c0c1c
SHA1 538163b04b4a4cec592e8b3ccad3810ee1febca6
SHA256 52555e70707704075581700c3867323cc88874c8f09fa2e96b85be561586b875
SHA512 a015b340051391a980e8d038393c2bcaed01faaa0539c22e04ebc5b349359eb57d26ba222d4f540b13ecbf8aa37036a3b21836bf3efb1d366dc8ddfb7f895158

memory/640-328-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2396-327-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2100-332-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2704-333-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cjjnhnbl.exe

MD5 c224e8c17ddab6ddb49daa491eb183e2
SHA1 3b933e92fb4f08f75091a1d77b80d158bd76b7f5
SHA256 55e799f736975023d35edec186f11747c5b6113f89187cb5353357a625567964
SHA512 9f8995caeba72ff50c713bd7824ea6af92d8bf415261c9d10f4d722b2b3a7e1ed1f929ee95a207a7ba6058929f3aea436f913161535188942f956227d3ae3df5

memory/296-344-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2100-343-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2680-342-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2680-350-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/296-349-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Cmhjdiap.exe

MD5 619e439193d65b88acc91751fecfa554
SHA1 2b1d996fb62316a6dd632807be1420acb0ba33b7
SHA256 2707aebef4dc13b7536a1d7d04e7a6ebe30b2e9af24e048fd16e29cfbe4f0db0
SHA512 31588203b6e1fd89dbefa153c4cc84a081ca0a4dccb6e73bd8b883ae7335a80bbae706bb9d481e6e4c7a62ef91254d4ea252abf3b6ab28df1071f1e2062c0b9d

memory/2012-358-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2544-357-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2680-356-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/296-355-0x0000000000250000-0x0000000000283000-memory.dmp

memory/640-368-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2544-369-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2012-367-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Cgnnab32.exe

MD5 159da07e5b8b509707acb8310e3bfb30
SHA1 f95a710b1417f23575b1c91f489675948620981e
SHA256 615874af94f474576c7aff63b8acc56a3b4bf61acb9fc00a12d84844345aed1e
SHA512 0a2670c34e518e9beb7e41ec8fc633d8bb8ac62c73134db805b75c33a12de6764c6811ec79a277a0793e473cc08fd70e54292614b460582e272f63cbfbc59865

memory/2260-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-376-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2680-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2704-382-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2704-381-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2704-380-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cfckcoen.exe

MD5 8121705bc531815479c852d5948d61dc
SHA1 88d91e8f7775aef050fac738b03e16144a01a8c7
SHA256 bd30800d8dafa32cbf4334373aff794097559274a22c07c53772d9a6eac9f84b
SHA512 d4c08a5b6b6f0d8a285412322df1a303a1a5283693791b0db0a7383e96a71de24743b6f6f79237c05febbe2c12f0620f5c92ad5e8b5cfef948e85d0730e52bcc

C:\Windows\SysWOW64\Colpld32.exe

MD5 85c797e6415df901a2423c8db623b408
SHA1 021612eed62bcefd4b9ea3153f4edde1d3f6c2fc
SHA256 3a1c6471c8622502980096b5fe4b65f7876a7d91bc7f900497f66375b71c3b74
SHA512 0e22cb109b7d5a8ee2d4d7bb5b47d6cfaba0454ba2febe215c438905963f5f6635e7a624c328a8d23ea0ea1e5e6e0eb2f643e699387496c9b79d935bfaa021d6

C:\Windows\SysWOW64\Cehhdkjf.exe

MD5 2c267f627303b09eda8db4ca64947135
SHA1 9ccc505740d75e1d899f59a4fd3c84378808fee1
SHA256 55c7afb625c4a9b8012581e3a4f31e6173bf74dcf0cdc7860e2c912808b10570
SHA512 b98efbf17df32d2d81425d28d90dbc03668cc43bfd9979556052c509bdbd29f8e93518525db9407b29a571417a116a0dc1c11516e60d0aefd849267c763eee46

C:\Windows\SysWOW64\Cmppehkh.exe

MD5 0076b9f8551f91300006b85b8e9e78ee
SHA1 c214920f8fae789393e930a89baa06ec11dcc9cb
SHA256 1d388337d244af2bc13889abefeefa1e1692337d60f72cd18995d2167707b78b
SHA512 2c1c0ecadb7ae12c12115cfefcadec109fae49c90d5c09b9133220efed2e7a3b22a4483f43806780852043c92958795bb58563a031ec1f5d023f823e4d2d4eec

C:\Windows\SysWOW64\Dpnladjl.exe

MD5 c0d77e3e2827f5d290a8db5ab7f2fde6
SHA1 248318a2036afba8fca9fa52e270c5ecfc0127de
SHA256 533b7addaf88c0769b702c307377f20d85f0fd9ff1c775a3cdd0af3b6b203492
SHA512 4b1d6794877a97984c3eda04007654d35f7b394d905320af84335d3fc6490a2234d59894575374bce4868091c107158e1c49a376b8470e1982aa41001f6b93cf

C:\Windows\SysWOW64\Dblhmoio.exe

MD5 e69896b7a746544ce1a50348757e1d91
SHA1 1bacee2eb0cf03ce7a171f90008a500b9dd6dacd
SHA256 a9b02efc2370d2521d3fca801f47a2d4b3ef35ebd9d5d33237772d094f7b0d21
SHA512 991e7964e023cc4038be7f0bb3839ba5b27fd89ec9d1e74008cb0dd0f6d10caec0e14c4626c0ac75a52ac45eeb973c9069ba20831020ed4c58bfc6e1c9717089

C:\Windows\SysWOW64\Dekdikhc.exe

MD5 cae30e490a79f1f436c301b02dbf3af1
SHA1 0cca9e8f2f82b4eab575a2ecdc5ea890db214371
SHA256 5e7200fc4e7d4adfdb6f3c6a3ee563973f3bff69d52a0eb901a257fc59e53c6c
SHA512 bb338c2950d4b48e64d4e63d0de11462a9aae423fdf4cd766fbd3308bf1af52cf83a665b3b590d29b0cd919765ad7684e96bb7517fc2473b3188262096b85184

C:\Windows\SysWOW64\Dgiaefgg.exe

MD5 22a191c8f97dce69fe39ea580ce60244
SHA1 88f19125ecf2dfdcff79180c30e231f0c5b776d5
SHA256 f8a04c9f50ef5a0abe6fe823255d810c8a7e59c517d77e537edf617e2877d240
SHA512 e81aa9629b102f80a41fa65039cc430917f2cdaeff8afb4550a2ee3d30397048a16242b0b1fa1b505f02f60194fe74996b589088ac68e9779782037711b0d23f

C:\Windows\SysWOW64\Dppigchi.exe

MD5 ee73c9c73a43afc39e8ed4de20652e62
SHA1 049188efbaa217839882b96673168d6deedb8621
SHA256 c8ffa45899235a8c9e9f6993f8fe3f983309906d62c1dfb63484ed9dc55c2c96
SHA512 a6afd76340a7077d2755b4cec7e497b95a4b703ff0a5ace2babc92099d8ddc7eab23ed45738dc04d0d65bbc33afd4c07375e05f176580955017736c05a153ff1

C:\Windows\SysWOW64\Dboeco32.exe

MD5 8af40ae6c360d8c6f2fd315f749c0280
SHA1 d6ae409eb0cd2c99a20b0055ef7f636b22dcace2
SHA256 9a76758b72a90291c8941e8244c306d95323089814437f08b590f9ef2b1edcf6
SHA512 4a393e4e6c6a8cdc8a88dcc29782affd87bd5a1c07de377af20fb4f66c88acb1ed6d860634d03039a1d25e66cfbec23f6d9e62158683232eb57edba841eeb7d7

C:\Windows\SysWOW64\Demaoj32.exe

MD5 b7409b30fe8d6be616528264917068ae
SHA1 af07318b28f1e00a5af21df688e800e78f880145
SHA256 6da2aeae44d37fc74995661b2df2bb970b3bd35810c847d825e8030b797ba318
SHA512 cff541a54eb1bcc9cc788e481655c77d2c5c5d648524dc67c7108263ce85cd7dd97cefdf8dd03f67a4cc878f5d4b53266d58a020d4995e5f61a9f2b521537d86

C:\Windows\SysWOW64\Djjjga32.exe

MD5 72cbd5236f33821b12031a96df9899ab
SHA1 ae4bdedb36032f06ecb019fa7358d72ce9d827e0
SHA256 f535d9a03c0662093cc1ec618cc48ab382009478032afce3ddcf5c991ba8146c
SHA512 d335e0f72d1fe7b74b8ef935c5e05fbb3950310f725afd7ff73bc2fc20daddee1bd7d2693f5b5a3be80646124feb3de378d35714f33deedfa1fe3025a91015ee

C:\Windows\SysWOW64\Dbabho32.exe

MD5 af748763b93e07539dd79d8412ede863
SHA1 c42936fb032bd3e2cdd33951e522c7a333e879db
SHA256 705d1dfe1bf041b4229f32f760dadbdc52ab153c72f6789a3c50e956d7f6179a
SHA512 7e1e75235635d55820403ee936cff371ca34519f21b0fe6a33caecdd296b39edadb52c4f844eb8203e8c2accd9252a9b0063cccc1c3d62e81f7d2ab4646dd631

C:\Windows\SysWOW64\Deondj32.exe

MD5 c7874b0ae0842cd8629f6f2bd5dc3a45
SHA1 5ca29e32ac2b6e79f57ee99f6e14667dc3ad9ce2
SHA256 3cf1884fbdadae29fc9fcb3214238e2d83fd31322e69ddcb38d93a7ea84c2cfd
SHA512 a6569b3c1f6f09c102e5860a840fa7b50e51e44352f2f31f002709d8142e78d787a10ff362490d895ad64cb3d12e3bffb9736b2b2d5e700259fa1605cd4063d9

C:\Windows\SysWOW64\Dgnjqe32.exe

MD5 91d174a075b7d9f15fe4a1109141404c
SHA1 14632a1578b2e4db4afb4c79d65ca66bdcbd8ce0
SHA256 e940ae771a9cd601a30775797acabf6e980c5a8b4734e60a3ee8e55c2787737a
SHA512 175ce4ea3edff41ec1c764656212877a93f02f7cf861c29a65418814cf23cb76711a5c3aa5f2f936ddda336a77fcca4072ca7c0ff8849c254c373223dff9f538

C:\Windows\SysWOW64\Dlifadkk.exe

MD5 ada52ba1d149e161d73e9e060f08536a
SHA1 a7ea79bb678553f6aeeb5de28fc6b9a4fa9282ae
SHA256 35b8ddd57c8ffbe719ba21fffabc199417cd4a94e9bca191e25b7d6f742cc2fa
SHA512 5895fd23fb07debb92c078922283e1ea8091c91e61b5258df19cce781ff38762d293a27a557a884437f3f1e709773ecc57153d78e0be31141f3aa4f64512d466

C:\Windows\SysWOW64\Djlfma32.exe

MD5 6a220b734b4d051f3b8a33d7010c132f
SHA1 e26bfa35d46eff62e2075dbb1432dc029ae47e97
SHA256 823a118bf2d0ddc248b1083d185dcbfb0a392d1cda4792653ec2949f0554ef87
SHA512 4b231e5276ed3aedcde39d163c816cf7a4f185a125fcf5800aafe3bffac9ebd845d2427a7cd84b66a3a532b12ebe59e6aedeb6b5a645490bbb8079fa39cd174e

C:\Windows\SysWOW64\Dnhbmpkn.exe

MD5 ccbec767602c53274f82c56db3da9c69
SHA1 7ba437568d3a856aa0149f720bb1a9bd3adccc3d
SHA256 603b1c250bde3565dcdcd14336534425b22a7ae1a2e012b65034cee413fe4895
SHA512 a002484b48b86dbaea1946577a9e24bd46ca0a59205dfba23daef6465b18d33c12e0ad459f18456bb729f9f6f8304ab80ac3098755ecbbf5659689a4bf88e68a

C:\Windows\SysWOW64\Deakjjbk.exe

MD5 d89fde2b6afd38dfbf95c15f4daff5c8
SHA1 22bb8e2b0d59d20cc91507adfb942371711b7687
SHA256 2459805d62de2116cac1d447aea337dc5c3f91bb1ea8e747df2250cbc989701c
SHA512 94d6ad9d17b49804a792be3767c25acc4afbc912556ec22fd67c3342cba8f93e1e3942267c20f6b668714ebd2bf4cb8f9896501b231182080579a41b65916190

C:\Windows\SysWOW64\Dcdkef32.exe

MD5 ad865e2b1f1236b82b19ae9ac6326665
SHA1 9f242e97b8521ade2ff266f9cfacbbdc62e5d097
SHA256 3dd6d2691cebe25d9df842a067f8f62f12b56bfa64fc984deb2c6fe6d429cda5
SHA512 3675675f9a7db4afba3403385ef6559afc47d793b0762cdce7cba6b56c93cf4aaa0b7f57c1a5da7619f527b81c963f678772fe56d3575c358d31e399e63997b4

C:\Windows\SysWOW64\Dfcgbb32.exe

MD5 d04e8db57d4bfd5f294f5b7d753b9553
SHA1 7b49a90aa64ed1db09aae22a80029732668f0ce3
SHA256 cf10de17d10e1b8c51fff95f5b980a88cc7f162dfc2ad015e1aaed8f50b8b83e
SHA512 fe6686ca08d6f75b4e9821efd72bd235879560966225c4e9e7900f0523d16d4f60fd1fb19b21f9e77c84bf9c7f6ae5a6a4f45f27cdbcc85f725e3308cbb7f0ec

C:\Windows\SysWOW64\Dnjoco32.exe

MD5 c43ba5cdfad97cf26318b62d8a6836d1
SHA1 a58c0aad81879061a86e9565f42d906823fa03f8
SHA256 2615a87e94d14591e05a684a7b8b471c9fd4bb759a944191a014e90d2ba850c5
SHA512 e024d247f9a8edbfc3abbab78351774cd524b854b0fd018fd73b76b7e58ab60051bd1320f426943345ed5f3dd17d08ed561696d493eaee6001f3c40045bc6a9d

C:\Windows\SysWOW64\Dahkok32.exe

MD5 34ad81f736d0823a48cd3d50508a21e9
SHA1 55a8c3a64dd6762bae101bacbc762016e8dcb58e
SHA256 f545a176de3f24ccf0ae5fe24508d547ed397c51549a8e61a314e104f3526c6d
SHA512 728ab9eb900809b26e42bc940959387fec067e634bc2172709d352849a8a58264b0411b6b17af56da4e6fd60f64b968c9a2dae6940bddc5f0d019ecc3b3292fb

C:\Windows\SysWOW64\Dhbdleol.exe

MD5 56d4c11a79fd3cd0ee0e91a23772295b
SHA1 c61bfb08b72fcaea7203fbcf499b8ae09f18ce55
SHA256 b1983f8cdd244cce15bfe21cd9157df8d74146d6a6fa518f81ce45171fce7e74
SHA512 16bc8a0af10827544e8d1727c0f25ac13cf5a61f91b6a98cbede12312d5ea38711dc45369bf958fe8bd62963fa4f725820915e79b0702532a3df7c5778ce0b68

C:\Windows\SysWOW64\Efedga32.exe

MD5 e0882b0bbc75b5fdd64b4878710757ec
SHA1 c0620764a0e5164cce7964fd2d40868d58bb43ba
SHA256 20747a860233040c9acc9660632002d793c4d804013fc3a2a50076b556ff4420
SHA512 9335228120e18a1b39d69f158aa20401f82ddf17f5ae9e91d160c953af6c5662575f9a5e7b9df7b71ef9282b27554ddc6a4de254bfc487e195c56e18e788598c

C:\Windows\SysWOW64\Eicpcm32.exe

MD5 92d5ea3d5cb64a83af7a7816fdd3e7be
SHA1 ef70205f55cfc8a239495b22f76630dac6eb65b1
SHA256 6bcae6b357b164cd48f2066a474743f7474deabbf39d6a870a2be8e337643397
SHA512 bf6cc06561af1b755fa6b3eff9bfd1c6a0186e85c844b8e160ef9503d7b2ab0fb849e18d06a4469a55ac09e1f8e207b4e118f5c429c53ec8c318867a01ddcf6e

C:\Windows\SysWOW64\Emoldlmc.exe

MD5 0584969dec3539b480485f8f13f6b7f5
SHA1 fa9e67132b0055eda8dabe3cdd305cf4ad709e13
SHA256 0ccde6505f0a9210c08871e06a0f9b5d55da8bbb076b5b0f2ea9e93a7b9e356f
SHA512 4e581b73ed9de6062da06b0b64f3120977d251919c073ff291f37433bde3b0caa9d41aa0eded12f934f261b1f976af0f4bfd48047870489b75dbbf9aeda2ac3b

C:\Windows\SysWOW64\Epnhpglg.exe

MD5 dadeea799eefc1212b85148806f5a4d7
SHA1 603d76a89802719d1e258b42040f8fa1a9310d5c
SHA256 ae7bc403bcfbda3d1e0e5c31655080e426e84eb0150facac796ae31a664283b8
SHA512 c5f3ff0f267b1657d3e798390004cd490687ec41237f0790fd3248e75e343435c707325022b956a19567160bb1b2093deb745e12714edd89d1f3a9b5a13bfddd

C:\Windows\SysWOW64\Edidqf32.exe

MD5 84dfb7bedfd178a312386718eb4c1aba
SHA1 9f3f7758d1e52ed209f8ab0b388632f6009c31df
SHA256 83aac10e59e0ad443ef50abafafc32ab53170dcbe2fd9e381ed23d40b6bf68f0
SHA512 8713aebe711f8aa6fbb3adb87239b6fab54541562ab0122c2f09bd27477a50ef562067c635a8a7b937234687e702d3c304d579c752e00e06f050f29bf9e35a37

C:\Windows\SysWOW64\Eblelb32.exe

MD5 55b9d3c3d8a7b545d2968a4f4a2968ae
SHA1 51ceeaf80cc4e7be5a3c8daa0f7cadddfec5a9a0
SHA256 5bb4b648ebcd455c486a580adb1e2084a4bd39f428485699f75ce2c7edfef7d8
SHA512 308d3601e31e5b3265d81eccaa2919aea45f21735cf24d33ec37ab5182e277dff686c4aed6f79df20daf24ee68853cc3ecb8f675983026f509e6f554b919f51c

C:\Windows\SysWOW64\Ejcmmp32.exe

MD5 1a74a8b8f2721cb385ff7a06dd8b570e
SHA1 f308a550ef6acc5703dc5394bc50d1fb40faafa6
SHA256 d760a57937943932398dce24abe999225415c85f6046daad192b462d7b7d1889
SHA512 2306e81d3a5d8a6e120b9113f72d15598b0efcb037467f813e048072990d87ca15c318b02006d7541036e1a27e61ed07754c481bc44f1d11688b3e6e602e4c3b

C:\Windows\SysWOW64\Eifmimch.exe

MD5 fd2dc4ebee70e2d554d4981c362fa77a
SHA1 f4f1ee20bb8f6277f5efbd7e855733341917d3b7
SHA256 ae5a945ca6b9cfc105816f1747c9cd28dc0e06313ce199e062ae640bfb1d8402
SHA512 cc6a080de9b50d5597de3688d90208225372f1654cc66182aedd9098c349dd0a277d45aff042faa7de7da6822635a0be8b21811a4388cb7d973c5e9332b28aec

C:\Windows\SysWOW64\Emaijk32.exe

MD5 6bf5b024a0fc52b3aeb13a85a3d4bc72
SHA1 56bec25166650475d400314ed3dcdf2d954f60c4
SHA256 e32c84f64697e889c815b9c5d3249656f3e679cca75a05b9a80a8b42e864a3dc
SHA512 512c1a2f94a0a8c516f7717e2e1d18a9365b06c2076dccc5c67401e1fa92d719d77dd54b13be6b939f5bf0ef79d0a211ffbd4c5cdfbaa9a03a21bc388abd9a90

C:\Windows\SysWOW64\Eppefg32.exe

MD5 55c527de361612949a3ef87906833a0f
SHA1 b5b74201244af8fc2cb5987a8d82aa872495d651
SHA256 db20db99e9f0d7e350b9452ebe88a3f782fe635e9122626286674d11d26c7373
SHA512 28c4ef8a775e804b0259276d7c56cf2e6d4580dc62015c3fb79e788a627586b51077458a365221167c53e913ad456b893a7bd9fe4c0b5d396dc8e68ddb2a196a

C:\Windows\SysWOW64\Ebnabb32.exe

MD5 1aba8cc318f173d3c0c312b386b552a1
SHA1 597f90435e0acc11c46e627025e08c67d08bd3b1
SHA256 68b046f3487832cf9b94ad732ea0fa55b0483fa9c74d18d08656d36f1f4261e9
SHA512 88a72086d412f44466e81856b618eedfc8d23fd1078c24588d83d68870bd305f6fa5ec104be84a073e8ee6c3a9ae687eb6262628270c3544688e51c4187a27af

C:\Windows\SysWOW64\Eemnnn32.exe

MD5 627395ddba34a0ae933345a61d47a4c4
SHA1 389c6158a41fa776e7fbc0125374c71ed65f4850
SHA256 2e3f4b6cd36d733520defff76f05d47dbd1448687b1a6fda5b99d118c59ca7c7
SHA512 6612cbef7b4a07857a57edd45e65fa3ea0c53af123622d5b76a86ed8fbaede6bca917880fa03cf986ab52f4c8f6860b79bf4fa222e08dd0dbf7bb4e109023267

C:\Windows\SysWOW64\Eihjolae.exe

MD5 5866268c594eb28bc0cc6dcb5a1c33e3
SHA1 fdc62bc0eb0c423baa5801a65785fdb29a03e44e
SHA256 ce7e01971b178bc080bc90a18393aab14cf02e85a87e063646c0faccb786fc93
SHA512 bcc75451dce6ff73786fe166b9d8f03277671f2c14537d4301062a9068f768db6b5eda2690deb55109d44ebe7affc74e383f5071cd0e206a6a6fb030b7f131fb

C:\Windows\SysWOW64\Elgfkhpi.exe

MD5 d4c0521fa3f2dc21c2f8121a2af724b5
SHA1 ec67976bad3f2a1c03cbb0cc23f7d8b0a61e3c4a
SHA256 796ad314fca2d516c80be2564eb582786dae018ebc7da90122a398ada74f1a80
SHA512 5c98fca683787fb0be9c958da5681f310df16de405da916b9b4cd68d5030bb80c1e96c448613d0dad1dbd77357e9f2b1eff854f87fd84475f141a94758e43cc8

C:\Windows\SysWOW64\Eoebgcol.exe

MD5 59e7e9002e1f265260640372b3862d20
SHA1 e725d96814e4118a9354119edea0d3a5b0bdf643
SHA256 40b7410c83d967e96eee3f66bcdc5c6e2ffc01496067999da0be7bedb679261e
SHA512 61b8dbd8d76a45580f80adcaceef785e91f342ff635cd28133000d79e8f325467c25e696ebc39195b0af1381c0416d9e325a25b3c461f4dfaf3420e522ef64f5

C:\Windows\SysWOW64\Ebqngb32.exe

MD5 18c931bf6964dcfb911390bf1f8d2504
SHA1 5a2c07aaa8aebc253b34c49fd9f054c95e6e23e8
SHA256 c6d78051d409b41b177a185a88cff2c4a8869e645f469faafd793db3b1943233
SHA512 4ca2523fd641f29808897d074159cdaab21816df07574e5a3fbf020d7d627816ae8619cdaae687009da1cf47da4f1c43998e642736dd4244d747621d7c021aff

C:\Windows\SysWOW64\Efljhq32.exe

MD5 8b9dedfea3679b6f3a87416bff478541
SHA1 0afd1092cb150231598176fd5c89fac470e0d5c1
SHA256 d7a57583a24059d2e97ca0d8930b3eeb81e0125f03d8456cbdfb1a7626995856
SHA512 20a0af02e4234fb512050955307879b892754f8e9751135df9512d33fe7d24795a6d0e28662d6b8ae5159863ca281efcf71813ea4d3d46fa04123553d4b9e5b7

C:\Windows\SysWOW64\Eeojcmfi.exe

MD5 42258aef85a238b1e849ba0aae61d799
SHA1 87111a90095b2930481f9596513b45394771f1c2
SHA256 c91afb9578c5c7363dc9e3ebe73856ee500370813ccd246b9ee7a0895dc322c8
SHA512 0d508c93ebe97b56195895e3954dbdc296817a1af7f3108f57a3782b0d0919b93038ef677e194ea38d46901997b025e35414e23b95d874462f68673b422c1361

C:\Windows\SysWOW64\Ehnfpifm.exe

MD5 5c5d8fa236ef20be130725f68c195be5
SHA1 ad53f76692d5b15d0a474ae12255e66b3c659148
SHA256 b8eb1d6219c06f44bc2861f316d4737a1e8d877967363b832ee28912105d95ea
SHA512 217cc22035dcdb5d7208ab96ba0b92014ec6babf897d689f1c5fc0d8cc07681349a286448875dbbe49cc48923a76908dcd5938d6d519b1ac4d044e7aaf5cedba

C:\Windows\SysWOW64\Elibpg32.exe

MD5 52e7f8a9ee8e3dfadf224091fd1e405c
SHA1 a696c6c1862a316c59964633f21a58f29b1d6603
SHA256 a648c5471b83f5fd7eebe08e3c5e426163169fd752ba613e1f8a5bbdc18cde06
SHA512 4a1c6bd72d795ab4b82826064a9afea683be44ccf45d0242919221e2cf6342889978ea7eaafff7a3755af566da3b525b41bf38fa4d8a947d70c373360c4fe068

C:\Windows\SysWOW64\Eogolc32.exe

MD5 22e32c0638d6d42ef7bdc4224d9e1bc9
SHA1 7e2a8eda05578796c36429cbde93b502ccd50328
SHA256 a5755b5eda6cac414c3c68ea6460e8b3750ca59e472fb97024d971126b7a092f
SHA512 61510ed8e32eabdd0b1c3405b81b3cc10045eda9417626572099dd077f78492a71c8d95b7fa52d7037f3e00b643bed38902b30dd548267cfa31c57bc1b022140

C:\Windows\SysWOW64\Eeagimdf.exe

MD5 1e045dffacdcf2dfa17ad7d41c70ff53
SHA1 cb3bfb5163c668573c470dff0ccf494f46477a4a
SHA256 5d1826d5a755ec763b11d4d1cf71f0993f09c424b2ce105ffa86f6a19570a397
SHA512 d5c426b6a2d6df2a03b25ee96d797b38d19f73737e7579b5e995cb19eb09813aef95660b7e5eb29e1d66faec1f43e0b9c1370e8a82c290b810ef446ac355c6fe

C:\Windows\SysWOW64\Eimcjl32.exe

MD5 12609eaa7c51f2a82020fec44eeabd71
SHA1 036b449e593be72be5c487c392417883d0b1ad68
SHA256 da2f9c056d4d7b1183db7267638584d4621d9c906e90fbbaaf6f388466c25048
SHA512 8331392a98e67e73793e380490a872b2327a74985453087ad87d8bdfa299f81bd61cac4dba4b939d9a88138c3edce3a415ca19fbf7fb5957d51c3e9ae2eab2a5

C:\Windows\SysWOW64\Elkofg32.exe

MD5 104977b1b93acbf37b644c6fb4622bfe
SHA1 582c83aa64d94176d02771b1f0eb894e78a4f46d
SHA256 a487ebc30928a558b235474ac65e7caffbd039e8ea5d6423bfcc7d8bed148104
SHA512 cabf2d2a8bfb07b00a828f83b353be26ac79f79741000bba75094a89559e674977eaf9a07380e3176d3d960f034dbde08b9fa4e251cee3f1629c2538e046f769

C:\Windows\SysWOW64\Eojlbb32.exe

MD5 c54fcab6bec2638bcf49555061c4569e
SHA1 cd5641afc4452b98c43947c923d80a060ddff449
SHA256 21fa9a0645d18ca090221981634a5a49f0b9539ab962b6fd4901298c3d6286bb
SHA512 5888e99d93b36cb67846f3079b9a7d4a80c00c3a6eddd98276a37901b57092a2d59f8502b38f32b66de3ed5ef61ab474e8a422bc60f5259067b63254f3fd4a31

C:\Windows\SysWOW64\Fahhnn32.exe

MD5 6291d24bd109c948dd2d426cde122fca
SHA1 9ff570b16a24bf0b7b54fb8fd4fb1bd7cb20b956
SHA256 93c42891dc6f9a7fb3232a07f2d9468be4281fe0ff9132347e17ccb63e5c6a02
SHA512 8163171c2f3a9c8272a3d0ee02cb7bd516efbfd1a75e584671399345bf32533d9b233518234f02798840f4108eaadbfede1d5699d4e3abe0d9006b61e4a1fd80

C:\Windows\SysWOW64\Feddombd.exe

MD5 c63db00066f6d955e7f204be77e1bced
SHA1 534df9a3625d2f9037e4bd9ea3d05a8366a38c04
SHA256 d79873b5d6f8e11631c253f5b3e22ec9b42647f757c85a0318a2d814c72dd257
SHA512 f3f184dfc227823160b035cab7e51a84c542dd7be263e6333e8911e25934d2e4956a541c52ac80900b3bfc07caa21799bbb69d0af9d6da777bd2561794dfd855

C:\Windows\SysWOW64\Fdgdji32.exe

MD5 94ec92813b5cf97c068f4f4aad545f63
SHA1 228fc8a9caf26be95120a9e5b165b544bb4b6ddf
SHA256 4599f05d52eeb2f66fda8a1f8184b1993c7463d627750cd6d3014740d16b2b44
SHA512 ac088a4fbae4a97bf14eaa8fb37c308c1ae05fc24d6a63b064ea8092a7879d58e84b802017585eafa192ea2156af5e2e661786195a8ad0fa1f4cdc4d56909f2b

C:\Windows\SysWOW64\Flnlkgjq.exe

MD5 59329548b56d1467f699bfc496f31221
SHA1 fb407d7cff0ecc62d66808121ab25bb57b51bb2b
SHA256 4acc010edaa85864caac45ab1ad51797feaedbb465cbfbf9bfeb5410d2aaa1d9
SHA512 5b4af627b9608423aae6169ba2d7a3cbec85d4d48287a056b970f27a43d274fa8172c89ddd3f1562eaab30c34cb89f420f1a0608ae054928ac118314d2f07b0c

C:\Windows\SysWOW64\Fkqlgc32.exe

MD5 a216994946c08439589c06880bfce4e7
SHA1 3a6dd54ffc6d2faa50c537d657c22dd71543f4d5
SHA256 dd0dc6401f36545b847429e2c5cf09a55be31e1f01bb7f59f11f89508394ac59
SHA512 4745524f1428de62e35d80cb56de0fe9e05f150a710965d3536cacb05eeae222772f93a110dae1073b13a9f91b4d71a071e7820dcc43c2029d70f0004cef6c80

C:\Windows\SysWOW64\Fmohco32.exe

MD5 0e03e877508bfd5f8c268581cacb3772
SHA1 7e9f337a75cda6b0cc09d3b09956c25e0f88b297
SHA256 237c6cb2723d914f89157e9f9df5d08d01d78dca4779e5759f224b940888d7b4
SHA512 39edb228486d2b5b658b0bde951f4ba8a254d0044e7e467613d369d57f0d2e7f78b32800cab89fe06c3095dbed77c00a72afb9eca9b688c29e1d258e94d810f8

C:\Windows\SysWOW64\Fdiqpigl.exe

MD5 b5c57b91fb82601fe6a04a819869bbe2
SHA1 fe1c0688292e264f1342bd98e187708eeba4d917
SHA256 034281257f7453584c032d8e292c0cb430820174c3538de5ed246914486d1485
SHA512 505714f195e293067883b80f1d8c5c5a4ae37365ef4eed455cc5846e6a7cf2494f1004c264dcb9e6ec9cdd80b15532d015d45c1d340df667ea6f95bba2919dd8

C:\Windows\SysWOW64\Fefqdl32.exe

MD5 3b10e4bed3d10ebb5f9707d0310df97e
SHA1 8cc881dfb019ca922d05e14425549b152932477e
SHA256 9c5d67fecca3eef3ca58d307446fc9fba2ca90f87cce44efbf1e85994cb387a1
SHA512 77b3882a42eb40bb9e711e5dd49584a9a988e3bf38cce4a90cba229ccfbd36608121ed09c4eadc29d2e38428f8eacc50ec9cca3e39cb89de3ee52af95a4e7b71

C:\Windows\SysWOW64\Fkcilc32.exe

MD5 d6f95ec833e01a5e344d7a003965f8c2
SHA1 6d438904f491a07c524d3c40609f56c6e2ef594b
SHA256 322f96048b15ff912370bae567d3b9793d6a704cccdcba0e07818c61bafb9b88
SHA512 650d98cb6ee26121ab266f30e2e8ddc4b55e0875afb0f614a608386e49976452698a3f2ad140965c770a4947a9476fb85cf6e114ccba60e0732d8f4ab8798934

C:\Windows\SysWOW64\Fmaeho32.exe

MD5 5dcb0c92c8be3cb12309ab539cd14f10
SHA1 1af8961884c58ded7b261f20c51b45d81c9a25cf
SHA256 43f52df9f331c291fac41ee37444d4089e38c5affe7496e1e0575244904a17de
SHA512 6c9ee0d7b67ee61071872ab206d938fc8d16cfc86b1dc49a0334aad688b40be54cd6609a860e80570ce14cdf9812ba0f238946fc6fedf2e0df1df3b284e973b3

C:\Windows\SysWOW64\Famaimfe.exe

MD5 eb1ae2a653bdecd2d58dc9b82e3636bc
SHA1 87cc682c884f09a34cc1af91488ef48f6226c991
SHA256 4f2f0c5e19e7badcdafc487fca7fd91e305f27305554b1879a7cfc0ba6dcf18f
SHA512 dbb138a94274987a97a57ad9a9209bff13eb185381885c116d1fc87250b2d513da55a2fe5b022174db04ae71f1bc249563696be5d65a2d8537d85d500204421f

C:\Windows\SysWOW64\Fdkmeiei.exe

MD5 216d5c2bf6f2a8e376e214db5cf727f9
SHA1 fd091458bfba4fd43fbe05e564937b3f77395dd2
SHA256 b8f2862bdddb0fb3717b4b588765ac9260b57512a9efeadfc87702ec2848b523
SHA512 906fd46536ea0b6ae3a389a99cdb478a2c9fc6a9598d6e549d6fe94e8c249a89cb9d9e19b2dee60a21df77be79374996399baa9596277ac76990c4e1ebab353e

C:\Windows\SysWOW64\Fhgifgnb.exe

MD5 023357146814e1c99ab362a23b76daa1
SHA1 6bc99ef8c8339b4f9512c04c00316f8dea6d47ac
SHA256 346747908996d62f5b1aa14f8fd53b110ca38906a875b53db0eb479517eba68e
SHA512 cb6fb4ca78e03d3a93b5deb7ce00477af7abaeec88f26be9b5b9404566463b83f7bf5f662a36c58df4eedb803363559f7f579629a7bffd64dc159343c8ac3320

C:\Windows\SysWOW64\Fgjjad32.exe

MD5 c77b9d5b818e7dcb3382b06e185296ad
SHA1 3c70c6b926d903c11370e79baff4ef53d2d1f11b
SHA256 8144b1c139dd2ddd9d3cf6c00783e0748b55025c3790bbfbc655ddcb2e2cea7f
SHA512 4f30d15f513a436c4680475197a9f68281e4e86c470d98d3e01198ff32304695b78a3815bb596198b6728369ff36350a2b6e400fbe819edb7902ec4d3140a634

C:\Windows\SysWOW64\Fmdbnnlj.exe

MD5 245ea970f6375f49cdbb57d7296c92da
SHA1 64319d4b2064ff0512355e533b4897fd5892b80e
SHA256 467aa0598c00ddd3bb8a1624745ccbbbb08fb9e7d7b8fc57cdaa38e19f2b003f
SHA512 e480361bb75826d37fea1549bd38642361dca807a4105278cf9236648d53df355bbc3c06d05fb3af4d5dc62c2d9a7542b42eb1d21f686051dc569c7d02b23be3

C:\Windows\SysWOW64\Fpbnjjkm.exe

MD5 c7e32486c41c0de75e84911d357bca75
SHA1 5bd2500193470747b9a7bcf3c377745ba0c43e8b
SHA256 8a2c4608c7a9f4796f3cea7c6663b291a400b89fd856867b0d46bf8ad4765125
SHA512 529fc2e5ef196261d2f3779b87fec291af380fca5cecfc666cd98f1c451ac0985ab07a82f1504d64089d851e92f1a8be84d3d0bce7ad7769298a34dd71dc3c9f

C:\Windows\SysWOW64\Fcqjfeja.exe

MD5 4e51c56342fbbaa795bf932da2248ddd
SHA1 6544ee53ee719a767b9fd3dc15ee3f9c3e4dab0c
SHA256 8aea151c7d6f53e45baeed8f4304ea9f061e9ceab4105c54f654541c06ddaaa1
SHA512 8247ea1587b6c58a46e604f21f7205fcb4286ecdc593a9b868258437c699c1f0fcc61ce6f412ddf3724e480bbae28ebd4a1a80a4767b64184f4f0673a124ee9c

C:\Windows\SysWOW64\Fglfgd32.exe

MD5 b0d7678d6d935b8e093a013f88b2522b
SHA1 2164f1269f660abda76cc76e9a3571e3139c5ba4
SHA256 79cb64fb07fb2488b0e40eeb06f18e4b12f11bf142cbbba0d90a86a0c0023cda
SHA512 6de1b3714a6d2f2dd6b55be351e79e2150f20291ad6241e677b6cdd3c40a37c5df70d7d6523219ba7142d0270a81b04430c5006a1228be5b4fdf99a560012df8

C:\Windows\SysWOW64\Fmfocnjg.exe

MD5 65a06171cdcf0c740f74978aad70b8ab
SHA1 d676d8ce1b6a1a9621bd204f8d1f62e8d7975930
SHA256 fbff580a5c484ad1b5808cfe0daa2638eb44d3b448b2837de715776ad49af7ba
SHA512 7bfdd485afe0d870c76527f44a9f7e8622e367687512c811577d48c0a997af505c635706a778508db89ac5bf3d2a97e933735b037def698b17a05d3d8d1c2aa3

C:\Windows\SysWOW64\Fccglehn.exe

MD5 12f468f1287052530c4df7731376f68e
SHA1 1f4c61a6ac84cd2cfc64a41e0405c3b4311c8eb5
SHA256 33561e11c5d46fea165d78131ee25b87d506be3e99ac995d577a5e04b8db233f
SHA512 c61ec1120fc4b7a35da244f70c2a826678a2336ff98f0d2067773a47cc0eafe25b0c783c9aae8ba70286300eec748a7ec1050b7e08e0fae8e7c5d9a4fcc68810

C:\Windows\SysWOW64\Feachqgb.exe

MD5 606f1d2e8264dca0ad04d144eb65f248
SHA1 b4175cc601d17d546220a3b147ad161a1cb5f575
SHA256 dd49888a1fba2744863510e4826be35f8824260d127ba4067bb079aa9dd4eb79
SHA512 61d7484895c714a13ef5fd3a0bed22ddcd233742c6b868e9f04b94892607e5dcd5438577b450bdfd3e2479c0c47bff222bddb0d12d33979708fc95afc2150c18

C:\Windows\SysWOW64\Fimoiopk.exe

MD5 913294ba502cafc14fd014de1d7fe097
SHA1 20d27f464d036e8bb8efbde255af55143a90da69
SHA256 184bffff9570ca0686905fa16751b7ab4d704acbd1ba551b7e2c455bc85d41d3
SHA512 688fa5202082990e4c5918d11faceb2b8f45f386741b7083a170a69a9a8faa374fa31b1964a8fbf3e0f10377140c1b5d87a6b780398368f2e4921fb61415377e

C:\Windows\SysWOW64\Glklejoo.exe

MD5 0ed14400e086e903942d8b649b641041
SHA1 9f13c6f10d36be78621415344468580f3ca0a1ac
SHA256 485eeb510f5e53e62eceba59f6565b9afd21be08d16923ceefc581028f38f66e
SHA512 0057e9b5901f93ae295968fb854ed2f6d3102790310154be1560c58260bbc1ec836017502106f1e5b02f0bf79cabfe85638787d6f7a7342b9364ddafcf5fc963

C:\Windows\SysWOW64\Gojhafnb.exe

MD5 015b8784689710764a0aa8052ead3874
SHA1 0c54edd6f7100d75bdd5ab6d0503622cb23d0cde
SHA256 c296edb0ffc0285cfbc869f1d4463edcba25b223ac3797f793d78eb828e33feb
SHA512 04a0ad9937b2f22c92287dd07078616fee3efa6a6a4f835e53c242619cc0d567beedde3901f6a6b099c12dde4f26490d7b9895c112400216e3afb38649275180

C:\Windows\SysWOW64\Gcedad32.exe

MD5 e628286fefaba8bc4f49f51157ba3e81
SHA1 ee0efecd8c7cfeb526f63a42890560791963ae53
SHA256 f9218ed22d38096adc1bac3d371114eca7037df1838f7d3bfba0aabb587e39ea
SHA512 7d74c1c3b2de35e0bbbed18b4b0133884b6b7a2fbb684dcf59e1b308ecf848972e7e5d77dad0cf15a3dad5a1aa8193415f310fe796ab5c03404ec0bcb302e879

C:\Windows\SysWOW64\Gecpnp32.exe

MD5 26ce6ef8c0b7369d0867a11e4283ca3f
SHA1 62b4f8153ef07b3bbc6c06702569573bb7a087c5
SHA256 1a08ccce7702c0748eecf7290545f1631cb8109b27e9779d73f00595945b7d22
SHA512 00456c4e3bd67a6a7e9c1569cdf6f17cf2370dbbef54a1d4590a748fcc0e46347ffbcc65d061bb6382d676625d10822f8946ea225d2870c926a6eda5d4f44390

C:\Windows\SysWOW64\Ghbljk32.exe

MD5 9647a5c7782b9e4814b72b3a2ee6a222
SHA1 e5885662485d9c6b83190266aebf1ee657b741dc
SHA256 e30049ddcb73c94f81f3e8a4ab87e15457b1d27b541f9051912c89f87aa39ef0
SHA512 7bea141548bb43e0ec1b7d0979f9abb4b6a40eb7b8acb0306caa66e4e2e5e4e406fd616445b03dbb3ae4ad24df4b91563d44133ebab0ec3287934821b97c139c

C:\Windows\SysWOW64\Gpidki32.exe

MD5 87dc30f75320414a41c3208994cc2055
SHA1 e876a918ca92e8c250f24428d3216d6765fe8194
SHA256 cc94ee75ec9a90e101c3da69b86930c2399833b6be7e9d09ec4c74e7dc2681e7
SHA512 38f187cc85f7f6d07f76b0969e1bab415abfa3330e0f3b38c52032b39ec22db2423b30dd336024e21bf2cd6c5982460e8fe6893b79cd3141c1b374966bb24cca

C:\Windows\SysWOW64\Goldfelp.exe

MD5 7474ecf210082d0efa1864056a1fcb1c
SHA1 06f70df84d74beeceaa3e93280c69cf814081175
SHA256 234325752fb1bdf22373456d3ac4591d9345460a1173b34d943250041c2ef314
SHA512 63cf2cf6a29d868023a6afbf084909c937cbb5e569972f0ed0d4f903d32bd48164e15a8c3425c49747e54ec776a837066af3f27e4f49f06ae6e20bccfc3dc0cd

C:\Windows\SysWOW64\Gajqbakc.exe

MD5 9dc5af4b0876003300a61cb68e4774ba
SHA1 8308c58f8f871172357fe93a143b04d151ae9ff0
SHA256 4e6367c914d3f40b77098ef74431b344f2c94505c2cd1d3aa33609311172ab75
SHA512 e9c1e4cd6d8d86eb48a9d53524a629456e35245893e5fbfb321b8b207f625e97d8dc29414ccf84e4d2187b0d3626e0d4e47f64f2e9275c4fbe4f7dbee787bc57

C:\Windows\SysWOW64\Giaidnkf.exe

MD5 47551eac59d1fd21cdf1f22749b3f923
SHA1 7fdd2d6fd1db27caa08bfa65bf8e39536104cc8a
SHA256 0e951d29b7d1618c7b8d3f17d1ee4b56a1c92fe3c7d0f5054078042c499faa8d
SHA512 6e119d4ddd25edfb0e614655266281ef3ecf85ca791ccb75384dc62e0a3d839ef67a999feb16dd985f2dbd56a853a288105b066873f67efd26005a23cde23c57

C:\Windows\SysWOW64\Ghdiokbq.exe

MD5 ae673c21d50d7aaf5aa546f1f2d53be6
SHA1 368891d219d8481df8c673abe4b991712fbc2521
SHA256 6b86cce3c6df5e771b215ed1365bf067fdb747cb884c7d1c9188efc1ff39edc7
SHA512 1fcc1bcfe39a7c699276490e79579d13009209de3001f98b11f7f3de8c07db36025a26b8af00c785fadf35a748d431f1e564e4682e80b972365a33887729d77c

C:\Windows\SysWOW64\Glpepj32.exe

MD5 a16d129f4fa6eb8c3638768c9be675fe
SHA1 367632babc6984cbddf5d66e34e81b5d5e13a01b
SHA256 cb9344371db5988cf150ea8bfef0e592df38a21dea9f02d061084b2c29eea143
SHA512 f3191c4a54a61bd31a04b7ddd4437578d59b8b03a1e464c356d13cdbdc38ad6d15381303ac3e2825731c9e4775901d04744f42a9b91cbe597040867c447f0482

C:\Windows\SysWOW64\Gonale32.exe

MD5 bb22ea772489f03096e0d0b8e5f60b59
SHA1 dc24f786fa7013d25fd85c2c20bf3de99594a8cd
SHA256 4cc62abb71e8d7ed44c033a547e09c91874e3124477870c37c152de055ba5968
SHA512 134219e1613552da39f77329227e3acefba4eeff5234323b7551453bbcbfb4f0b46fe6bf6ff711f91ca14834818e827be79a303be8f149b93fa53c05cd347c7f

C:\Windows\SysWOW64\Gamnhq32.exe

MD5 3837452940b40e76ef6a37bd3963a53b
SHA1 9a3b72aaea999d8e3763751d36a16617e84747d4
SHA256 b5aa2ed6dba2cf0bb75fff2fde0469d373d0723161fd1cfd0144111fbddac18d
SHA512 e92c5f058b0ffad29e5017e5b107267f2b8fa4803fdd253b89a91b1e05dabcef3161ec1c7c765d8f95445432186602529556ad56132cd4d06674ca55b708d581

C:\Windows\SysWOW64\Gehiioaj.exe

MD5 7b71c210279fec46ff6ddf6db36ab960
SHA1 87ff0f051c43b785e6214d62eecad26ea2e64bff
SHA256 273fb9e151c4fb2e294b00e6e8939d8da9367899b1ff1811c667df57ed53ccc6
SHA512 4c9bef8d791462735a73df8f150b473404d3a17fae54f5dd0ae7184f075fa75bcb170d2f2c645043daac0799ef1f523d58101413b624d27e0c970d7b3e954074

C:\Windows\SysWOW64\Ghgfekpn.exe

MD5 37c1c64153940e5cb4b948c3b00f8002
SHA1 4882e1a62e7ac3b3f7d1e2ea92febdf7d5c8691b
SHA256 822b041cd1d724985bede681176201f1f9492ca3d0aa6c23e4ddb640f77dfb59
SHA512 76f81a7e003dc435beaa977e423404fada937974f05e70efb8a574878a002d61555e4a3d4b835885e82df86c310fa6a98c1d71fc7b3ad1c59bb8b096e6910a37

C:\Windows\SysWOW64\Glbaei32.exe

MD5 ca0bdecf27194eba7fb7738145d92362
SHA1 e9c70699bef72c242e45c888e2d58eeb24930196
SHA256 3b411d4d4b11b46aa9f0b11e031833922e0c89bbf270a0976c338562365f3c30
SHA512 5758c711439f947f42001198485fc667285e2d36bafebdcdd4dd955b06b1a03e447ad6a37419ee6bb55cf02e73a53bcf42ea24c7b6db0faeef0eec4b65e75ec1

C:\Windows\SysWOW64\Gncnmane.exe

MD5 2a5807143c4d65e9d105baf1859d65cd
SHA1 94ecca0ae7577244af531c613c0f0b94d8182774
SHA256 ffbec3a6aee48f0d465476ff0dadc4d9c8a5a593e16b12cb14ad3daef6ca0136
SHA512 a783be129b8a2b1d405bc6b6f5e16b951f2c7eddee845ac5a99213c6e1a22e5f972df935201d38f28b53d7fa716fa466a2c1cb8eeaa02e92106e3cc3f8e59b02

C:\Windows\SysWOW64\Gaojnq32.exe

MD5 6dcacc462325865c7bd51c4cbec585fc
SHA1 f2c63f6c841f67df9088227427f8af40066ad04e
SHA256 d31767e6d92b1f3d798edbc68f8b5b4d03f58e44684f3bc6ef84e79a2732eb83
SHA512 678aed5dbf3181af423ef592eef893df7882b9a10d450161839bdbf84937c8ae25efe7d136fe333cd63273d7adfe27b37eec2a070133fee48a7a24ddce3cda3b

C:\Windows\SysWOW64\Gekfnoog.exe

MD5 c249c924f534adc9fb32d6fa982f2f9e
SHA1 c667b9cb53c8b56588079ef9a1433cc9fb672217
SHA256 541e42264106f862a9518014df8fd70a99d128d6347d96b774571de0fdfd3b5c
SHA512 5432cd3ed301564892b831d06e5734931712c7758c60ecdfbec4ffd9ae7b04393395436481f53a68cf3bf1773e3b99c08abdebcaa15b3987807e482c6b24e8d8

C:\Windows\SysWOW64\Gglbfg32.exe

MD5 d17846b5d28f3029e9d6087422409cd6
SHA1 eaec5e97ab03a59ff9b62f37ee511d2b6b24aac2
SHA256 a55e74152ddd6a05d36b7669431a73c067142b883195b196faf5a46f3b070bc2
SHA512 298e42552e81c6741bdd374c51a586ef1b63d275970c8119c109e149debd2650a969a60947ba4b0b47ee686882f19dce3dbd28158d59c02ca8919d452955b3f8

C:\Windows\SysWOW64\Gnfkba32.exe

MD5 f83fe183cbc1aaa570717641cf14e688
SHA1 9d2338f84afa996de705f8e6b8c71957648f38dd
SHA256 e6582c3d68dbb6120d4ea10997802c404b46bdd186814b0f8df69dc78b6a787c
SHA512 693e9f49eda48e11d5669ab89cc96e5c3b36dd653918cbc571b89c22f6a543b714a039979c357e545b3f627d3440a690a33bd6d8828ed16f206fbfeb7fffd37a

C:\Windows\SysWOW64\Gaagcpdl.exe

MD5 9b965587bbaf1ef70585535cc4e37db9
SHA1 672a469a5dee471dfaa891508d9f7e80452ab584
SHA256 e2546ef7b98af9edf9c3bfb87d32f846d897173240b5cb1aa45827c99fe1d278
SHA512 e409f70498f43a6788a66b22f3ce2011869f4232808f8ca9516c537f1831e8b46b38ba67648a28e94b5db2db2df8286c3ea267cde1b218b7d3b03e7f2b2aa39e

C:\Windows\SysWOW64\Hhkopj32.exe

MD5 4fb8bdd7de84639cb6cb8cc72f57cb3c
SHA1 6107403ce706dbdf0dd683572934cf727f795111
SHA256 7cea3f9d6566973d9461cfa79ea9c1c03297a1eee2adede0c7a5840a622e9085
SHA512 6e2174d8ddcb926a6603ae755fe7e00e148754712e12bbde9666ac165ac743c075846482d3aeec7f8447ab4fdb097762590758972360e82db7bcdbf1934b6fca

C:\Windows\SysWOW64\Hgnokgcc.exe

MD5 e84c5cdca6e70d8814773e506bb07c26
SHA1 5686d6c300245d4ae5c1d1fdad0059219c36a2c7
SHA256 e1ef27b5aa814bf556abc997b2e174878aaa58d207702a858f3501319c0f11f1
SHA512 4faebf7ae026ad7d19206bcbc1411bc51078a563bd96ccfa2a235784a4cabc3fd2786f0ad5d42e8b319d5a2bb3b61dd00382ac07470d29d4eac4fb4d18a81f4b

C:\Windows\SysWOW64\Hjmlhbbg.exe

MD5 9eb71098a24d8b18a4ccd8ecc83e2dff
SHA1 4b91193c9240df7c005a783619866c0e12933a59
SHA256 9d6fb96cb9e7bd4d9a1b412d7f91b0eb1d296fd171512de9cd9452b17e72383b
SHA512 751f90f523ccead3e5f0bd3a1c0dca378b7e80139fb14f526a4b5da6e1529bd560578936b4620753f4292bb5798deb67507d11158b4f6fdc737abf30e5d750e5

C:\Windows\SysWOW64\Hnhgha32.exe

MD5 2fda294c0f6d1b38d9bb516a253870ea
SHA1 9f4685b24eb266ea3c32aa8afdca52ba0b24ff61
SHA256 19924f14489f1c371015ed6a2fcdedcb6c9d64f62a42f6bedb3bfdb27ac423cd
SHA512 93b3eb5edd96cf7145a8e748bd02791bf1be925ff82c302c78ce34d4e8aa7ee2566996b27aa6e3bf0040d509c2919f6ae40e0ac7ff42d55500479afa5116adc9

C:\Windows\SysWOW64\Hadcipbi.exe

MD5 3c7f55822760b0622b9d3a4bc4885bf5
SHA1 5f54769bf3aefd8ff5e74b6033c9e4471e3bbe04
SHA256 38fa3d7a18000490260d21a531bcc3989d43c8d8194ffdb3f8fef59a67af7214
SHA512 61d6f0182dc4d28e7c8c00ba3d3612dc4e661ae3c5021556926cc9c7ec7c25a808ccf60614573d21d957d83de85e42c81ceef53084627ef883982b2eaa181a8c

C:\Windows\SysWOW64\Hdbpekam.exe

MD5 75f0c80db4296b23098383a2580d405d
SHA1 aad1cc46ce8ec0a4c0a11cce2b52fb6c6edb37e3
SHA256 e4b397579f5a2e03ff9a047e6dbb2a81869546b4c66985dbad1f238cd3921dd1
SHA512 e1da98e12929762b00770fb3aa129777fd5f5f18e3d069ee8af892e58d48814998603f1849c464a7c9f3168fed0531fc54a33eb5f723c48d9bbf77e8da6423b0

C:\Windows\SysWOW64\Hgqlafap.exe

MD5 d7bb1bc489d2745d55d32ffbd40339e4
SHA1 1f72d29831f41bedab50ae7c51b7a5f9f6cf265f
SHA256 ead31feccd3e2a01df373faab64f90343171a5226d87fe483abe19960470eb4f
SHA512 40d8f9d14742e550f413eb1d54798855231efa13b308b48b976d80f229706b280bb226c7625d449561cc14c9e857a420cc67c3998bdc1bd005f2c7abc4a452dd

C:\Windows\SysWOW64\Hklhae32.exe

MD5 c1ed9539a75a12dce7ade7d361f95aa5
SHA1 0835599bf95fdfb1306da34a00aa3fc9fc1f7638
SHA256 044920387f697839b0b6889255fd4d4f93a574be19576b7e1214add076bae5a1
SHA512 a2ff35769cdf3e32896f97661956c4a98f9ea402a8b52a73e31a3145efa8adce47ed633bccb353830ed38056961051082f93f2458a19227512f2bf4253a64845

C:\Windows\SysWOW64\Hmmdin32.exe

MD5 0f08b7498f2d0dea47a40fbddfc6c7c4
SHA1 97db228b27bba44013ab79c9e45a618e7ab130e0
SHA256 aedb020885628096f9b3e563fabca7344f832b85c91c378868e063315ca7c02c
SHA512 255c03f1aa90a7eac9b020d4ca6c5ac2682b06d1b0a77c3c751f66107ffeb17829ef7a20aaef7f429ab9cc0d08eafccf9fdc7f01ee461bca3a4618a2374b8f58

C:\Windows\SysWOW64\Hqiqjlga.exe

MD5 f5927e4bba92cc46ae5fff643ce5d2e8
SHA1 58a9a43709e22f2a4a0e32c917a960118215aab3
SHA256 7a48728859b59e812d23db5eb9100de4d1bb8f1cfceda4b9440500b6f5ddfe78
SHA512 02c33d88a13c00d96f0dc417547151753eff4718a6be12f5207a1b1954077b5be4401d18dec77211b3ed5c6cd452e199ba765778c616be21d2a80e6c2c0e464a

C:\Windows\SysWOW64\Hddmjk32.exe

MD5 2dca16755bbe9574f29bf73ba4635ca3
SHA1 f152120e50cd6323c406def0a6bae0af60cfa13e
SHA256 1739d1c1f3f69f7110dda113b50f4afcca359558482b205671310cb7eb6e2072
SHA512 f35bdd95ca02eaa06eab4d99f6261cdf4cd80cba089db76bf17c017bb6b7d2329274f055d66ed98ac5659a542e5fdc236ce5bcfb2fcb6a11a7f0ef55daa0e91b

C:\Windows\SysWOW64\Hgciff32.exe

MD5 4c4517e36c4da7f9b145492db7348f3e
SHA1 da4ab01d2ac4c99fc94b2e17ae4169e4a7db2141
SHA256 f2b61ba1e849b554b09793e6b1ee5a81aa3f5c0dfd8f9d6fb01fcc38220ac941
SHA512 a550cd8b7b8af22311e81284a8875a53902067919fa1e5387a0cf270dea06f5aaaf1d2dfad04a6ed1f2084745f6fe057d5b965cd05fed1204e7b90099741500d

C:\Windows\SysWOW64\Hjaeba32.exe

MD5 e8e1e69eac6d803c2758d94cc3ba178d
SHA1 ed6677975c3cc96260b910cf66939cab7351ffe4
SHA256 b7facd1fc3e3dbb534863c78be06486f021c3d9160e6912acb3f80d69fbd6c52
SHA512 290114b7208ddeefca73d5f72b1e0680a329baf261da9fa9bf5d2f1c44751d6e28c8366d3828bd98b2c8eb9c0c8b24e5091035a9007675a1442a7e9e5d0bb478

C:\Windows\SysWOW64\Hqkmplen.exe

MD5 d25a06fd34ad6aa1b7ba73cff74637a8
SHA1 5657ed21361f35f738f61ee1747e2694a49d2c07
SHA256 68f21d59d84adefdc6e730a6d0b685d9b342bebc5994f915fe61d81c220347f5
SHA512 a681293a7543f158dea386610e64fbde7522592e61f64d079043fe4525a6dca13b35e6957ccb03a453511430ca3a5754c637030ac5420880b391f7076d62a666

C:\Windows\SysWOW64\Hcjilgdb.exe

MD5 96171f38ec9ed90cbd83f9735a5bb353
SHA1 bbfbfc056a4adfa22cfdfaaabbcb7fcedc33abe1
SHA256 7da0cc972de600e7bc32ce7aa0fcea4a9333810df3bcdd25b94f9609e7d60d11
SHA512 45bcf2de64e84b4b3bcc3ed693a50a330e7c960a25074ebd19fe0e9c1068ac74c2db442892a0b6e38435f095a87851e043a27e0b10ef036f59fb8c32c6dfd11d

C:\Windows\SysWOW64\Hfhfhbce.exe

MD5 9a301f7649262c7cba718cc5148819ec
SHA1 53df70e6bd0267333e75148378ed6085becb97c6
SHA256 2a83d42cd6297e0581ed2fc251ec1ca8de1fdad6cb2db43568e9eeac23dd7933
SHA512 ada3e05a1281cb189fdfa9a16d6e39cbdee9e383d04941517d501c3e4a3d93766968ecdd00455834931d35c78843d51e7de85388052eafe13f9af43e8ebd8b05

C:\Windows\SysWOW64\Hjcaha32.exe

MD5 a75df1c47330b053666450e7445b59f0
SHA1 c3f2f22ea1b365dc7d44489cc16c198f4f5b9b05
SHA256 23023c710b29d61a768e2b46572d592fd06c90e9d65b74318e78a88d70b867a3
SHA512 006e424ba44eb2413f1784f72a3c6702b26bc846cfdf8e2633639cfcac661555b6684ca333b0d368e9e33fd73452501e6f3fdbb44758dd9b2e84e0f8bea6dec5

C:\Windows\SysWOW64\Hifbdnbi.exe

MD5 b10f1d0797b153d43a57b6f7a7264b6a
SHA1 c8cd49934479365eaeaf1355a74c30bde843637e
SHA256 0c17d025588b567c3188a0c2cddaf49816f97bf0c01d18fa5abb9f43cea86625
SHA512 773d17acb10ec633bceea7d233638d9e9b528ec1f6d2ebeb19a3d9c87c166adaf9df8c9c117626d5768cf966016767a5d128be0690e24354f4d1eb11005a027d

C:\Windows\SysWOW64\Hqnjek32.exe

MD5 40412da892510b5ecf4b1a35514592d7
SHA1 558aa678799c763afab1c10653f853815278bc90
SHA256 fd396cb77ad2b63b700c1dad2f632c9ed2f9eb74d336683ce51af8f1d02190ea
SHA512 a67d569ddcdba0be40ef922a186fa22ae3d0d6e238130bf2c1a6f6404c6096a10534106f597bba4cb36c5aec35ac03474e36fdd0fa70475719b45cb119741022

C:\Windows\SysWOW64\Hoqjqhjf.exe

MD5 cf0a2de8b84e717f88c9927f56b2f65e
SHA1 cc49eb249b8a083a085cf39be9de116156c3683d
SHA256 a06353848d5f57ad9623ad2c1ba7c90bfa9a4e3256ec3c00628d031c6b3534c8
SHA512 f25a8214cad2ed638f0af3b4ebf08f10a4288f1eb62aeaf71cafa730022dfc4ea6777a5ce9b779afb964a3de4cfbbad00edec1a41af4cb0c9f362fd2df56b15f

C:\Windows\SysWOW64\Hclfag32.exe

MD5 3f00f92ff70bdd2661edeb610a12e527
SHA1 4c65bc5b77d55966eb74e624b06c42d3aa3f4398
SHA256 a59e7defcde3399841c3027e53b5d30dc2e0306a4e1c6d8bae175e44859536d6
SHA512 ca53d3d530a5184a27eb731b7849dd1fbec01a844652754cb7d6fe3d929784b762ef5e0d0dde9545b0cf1ac7fe123ae3894e2f0db72bde34c3ec9e45677b72e8

C:\Windows\SysWOW64\Hfjbmb32.exe

MD5 9cf23b75b842a05abcd1b40741dd2a74
SHA1 a9fbeb09474db8413e6c57d0b531eab7a3e030ad
SHA256 ad9082fc8a5b2ca6fdb334d7a4a626e08ffc1054ba16c73962ccc3fb17218730
SHA512 11a16b294ee320c9b730cd0faf90f296977c50616c1d0601b984201cfa4cc745ce31670c867087b9099aed0b9830dfc98e9b54a0b48cc737b34384adce8f5441

C:\Windows\SysWOW64\Hiioin32.exe

MD5 85de793bb2db796bf13eab90a5d398af
SHA1 5c15a61513819c5a0b557375586c6ef305955559
SHA256 3a2d147427b4005eee8de8079310674530f6de0f56f819208e26c61ffd440e9c
SHA512 07375fc4764aba6785b8d3906190d6e46da41307f085d04d605aaeb60469aa5cd36ff7ce7ce9ea0b3155b977d5093c913729d812e219bcf704dedd943f95cf20

C:\Windows\SysWOW64\Ikgkei32.exe

MD5 8ccfa2c1ee050132b3d29cf9cb31fe54
SHA1 cd5386097a986ad3f90134c8abefa02e57f74ee5
SHA256 561ab44acbf6135390f62dee2cd8dab570a5787828cbcb30226e4338108c94ee
SHA512 e048143a9b6b2faa0d7bbe6244df6409b5b0235da394d60ad141e9598f60e7f84e8033a816a6b648b09021de219b0473a56d72e0abff3cde2e836b18f0b771f6

C:\Windows\SysWOW64\Iocgfhhc.exe

MD5 e49840757b268a3502583ef0244334b0
SHA1 1208916754b7edf3abdbb75dfcf2c5d1b2b94c76
SHA256 ab6254b594504f8d0a07f4f3aca54d0f4ff57cc865c8f8777fd2579e56fe096c
SHA512 eefcd78587c11b4deaab624a035703ea482b179369746bd83d9694ec1b4d832872af5278a217b6648c6065cd24c8b70d0615bcc8a343f0e152c182942949dae9

C:\Windows\SysWOW64\Icncgf32.exe

MD5 63853a1a41a89e1257f3bca90dc9c1e6
SHA1 31eaf35fa3d0c0aaaba7734d1d924080629fc54d
SHA256 906e85593b6dd705512b6fd94ec5b3d0162452288c71e23b79141bd9861825e7
SHA512 5cfcc0b8d5fd3245194aabf4de023a1d5d76a1645eb9d154f5bd8e2ff2afbb17b838cf46f173c00a5baaae2514d17feabe166ffa1ffe2fe9e3868f3b489933b0

C:\Windows\SysWOW64\Ifmocb32.exe

MD5 9c4d3f244bb68a602b83506c6c4f8d52
SHA1 33b4f69b7c788628eca82507cd0cb0d812f45f9d
SHA256 202bd4f13227cc9ee20cabba758633bfcd355685a83fbbfb5e5ba6d5a6c10693
SHA512 00e1d8b06aab278ea5c43be2317d11309e0efe59d979c103d8e0ec56dc6e14170fd0f6476270888733cc95048511131d7d5fae9cd6641d08494a672c913647a2

C:\Windows\SysWOW64\Iikkon32.exe

MD5 b98ab75feb4073188f3463d9dc6cf514
SHA1 7d712b0497e6e311b0eeb52aaafba94cc221c9a3
SHA256 51533cddc917037a35ad61daa8a121407c07f8f62f0cd65fc98461d5b936b11e
SHA512 98e4b88803a5d74ed153154994b39376d427532de4e4e59e943c2cee8eaf98dde79e39cb43555abf31730219ede9700c6a2c9d18b12ba24698bf4ddb3f9b5049

C:\Windows\SysWOW64\Imggplgm.exe

MD5 29765f82b8f6e0ed597fd3911ef37765
SHA1 8676e9360e8d02c249dcffe1f082d6e0df3abfa8
SHA256 b168238612e8dd333e5a0df9be959ce7e2db30df0bc53a5a1c8f500588596bed
SHA512 24ba60af66ec2383fa8dc05c327b17af09a9756201d41a0b0ed370923b0b981b7df648a7ad93e585c2fe86ac03e9a243b07be0279eefea3142a9a0b9b8f1a0a1

C:\Windows\SysWOW64\Ioeclg32.exe

MD5 9b94461fd4c3d39192f463e1909646c2
SHA1 a303f23c651aec955316959f3d7a8857163e7f20
SHA256 14b221a5c2cc48672ece23d853dd7cea8f8c5f6e18a8eb367a5546c9fe753d99
SHA512 a75dbac5833f9dfe647899f45f24e6351e6f8225c1bf8d6ba89bc984943439138a1996804b92926d3f1a2b703bff0008bfb3f72d857ae8757dfb3f55ddec8fae

C:\Windows\SysWOW64\Ibcphc32.exe

MD5 f2e5e6059b4d9a3aa01fb7ac94a0353a
SHA1 1304bdc43da5df7a84c8f124325868473349826b
SHA256 aa249c25d981a1f852b2ae123944b8b1e3b1d6adf8d73e3add7ea5a6b57f6837
SHA512 2da42e8a2e2a4272d7b19603be95885ef40b6f756a5b7af732e0a0b9765c3acbe2abf6a41bb1c972864830435aa291cb0a8685b5170d67510763dfa00c2a2250

C:\Windows\SysWOW64\Ifolhann.exe

MD5 2f2780036f86b612d67050bd008a9644
SHA1 bc68e54ef3166fd9fe0e7bd8ac470e34bca5dc1f
SHA256 8b108c151ab1e98a8ee569c1f74123f963c272daf6f9dc4308266a7c0537f379
SHA512 ca2f888a64dcad39d237bb57a1d684a0a52475e22795f83197ec75b7e74f23c69678dfd5ba0abb6dd10d9a53e7ae6a11a62398883e37e3019bbb39898292c52c

C:\Windows\SysWOW64\Iebldo32.exe

MD5 220346a877431e4c57cd74d44ab0ec7d
SHA1 f07fcc82762744146bacbc914ce27988db35e2b8
SHA256 424918774db06de323f09d44c9d1b4f8d96928a2edb1bb6d580c4128b1dd1baa
SHA512 454579db8121ae11077f51f7f7246026b50e335684c2389f1bfd573f14aa0596d60503723af00671b9a4db2a5b0672b17112e6d697dd79a1f7fde54f7837755c

C:\Windows\SysWOW64\Ikldqile.exe

MD5 103dc554154a81fc4474f113b5173e2e
SHA1 fe66ffecd5b73256c87236af62a793252d96099f
SHA256 1d5962bbb756dd4cf791c75d81c7b895f61696ad8cc780354dcdf3d3cafb3eae
SHA512 e7ebfe1beab224c494b596d6f641c32cbf322abb093cbe2d0d2452e021bb4213f52d7db96c73527df01e02d5cda9ee98c5c8b7d4b03d1a10136a6b8231806b1b

C:\Windows\SysWOW64\Ibfmmb32.exe

MD5 f264433e9358c675b4462624742f6b73
SHA1 7854a1ef9a56b55f3830852045d8c061951189e4
SHA256 45a94f668e3c5a262726b56513470b7124e3361f98045a4b1eb91f71fdfea40d
SHA512 6d20e7175284d983a175697a038f2e00399b05a3f255c3970d377a4ff6c95682e71bc1d796bba186045ebb9bbd79ad567e9ab0bbdc53293f5aa3c146f589cb83

C:\Windows\SysWOW64\Iediin32.exe

MD5 b0e7d719fc3d8159137e8780f6ef6851
SHA1 7abfad69daf1be02a52fd373e5a52c7a20aecd73
SHA256 6c97670ad6ed57cfadf705d6826679a63fb98f6680147768d67c65f64cf9a5ed
SHA512 afe89acf41586a097d9ebe03a5aeea379fb21af7523c7c5ebe1a6b5440e99ffa7f93eb7b459dd935b06e9a6566d743c31f58018a68ffce73cc38fd2adb68a015

C:\Windows\SysWOW64\Iipejmko.exe

MD5 ab712a6ac0b090d4bed1a15d7bcb4546
SHA1 754a443088a8ebbfacf62eeb01c7579648394554
SHA256 7623dfb8e5b7dc69753569f39bb1eaca4aaa97dbc58ef67dcd2ff974e6238058
SHA512 f2c75c58f4f1971bd6cd8018e2b34aa4f1215e7cd213f09301d0247880b772c21d5ffbce8c63272bc26b4d012d03e36ff545adf7db71a70360a286f4b6ff5528

C:\Windows\SysWOW64\Igceej32.exe

MD5 6a1b574249dd65d210ca73776d68c038
SHA1 785db1073afe0dee5eceac0d4873b29cab79deb6
SHA256 35f405895cf1e54c6279ff67227c666bdfff2a3a15c95c8ca518e61ae27e3d40
SHA512 21b0d964847e7bd3b9a9c3482c68a1cc91f03727a7cae760b2fb7308d839675b494599fa48deef73e9ee8190d2f44375d9c4a09667561183f9df492ae7c62904

C:\Windows\SysWOW64\Ijaaae32.exe

MD5 68f271a403118e99a1d53286196b7f53
SHA1 45d8f04746f4afc118ad09459fe245749c873572
SHA256 a03caea1d8f04cfc78f488376c59a152bcd049e54d73b782d449c3607083dba4
SHA512 9dc99a5702a7dead86abdd553938f39560f6ef21c209779955718fd1dffb2582b0561d54d48e95d23400d65398ab33e816ab4ed90368b94ef0480e6f08604828

C:\Windows\SysWOW64\Inmmbc32.exe

MD5 487b28c8628bc3745fab88e618071e92
SHA1 60517a4807812e8cf68747cea6a842c5092c3a06
SHA256 545d30c09b00ab1bc8ef94decf4294ca5db641404dd58d3304c17ac25b33a157
SHA512 346b046d94dcf68eaeb96b2ef61a5aac47ef6ddc3c258e50d3b79348f5ea311ccd62dbfa7608914ea62d956b5a09a60d6354379fd26ae20572578c0c7ace31a0

C:\Windows\SysWOW64\Iakino32.exe

MD5 6259d7d070fbcee90d01a7d08418e334
SHA1 7c47eae9e83abc54a236288b74e93d63a565db21
SHA256 0cb4cea1d3d3a44ddd59ebf379a92f6eb04aaa33c8c0de06818e73d84d1e93a4
SHA512 d6ffc26bc6946c1e2f61e9df43cecc69b5b406549d27480191203e45d363c2b0b3cb06d6a3729ee25d71b5a783fc0da303f4a63d89b63ddcbd86cb5083a9f5a3

C:\Windows\SysWOW64\Icifjk32.exe

MD5 0f9c1daeb944edb2f4dcd16708245b96
SHA1 f3b4043d455dd29257b2304f67ef0f8adb0925e1
SHA256 ad24c6a57f4ad41bf798bb31dbfcd2936d6612b57f34b444720ae6ee052a3199
SHA512 b67154eb7fcf57d7fb80f086dcfd11d3bbced8effbba965963bd9efa4008022e388af08e3e30f011c3fc36e2eb1ba1a88ef6888c8929300fef4e47ddd3fddc5f

C:\Windows\SysWOW64\Igebkiof.exe

MD5 b0763c1364f95bcf39e2b3a8058afb1f
SHA1 59ecfaf727bd39b230ad31227f6a910225019024
SHA256 74f18e4627531c928fd3faf710e2aff065383ae8da5b20a5feddd7ba6b0bfafb
SHA512 5bedfd5599592ebeec986a292a510661ad2db185b71a97fb73382905b7623009ddb2aa681df47173e4f6ab4ca68f67695e3eb1e06ca3c607d7c61e8e48fc403c

C:\Windows\SysWOW64\Ijcngenj.exe

MD5 8dd6b10cf3486c06e837c51d9d8a6c81
SHA1 8f274b7e3469129a2bd520cb3c2aba4a8e1f5091
SHA256 6b0d907bbd557653647b523a7e70a994bd36a3f216a77433fd3b64e207c67c1a
SHA512 8bc8a1de13b15e6caaaf5875c53ca3033257ee2523acf8af87663941611955b93b88a305ce3cd76c992fc2f3fc2ed21389473894e31c9a9ea27f672d56e952ce

C:\Windows\SysWOW64\Inojhc32.exe

MD5 eced77a5e4bd5cb16e46b84345b7846a
SHA1 f6ae6d5115c4289dcc7f37597a1a947c29904b4e
SHA256 7967371da9cb2d879f6c866457fc444d4552dc2de5e6d971af4bb5ac33d3a0ba
SHA512 b6ae62c25bc26324ff74c5e27179185d0dd516dd6553139f81cc6dc11f4cf008220bc62fe976852cb0bf64869570693db426613593c3278fb83959f886b5b12b

C:\Windows\SysWOW64\Iamfdo32.exe

MD5 27643546caeeead82c7d98a0f6541554
SHA1 6585cd2e8bc744ecd4ce6f2b04b90b49819d4d2d
SHA256 dab43b58070d15fd4c4dc5f63843d27edb5e141cc2658314f5164ba56540c218
SHA512 1494479619465239d4a459b1899c88a7c51658d539ddbfcc92b4f076188fe23fd66da2fbf7a71b9a9a3bff2c0ca1f83e57c15f05e0e3001b9137d5df723969b2

C:\Windows\SysWOW64\Iclbpj32.exe

MD5 b7d67c33273f68dee20defc0cdab5827
SHA1 0374b75c9b8052dc416ad5eece986abea58fdd43
SHA256 6558fb1ce46b20b324c1a183491ce3c1347fbf6bf7314cfb96c4770bfe7a81e1
SHA512 382f61b26a62f0c8f287af5b58c5e78026f87e4e7e3152e2e402df38589d12bd86d64505c29a111d20bf85199bb2332422aec37cd8a36aa155a23f9e1fd0789b

C:\Windows\SysWOW64\Jjfkmdlg.exe

MD5 c3f6c6da07c060550575b7b3cf171bd6
SHA1 75b441e35228f26beb7773601f98588a3c7651ff
SHA256 30bde09bc9a03890472ec8e2b46d3be345bc4b51fa3fa1a95b06ec9f9fe2c8c2
SHA512 2eaafeaec2970726133dd06cb2abbbfc9ce67a152d81ad39c9060692fabb0435ab9ba683b680dde209b02ef243a7e951e3e5d63905551ef5e9773958a3fa3b4c

C:\Windows\SysWOW64\Jmdgipkk.exe

MD5 ec20ab8a366a5eefdc34f32f5da44006
SHA1 37549c43b145552866c6c17e764a04e60b0491ce
SHA256 ab7d12337255f54b6835e5277059d0ea16222ae4af84efedf43dccdaa8093c33
SHA512 594a7a8318a3d5d1b13fcc7fe3ace5fe83f9338f86bd19ea439914d06810804ca3010e511d5df57ee2099d68910af2eb5acbebbc987a347c1f3ae77370cba9f3

C:\Windows\SysWOW64\Jcnoejch.exe

MD5 e37cc858a1f939c46116018b416ff18e
SHA1 c384c77c4124d49d1d1194d3ac021b2ad85fb659
SHA256 d15fcd7626db4d6bdb394d6137eee47cd58351d4459757d7cb848f0d89ae76f5
SHA512 37a08c8672285a00ce7d60bcad817d60f4ef355b2915c2132ccf4f1046091c078c39e92b24c04277f6fb6686eb7aaeeaf1e14ed7bcf657580654b0997420e5b1

C:\Windows\SysWOW64\Jmfcop32.exe

MD5 3f3a1be05e9c84d395972cb215f9be60
SHA1 602cc7b8746f96cc023e69fad3cd2619826d353e
SHA256 0535513130f19c1023e850d4a354a7309d157c6dc212b900dc504786ce76b88f
SHA512 1e985ee8e587b89bc64c5527952dc848db414c7ce7ac96fa2e0b429d16ee21f2ad7770a0393382955835b89c0ebc5f2e9930952147bdd8c45f7c577a9b1f0059

C:\Windows\SysWOW64\Jabponba.exe

MD5 3e86f81ee16eca160186d8c1915b2287
SHA1 256c7e28ee7eb904e958e177033bff825ced6ddd
SHA256 dc90ed0ee2e8ed0efbadd88d96cf9f905e66610aaf34e641d5b848639a3802d8
SHA512 cbd8977b5631c2b4daa9d347d00cddd18358d3737458410caf08d4730f83bebfd21d12917875c04fc1cf00f58907cc7e08bc4423766dff11bff3841c66ad8be2

C:\Windows\SysWOW64\Jcqlkjae.exe

MD5 080d8ce3f11b8f86c33a57c6d4e8c811
SHA1 ead08eb581ce28ee44a115088cae0c08c7f41601
SHA256 44f79e102ff153e5d418ab35a5f1edacb10fdb15ff395c36a03cdb73dbb4fe33
SHA512 47664ad29ac422b6984a548395a909c33beb1eaf40d07bc0ea887ee82241efb3febab3a45a53cd4980a2e922837acff820d6503897664692402ec68f8b7fec77

C:\Windows\SysWOW64\Jbclgf32.exe

MD5 813f2e541d15d058c9130a7b6e906edb
SHA1 cd1647c71652e090d2f812a6391e259bba9de077
SHA256 564e421b575b74f7b6083962370093a766879a68ec8fc0036ed10f5ac0160f13
SHA512 9e809a7dfb1feb4b2071d596b84790639b98dc06cd879c8ec026f1a6270db7fd00d845b5e39a2eb578e2854f1ee4a38cc19df21f8910b6225f788bed3e5979d9

C:\Windows\SysWOW64\Jjjdhc32.exe

MD5 2b89ea8844e716303068610f27588ace
SHA1 f5bbbfae409c13658acd5f27570ec57715b09d7e
SHA256 9d172c102ec042327dda9879672798713d16a4b70f7d4173ab8f3247458b5a35
SHA512 2bce8c368846f573f21aa853bacae83d08dd9f98a5504163209beff1635e0d4a576c63824fb1ac88d523ebae53a378e08977965e08ba49e3190a29789b2b2ce3

C:\Windows\SysWOW64\Jimdcqom.exe

MD5 6290969a3118d07c53ee273d1c23a567
SHA1 bbe17ecf58672e5feef1444d9f66ab80cd3db91d
SHA256 ad3ea2db7d896171e92da46a0d104d41b2c4221f22cc905397e36bdbc7398487
SHA512 741040cdafa90bdf12b91c8980c956bcac3db1c8999ba731494c7effbc12d568069f9e327e26a3a29a6edb246dcb0b810957892e21c2141880135dbfbc10bbb7

C:\Windows\SysWOW64\Jllqplnp.exe

MD5 ee06c142fe4b800c2c43ea30cf695e0a
SHA1 994ee5800a80e03050e1321a280b27ea6a9c35e2
SHA256 8650476f4236a31b03692008bcef5676a3f809d7c436034fe3e4e338fca1b13e
SHA512 a1d427d764a3554bf2305ef260659652d0dfc595adf8c288e85c6df8ac3c634fd20ee2d2620df24bdb6c0969125f64a943d8b48dfafd946f916f300788abb047

C:\Windows\SysWOW64\Jpgmpk32.exe

MD5 286d3e6135cd1d51b7d717661e75f313
SHA1 abb4ea13d1e55905b52c8173248bce2ab0fc8417
SHA256 d499fbda48818449c3ba27c47e28f1f8e692e3319e66d9f977e577ecf86c619a
SHA512 fa348516a862d2de65b44fdf0745aa2b4b005d103d92d7541a25f4d73d5a0dc49d92ae68c919c618d657305f924ac2a44fecc2488ae7032d1d0f384a01fe9b64

C:\Windows\SysWOW64\Jcciqi32.exe

MD5 6363f7827a10c5dcada1b308cd7b1b65
SHA1 1a0ed01964f5be3052342e8edb76d1037d9d8197
SHA256 e55f91c6da88fe8fcf89d4039acba5d59718aece919de87186610ee3591f83ae
SHA512 b48641c4ff9176f1e16b383dc54c80ecbe215f729b0568ca17c636c2931b35c1e21bad297ba091129adc17752998961336be60be69de671efd6b5e0eeb1e0506

C:\Windows\SysWOW64\Jfaeme32.exe

MD5 0c2ed306e4555107fe6073d831200bde
SHA1 60434e1856d0e0b4761b0db99a073f97247f100c
SHA256 df11757d6e8b1c262c7b07aa751292e3869282ed1feacb98125c666451af215b
SHA512 feee74af1f415c5dbfac54767445049acc8949f08e93b55de80efc508754d7ad83d61950a4d1b5bf6635064f12564b04254f27c07badce0a09519819490f4352

C:\Windows\SysWOW64\Jmkmjoec.exe

MD5 1c69db1fde6714c428faeb2f6a90665e
SHA1 594f37fabfcabec0e70b34d1c8ec2060254f01c0
SHA256 dfd9c4487f1881d0120a582676cb2062bb319c0bde64b24f30635494c2eaa185
SHA512 1aed9dda82fb9b373c58d1d721cba3f8e0cbdafa2a9f05e9c7f3a3a3a4a38e0392989380007184d68eb641ce392a622ff5c0db988eb05dfdc4de9b584de4bb4a

C:\Windows\SysWOW64\Jlnmel32.exe

MD5 f3868718fc8f50a5df871c6ea34760ce
SHA1 fcd1244cfcf253961c83a462af8c0257c5bed6ac
SHA256 b43751883446837a9453302424ccc0dbee1c8463f6e74f7909c12f747e8d0f88
SHA512 0e3fdfbd142237eacb9d94679f661700fd43f21ae7767fe84b8cea49408dcd07c8d9c41e02aca02427c082581169db66ff28cb928d117c29d908480fe8bebf75

C:\Windows\SysWOW64\Jnmiag32.exe

MD5 f9e6673d4affe6aa2600abcd146d3706
SHA1 e6bdb4ec8ea36df0ea592cfa65ef3d58f520fff6
SHA256 22eaf6cedfb18f131af689979b04c29fd351e8bfbe844fcded22451a4edd3fcd
SHA512 fafbb78617631f1ff289420f4a915f9eb647dc99eeef51b7bc68713bdd54de45a976cd51a3719a63f63eb979006a9765ccfce599047637a68229c2790825428e

C:\Windows\SysWOW64\Jbhebfck.exe

MD5 5af79d6860bff97b9fb9a011d03b0638
SHA1 df94ecb573574b8e63b81594f69844252ff9ef9e
SHA256 b09fd1dff4eb43d4c225b4c535fb00257780e444ca7f68d2b501f20e233582e1
SHA512 cb0d4f5018ad912308fa571da0d1bfb71cc1bb0bbbae5693afb02c944c8f96e2b41db4c58fa6bbd5e5b920886178ad6edf486377bb8c5a7124e4805378f0b675

C:\Windows\SysWOW64\Jefbnacn.exe

MD5 25c34c9ae52b691a7ea10952ec94100c
SHA1 12095de36a4f634fb60a91748a49d1c8ff0803ca
SHA256 3114d58771754522520b28aa84ffaee043f6c79eb12e1e28f0faa00593656ae4
SHA512 d10231d7a9b28de3c1dfd03681a7bdcadf62a0b52fcec3f2202c4794d975d67ebe8699f9c9b6a1886abae6b93bc19abeecb6e824b2983b855a6e0bcb135ab05f

C:\Windows\SysWOW64\Jibnop32.exe

MD5 4533e8e8708ec1f97485cfc625103f9c
SHA1 23b273682bce0421de0b794b2364df4956ab44d8
SHA256 3994b4976f0e7dc29d81315603538ec0d0d69bfbdb700250c1afc8e6fa582921
SHA512 2b6a82289d56d0333dbc4ab19df3884ce1cd028a1e360999f07113569aeae6e55ff7c6f9ac5e8890cea421dd199212a18c485dcaae8c95ac48d47aed0cbe38e7

C:\Windows\SysWOW64\Jlqjkk32.exe

MD5 6d4605e9118a2ae6af180183b609240b
SHA1 ba831d2e35db96dd2d7f217392b619540c0cb184
SHA256 40fd618d0cbbe36c61a67c4fc53a0b593ed9ab675e0e2e0e620d70746e681be5
SHA512 608717baee1e249890d4f9851906ab7482c18dc7043dbf009797e9eb7a97d1883e94998b5732e89c7a7e2466ff5b57eb16b0ad1e580d227f6fc7b6eb31bd17c0

C:\Windows\SysWOW64\Jplfkjbd.exe

MD5 773b4cac7f3d6fc226021e9661e4755c
SHA1 6143f2806374c706ab1b4a19d40e1a091772d760
SHA256 011e1eae504659e173540d257d1e42633155975b787f61c9905988cd7266acce
SHA512 7238fb54d6a5f73381449e634d0e96551a050b68a60e825f720962bff7b169b69481fcc091fdf9241b2bd26fe8c981854b7cd25951cf64c3eec43a55b578217c

C:\Windows\SysWOW64\Kbjbge32.exe

MD5 af812545d181dc8d4c138623a069ff2d
SHA1 13bd3aef2745c38460d99bcca235ded6bfe5e6f9
SHA256 51c01bc59e722e849ec50938d907a6cc2af02f6ae7dee2045b22cdcb10405209
SHA512 4d278db32e9baf457d835f3774b88b5a39ca9f377f518522b45b9511d3551285b5773e5b7df2a252e840c348183123c7c373b986e1b516d9ccd9ec6388ba3963

C:\Windows\SysWOW64\Keioca32.exe

MD5 219f7c6c082906eead98e3795e1346cf
SHA1 396ae9b822ed60638a7f5ac17ba8c59ae9f4904c
SHA256 c62331890f913d89104f5ed4f12cbbd72bb2cb5cc7f4fd10893d5e59865f7099
SHA512 62e7a5315b29d29de03f3251b9c04f98d8b1f820044c8e462f78b565a619ff132fa0ee2e777562bfa50f93dfa8f2e8d9a9da4d21b09079217ac91a382254e8de

C:\Windows\SysWOW64\Kidjdpie.exe

MD5 631b2eefc2795f55d8055582c23c2485
SHA1 0115e31c5220ab67e0b5cb13954118dbf0d10290
SHA256 4084634f739bc5e9646fbf6b259689ed4001a73d6610776361ad4983cbe09970
SHA512 8fafb74e08e129da77c185d8e03a6cc3e759bf65f20a175856e69d261219647ed496a0365da0e2eb0ad95112be4fddac2c1780c480ed93948af905388cb0cead

C:\Windows\SysWOW64\Klcgpkhh.exe

MD5 0b2a07ff8419d31010440738bae37826
SHA1 d7e27448d41b70781401087e9a1cecec953844f8
SHA256 c6a68c323896399806114fa5bdaea8333d116129805ad71d8023d853a078b092
SHA512 d42ece300a3ee783d52aa6d47e0b915c66fec6278aefd9577b9bdf4b7fb6cf8e5befffbed33378291bfc96fbc8ef3f61a349304644e5ba4cb311e6471fccaac4

C:\Windows\SysWOW64\Kjeglh32.exe

MD5 28e01c968c448e28f4f4aa8802ba79b0
SHA1 e66504a3cf978dee222eb070aaec0cbe44427ac5
SHA256 66d702103590000f973f21b8a14698d3e8c32498be251dadcc388eef18fa360d
SHA512 e917a88be80df0a438f8d5d92a5808498b2e1399591d367b34d1cb7b76166cd4463885768471dfc3d60bc375ef80c263b22944ab4ec40dd320654f44387d98f7

C:\Windows\SysWOW64\Kbmome32.exe

MD5 8d4068068e141af2c5fb461403efcdf5
SHA1 2f807ba81b479ab0b98e9a0d32cadd2899f7530a
SHA256 6e6e5a75082826859c941042441c53b037e05c17ccefc6fb563309c7a18d4639
SHA512 720863038b77eb81bbb1ef3b87b13645cfae5274fea0a343d129f4a4975fd4f86307591c081030c007f98650adbcd402656e8d75a75fb16e806addeb95443f23

C:\Windows\SysWOW64\Kekkiq32.exe

MD5 15d9d61435d7782cf6a041f9fb45c3f4
SHA1 6c8c76502b520ca8979820b87ba4cd2d800cf834
SHA256 a1e5d610c39a3fb75c23b1c10f1e68f216091c9eece1934ddf9bf740e5df8640
SHA512 1fad4547cd60d9ed18f5cdd48286dc76116f3a0741cf8bb890f1b56605bb9af86bf29f79b3dd0c3a50fa003db51377a2648373d85c77367b028612d4f458882c

C:\Windows\SysWOW64\Khjgel32.exe

MD5 f1cfb48c6cf6cee72ac545b2b5aa0cef
SHA1 067beadb29e1cfa4e88ea59e1fb3c4af88176b37
SHA256 211e62b506ae36999458d4cf2934cfb18ff379f3108f72681252cb2c4d1db46d
SHA512 9a97ce6cbc2546cbf4f4a0b7d30e7e5e4b2d76da88a199247f254b3b5f7ecca26936be43b81b32c4ce2122d324f4ac92452058aab2782a46837573ee03e9685b

C:\Windows\SysWOW64\Klecfkff.exe

MD5 701d26b00e7e818978c0b8703f5a132e
SHA1 2fce04385824d693e0e8332fef02f8f07300dd77
SHA256 0653dc114ece34a041b87cb0b0609aac764080f85648e4e1c96a0ccbba650a9f
SHA512 70a9bfaeeb6cd11a41940d869704ade0422348d8fb2cc65821d675aea40d82299384c7c1f9609295d00cf551a440dc790514e6b2a1f134805d93037160e58628

C:\Windows\SysWOW64\Kjhcag32.exe

MD5 3039e8d735cede7cae963a3d02c699cf
SHA1 716c785c5e87b513301dfe134c332a2f8a85b829
SHA256 dcc8f220f7603bd6f801e1713741e3b90720f2ff5439762ba3f950df80663b75
SHA512 de28b11a32b81310842bd45f6b15b209e8a8aea758780a69f8791c99c686f351072d07b184e01e980bae11ae9ce0dc6ba56311f47ba44eb8760a7c336267580c

C:\Windows\SysWOW64\Kmfpmc32.exe

MD5 74d14ddd56f95723d989b9f8cccae639
SHA1 35252bb85bb5085d350d8c3d53e55292e97a4188
SHA256 fd654a3624e7a5f7df5544f8b9146b7d226459086b96fe37660438da38c2c836
SHA512 3ec5bf955dc11cbdeec12f2af66aef1a9a273ef47042e667689ad8061807aea6c746a6f3a154b3ad19549b2a9f2e8d3e44b792ec768e420bf223fad2679d4495

C:\Windows\SysWOW64\Kenhopmf.exe

MD5 b394faaf88db4c60115011fe5d81d75c
SHA1 353c3f335fda0f61352f3ee6ee999cb1860fd259
SHA256 3ba5bcfcac566c280bdb5c4a1975edfa99a7822f9b353438a143a6af8ee8348b
SHA512 d631368221eab178565156d49f151d10511811c9093ca3cc884bdcc89e34b8591dbd4cb307dc4b2d834c8b3a6430c116f775f89606451678025ed7844f718c8d

C:\Windows\SysWOW64\Khldkllj.exe

MD5 a9068ddc3634520937694eccf70153c8
SHA1 d0ed57a5d487e76afaee5e5932bb873bf1a61d19
SHA256 3a20ed4793ac3f1153c1a5910e9d63a80a6ce700240477e83ecc76c607f4ce7d
SHA512 c877dbbd118713f80091eeaec875304fee0ea4a0dd60adb2b3d8b34eae8e557b80fe019d37e83580005421266669d05bbf20f14a0c880abc6691286c81c826f0

C:\Windows\SysWOW64\Kkjpggkn.exe

MD5 79689a9e75009223b25594976ea0b567
SHA1 eae4e83d647f982e3164e49002d92b9a814b4f8f
SHA256 2754b33005ef6fbf2b69c66dfe79bb1d91d055b1b452aeaa7fbd3271785b6484
SHA512 e50fd26f058d88c5a5874dcc095a7919347346f0f60c034dda445dc7c416effcf539b68bf0d4ca22969471bd1da5db18469346bcac51298d2165e716ddf0982b

C:\Windows\SysWOW64\Kmimcbja.exe

MD5 d0f65e422ee2544c42a7c06f1099afc1
SHA1 b8a3b219aa7cae4db96bafab5fcb229895b07349
SHA256 1b27b31b1a5a8ebe91d50c36dfc92e16b7500e5295783652404f2606798b484b
SHA512 44cbd5fb2b6f69620a81daa91233a9c6b7858aaba9999ee12e9553807579874860e1734e4f80fcb9a3ea235cd1e19960950c3079b921bf87d23ac0984fcae870

C:\Windows\SysWOW64\Kadica32.exe

MD5 247131ce76a36e88dd32179828297ef4
SHA1 ddbca449df43275e135db31e93f7dafca58e8ec1
SHA256 b7080f2c75f8e5f253678992ab1d182267e7ef132be0bf8ba2ebe3259cf57bd0
SHA512 d3187c33fa4cf315949a31b650f8c394de5badcf4553a153b66d58b285ba6a95a991ba16b531c2305ac550dab966f7569989385014cf2d84981c4fcc0866bd30

C:\Windows\SysWOW64\Kpgionie.exe

MD5 d663ad7982f8c6c102d730fb6b200ebd
SHA1 02248a8d98055e9f99e83290d75902fa5bceccd5
SHA256 ea04b6e0570af02a03bfdd3c079d6350a8eb54600d243bb394bf03032b0ad6e3
SHA512 0f526e491a066832712394ef6f96a810912f1266dcce6f6b6f892fd1adc33343e09a3dd29cb6177e791fe600e755d58d41c19cc02b4c94faedc319a7f3132e65

C:\Windows\SysWOW64\Khnapkjg.exe

MD5 ef9fb3846f56d4c348efa48f4b5b31bc
SHA1 440ced6b623ef987112cf7ddcfe90dd5b2196237
SHA256 27d2481bbac40746f6093cb57c712230f997364226e4cb0c4822f48c80faf2f7
SHA512 337bbc07f84e8240bf061af9e31c6182bff93ee5c1933e87ac9febdcaa731fbeefecb94039f7abb8651e837cf574f0bf01c4134135e8a61bccebe9203f3a5d04

C:\Windows\SysWOW64\Kfaalh32.exe

MD5 1a2d7551aee296329da51ab3eece950e
SHA1 212f93977f535dd0dfe9c6e895649b2e35392ca6
SHA256 bfa31c222882f8e8eb90025ec4cd139096e6b3772cd7277fdf30d7f7366191df
SHA512 56e142d927977cd9782db16c9f19085b323a8fe6a90e405b02bec08e2bdc7f5309a526ee90f1dff097827d7d7af5c55e223c00a9d9dbb96f166660eb9819f95b

C:\Windows\SysWOW64\Kipmhc32.exe

MD5 318b26329ec8b73c0d4475b490795c0a
SHA1 0c9362cc7ecf58411820532cc783912293988a43
SHA256 9039c95ebd2160ba325808085e98633120348f09c7b2a616498ca4c4e1a72001
SHA512 caa199e8416ecc9fc9c58a7d6043423060482d0989a6bbf336beba049a8fb034912c8aad69b2337318f11095933a1e8d42218a03cabcb98864e48fded964be14

C:\Windows\SysWOW64\Kageia32.exe

MD5 1854862e1412f81dde5ad0bf82f97634
SHA1 a1a2595479eb526a8f31db7359a473e526fa411b
SHA256 0deabf45b1d42e23a2c161690f0743ebddd654a78ddb4d11de154e55dd3b66de
SHA512 fbd13daa70fdfd9bc1fe3e4b186011c9ee288c8df64f13440d0d73022d4e0700b4f41ca0196154fc834371c3bf97f57987301259becbb58fd65e4fce043b3505

C:\Windows\SysWOW64\Kdeaelok.exe

MD5 ddc4ed1d60de5b203ee16f07773315f6
SHA1 361fca864ff4756d9ebb64af15c29327c30a20bd
SHA256 25589d6780346e12e3f6f15aeb54187a23a61afed49b4a5446042a3ac1e8e67c
SHA512 0f445d4da97f0fa51e1f781830f3b8113715f5ddcf01b0ef6a1f865d7e5e54c1b9ca85984cec234c1b2d4cd517e7037200401bf2b78e0ded86a280f414c27b74

C:\Windows\SysWOW64\Kgcnahoo.exe

MD5 a0aedd426084aa9737b8a05d5ff35353
SHA1 60ba9f8320c0bcda00e6852bc89459f01a3832d9
SHA256 d1eee222172a1601f496e1cd28dcb13451a013089f38981aaedf085810900a08
SHA512 8b13be7b58d329036d8f7c92e901118cca9b82d3d8a3a8d489f6980a4cdb6e6a8891096ce11b85785d59b25432f28727d57319f82e82342e53be7d3b0e9ed282

C:\Windows\SysWOW64\Kkojbf32.exe

MD5 526b958051c3c76e395db1316a1b5b2a
SHA1 1ef9b3cd920bf23f4869650e1007c6e1fb9247e2
SHA256 d6c7a0502117dcf45a57b00060f2367cc613f76da65c198222ab0d8270a8fb8a
SHA512 d5f6a3918af096dfd36a8337e64c3a8ef8db3cea0539082cb1cde57a3dce41a43dfb85b44ff57397d1ac996f42f832d05a6edfd2a139789217434ad254a42907

C:\Windows\SysWOW64\Lmmfnb32.exe

MD5 53aa20501612cc18b735edf893f9a86c
SHA1 1927f95576f5bce421642c0220457eae1a6cf8b8
SHA256 f0f380324f4893a1cdeffb62abf70c618ec4f654ca179fe0fe53120a063b6511
SHA512 4928a62846272438ff7dd5b86b357ebc4894639e4cc12df4e5768aa63bd51d7a02e125c74257ecf52c2f00567aed8b1f194f4cc4ba8b9d3d4f51f50729c43501

C:\Windows\SysWOW64\Lplbjm32.exe

MD5 68e73e86c29546d0d61e27c336acf3ba
SHA1 70a49d48c99194fe18225217c1d842eba3075e9c
SHA256 a83415c237637bcfc721f118bde401ca632e20a2dc155e0b96c888fe0f8b7e59
SHA512 20bb230cc63f16b0d3151f8c35d2f6221ceeace10ab77c3d7245e729c1b643ec552e6ebbc96aa9dd37b18a797c8f00800a7da09556058eb8335d05e910c97950

C:\Windows\SysWOW64\Lbjofi32.exe

MD5 a065f157c3a1c9ad4b8bd7e2afff0232
SHA1 f597240854a99e39d739d6bc02f4c4b1403e44b5
SHA256 c804894a32579e4a225db3d0d92fc18b3250a46ecae4f81b2a04f67864355b81
SHA512 c84d4f4db0269464183b98526f0ed34de0151e4148276abcdaa86df036c99c1a1c8cf98ea7fcd0a3df5bb82a970da2d735a969ebd2c33df31198954ae253861a

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 10:35

Reported

2024-09-16 10:37

Platform

win10v2004-20240910-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Paeelgnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qhhpop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qdaniq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akkffkhk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Monjjgkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Monjjgkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opclldhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phcgcqab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agimkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dpkmal32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baannc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnfpinmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Opclldhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ondljl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaenbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdojjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnaaib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnfkdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opnbae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qhhpop32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amqhbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkgeainn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nflkbanj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oabhfg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdaniq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chkobkod.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfjola32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qodeajbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkgeainn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnmaea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgbefe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngndaccj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmhocd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhmbqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkphhgfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cacckp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfhbga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofhknodl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdenmbkk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boihcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgphpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdojjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmdgikhi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adcjop32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chkobkod.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkndie32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcngpjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nmdgikhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npgmpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amcehdod.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjaabq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nglhld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paeelgnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhmbqm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mqimikfj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogekbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdbpgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nmfcok32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mfqlfb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmkdcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Moipoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgphpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnjqmpgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqimikfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgbefe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaabq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmpmnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Monjjgkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfhbga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcngpjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqmfdj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfjola32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmdgikhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngjkfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nflkbanj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfcok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nglhld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnfpinmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Npgmpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngndaccj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhmnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nagiji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npiiffqe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngqagcag.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfcabp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onkidm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oplfkeob.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogcnmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogekbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofhknodl.exe N/A
N/A N/A C:\Windows\SysWOW64\Oanokhdb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Opclldhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogjdmbil.exe N/A
N/A N/A C:\Windows\SysWOW64\Ondljl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oabhfg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohlqcagj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjkmomfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Paeelgnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Phonha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmjdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlfqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdenmbkk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfdjinjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmnbfhal.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcgcqab.exe N/A
N/A N/A C:\Windows\SysWOW64\Palklf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phfcipoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmblagmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhhpop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmeigg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpcecb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhjmdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qodeajbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdaniq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akkffkhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaenbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adcjop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aknbkjfh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aagkhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahaceo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Boihcf32.exe C:\Windows\SysWOW64\Bphgeo32.exe N/A
File created C:\Windows\SysWOW64\Bkphhgfc.exe C:\Windows\SysWOW64\Bhblllfo.exe N/A
File created C:\Windows\SysWOW64\Dannpknl.dll C:\Windows\SysWOW64\Nnfpinmi.exe N/A
File created C:\Windows\SysWOW64\Adfnba32.dll C:\Windows\SysWOW64\Npgmpf32.exe N/A
File created C:\Windows\SysWOW64\Dgfnagdi.dll C:\Windows\SysWOW64\Nnhmnn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Opnbae32.exe C:\Windows\SysWOW64\Ogcnmc32.exe N/A
File created C:\Windows\SysWOW64\Cedckdaj.dll C:\Windows\SysWOW64\Pjkmomfn.exe N/A
File opened for modification C:\Windows\SysWOW64\Chkobkod.exe C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
File created C:\Windows\SysWOW64\Fnihkq32.dll C:\Windows\SysWOW64\Mgbefe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfjola32.exe C:\Windows\SysWOW64\Nqmfdj32.exe N/A
File created C:\Windows\SysWOW64\Nphihiif.dll C:\Windows\SysWOW64\Oanokhdb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ondljl32.exe C:\Windows\SysWOW64\Ogjdmbil.exe N/A
File created C:\Windows\SysWOW64\Bpkdjofm.exe C:\Windows\SysWOW64\Boihcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Moipoh32.exe C:\Windows\SysWOW64\Mmkdcm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkphhgfc.exe C:\Windows\SysWOW64\Bhblllfo.exe N/A
File created C:\Windows\SysWOW64\Gpojkp32.dll C:\Windows\SysWOW64\Bhblllfo.exe N/A
File opened for modification C:\Windows\SysWOW64\Cncnob32.exe C:\Windows\SysWOW64\Chfegk32.exe N/A
File created C:\Windows\SysWOW64\Akkeajoj.dll C:\Windows\SysWOW64\Mqimikfj.exe N/A
File created C:\Windows\SysWOW64\Ofkhpmpa.dll C:\Windows\SysWOW64\Nflkbanj.exe N/A
File created C:\Windows\SysWOW64\Ckbcpc32.dll C:\Windows\SysWOW64\Pmblagmf.exe N/A
File created C:\Windows\SysWOW64\Bkgeainn.exe C:\Windows\SysWOW64\Bdmmeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe C:\Windows\SysWOW64\Bdmmeo32.exe N/A
File created C:\Windows\SysWOW64\Jlkidpke.dll C:\Windows\SysWOW64\Chfegk32.exe N/A
File created C:\Windows\SysWOW64\Qdaniq32.exe C:\Windows\SysWOW64\Qodeajbg.exe N/A
File created C:\Windows\SysWOW64\Cacckp32.exe C:\Windows\SysWOW64\Ckjknfnh.exe N/A
File created C:\Windows\SysWOW64\Omjbpn32.dll C:\Windows\SysWOW64\Dnmaea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgbefe32.exe C:\Windows\SysWOW64\Mqimikfj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqmfdj32.exe C:\Windows\SysWOW64\Mjcngpjh.exe N/A
File created C:\Windows\SysWOW64\Nfjola32.exe C:\Windows\SysWOW64\Nqmfdj32.exe N/A
File created C:\Windows\SysWOW64\Nglhld32.exe C:\Windows\SysWOW64\Nmfcok32.exe N/A
File created C:\Windows\SysWOW64\Kpibgp32.dll C:\Windows\SysWOW64\Ofhknodl.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe C:\Windows\SysWOW64\Bpkdjofm.exe N/A
File created C:\Windows\SysWOW64\Mnjqmpgg.exe C:\Windows\SysWOW64\Mgphpe32.exe N/A
File created C:\Windows\SysWOW64\Monjjgkb.exe C:\Windows\SysWOW64\Mmpmnl32.exe N/A
File created C:\Windows\SysWOW64\Nmdgikhi.exe C:\Windows\SysWOW64\Nfjola32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phonha32.exe C:\Windows\SysWOW64\Paeelgnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaldccip.exe C:\Windows\SysWOW64\Amqhbe32.exe N/A
File created C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Mfhbga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngjkfd32.exe C:\Windows\SysWOW64\Nmdgikhi.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnhmnn32.exe C:\Windows\SysWOW64\Ngndaccj.exe N/A
File created C:\Windows\SysWOW64\Iohmnmmb.dll C:\Windows\SysWOW64\Agimkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpiplm32.exe C:\Windows\SysWOW64\Cnjdpaki.exe N/A
File created C:\Windows\SysWOW64\Ifomef32.dll C:\Windows\SysWOW64\Ogekbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oabhfg32.exe C:\Windows\SysWOW64\Ondljl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phfcipoo.exe C:\Windows\SysWOW64\Palklf32.exe N/A
File created C:\Windows\SysWOW64\Bphgeo32.exe C:\Windows\SysWOW64\Bmjkic32.exe N/A
File created C:\Windows\SysWOW64\Ekiapmnp.dll C:\Windows\SysWOW64\Cdbpgl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Chnlgjlb.exe C:\Windows\SysWOW64\Cdbpgl32.exe N/A
File created C:\Windows\SysWOW64\Ekppjn32.dll C:\Windows\SysWOW64\Dpiplm32.exe N/A
File created C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mgbefe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mgbefe32.exe N/A
File created C:\Windows\SysWOW64\Npiiffqe.exe C:\Windows\SysWOW64\Nagiji32.exe N/A
File created C:\Windows\SysWOW64\Ogekbb32.exe C:\Windows\SysWOW64\Opnbae32.exe N/A
File created C:\Windows\SysWOW64\Pmlfqh32.exe C:\Windows\SysWOW64\Pjmjdm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe C:\Windows\SysWOW64\Ddgibkpc.exe N/A
File opened for modification C:\Windows\SysWOW64\Nglhld32.exe C:\Windows\SysWOW64\Nmfcok32.exe N/A
File created C:\Windows\SysWOW64\Bbikhdcm.dll C:\Windows\SysWOW64\Paeelgnj.exe N/A
File created C:\Windows\SysWOW64\Pmpockdl.dll C:\Windows\SysWOW64\Aknbkjfh.exe N/A
File created C:\Windows\SysWOW64\Cpdgqmnb.exe C:\Windows\SysWOW64\Cnfkdb32.exe N/A
File created C:\Windows\SysWOW64\Dpkmal32.exe C:\Windows\SysWOW64\Dnmaea32.exe N/A
File created C:\Windows\SysWOW64\Nnfpinmi.exe C:\Windows\SysWOW64\Nglhld32.exe N/A
File created C:\Windows\SysWOW64\Pmblagmf.exe C:\Windows\SysWOW64\Phfcipoo.exe N/A
File opened for modification C:\Windows\SysWOW64\Boihcf32.exe C:\Windows\SysWOW64\Bphgeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnfkdb32.exe C:\Windows\SysWOW64\Chiblk32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqmfdj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjaabq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opnbae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogekbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bajqda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogcnmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oabhfg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akkffkhk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnjqmpgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnaaib32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpiplm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nglhld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnfpinmi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdbpgl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfjola32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nagiji32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdenmbkk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qhjmdp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkgeainn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bphgeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfqlfb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ondljl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oplfkeob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baannc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npgmpf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfdjinjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opclldhj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npiiffqe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmeigg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qpcecb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qodeajbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adcjop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhmbqm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cncnob32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqimikfj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnfkdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chiblk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkqaoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdaniq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amqhbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmhocd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkndie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adkqoohc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cacckp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmblagmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onkidm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhblllfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngndaccj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paeelgnj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahaceo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Moipoh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oanokhdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qhhpop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chkobkod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnmaea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nflkbanj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chfegk32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfhbga32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjcngpjh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnhmnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oanokhdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" C:\Windows\SysWOW64\Bajqda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhblllfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll" C:\Windows\SysWOW64\Monjjgkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nfjola32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll" C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogjdmbil.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohlqcagj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bphgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Boihcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" C:\Windows\SysWOW64\Cggimh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cacckp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agimkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" C:\Windows\SysWOW64\Mgbefe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogekbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohlqcagj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnfkdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdojjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll" C:\Windows\SysWOW64\Mnjqmpgg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqmfdj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nglhld32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nagiji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phonha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahaceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhblllfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll" C:\Windows\SysWOW64\Chkobkod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnmaea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjaabq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npiiffqe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Opclldhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnjgdn.dll" C:\Windows\SysWOW64\Phonha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcccepbd.dll" C:\Windows\SysWOW64\Adcjop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aokkahlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amcehdod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll" C:\Windows\SysWOW64\Bmhocd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mmpmnl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nfcabp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onkidm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdenmbkk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" C:\Windows\SysWOW64\Qhjmdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Adkqoohc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll" C:\Windows\SysWOW64\Ogcnmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phonha32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaenbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmdgikhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmblagmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdbpgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaenbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chfegk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mfqlfb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll" C:\Windows\SysWOW64\Mmpmnl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdmmeo32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mfqlfb32.exe
PID 4116 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mfqlfb32.exe
PID 4116 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mfqlfb32.exe
PID 3284 wrote to memory of 4540 N/A C:\Windows\SysWOW64\Mfqlfb32.exe C:\Windows\SysWOW64\Mmkdcm32.exe
PID 3284 wrote to memory of 4540 N/A C:\Windows\SysWOW64\Mfqlfb32.exe C:\Windows\SysWOW64\Mmkdcm32.exe
PID 3284 wrote to memory of 4540 N/A C:\Windows\SysWOW64\Mfqlfb32.exe C:\Windows\SysWOW64\Mmkdcm32.exe
PID 4540 wrote to memory of 2084 N/A C:\Windows\SysWOW64\Mmkdcm32.exe C:\Windows\SysWOW64\Moipoh32.exe
PID 4540 wrote to memory of 2084 N/A C:\Windows\SysWOW64\Mmkdcm32.exe C:\Windows\SysWOW64\Moipoh32.exe
PID 4540 wrote to memory of 2084 N/A C:\Windows\SysWOW64\Mmkdcm32.exe C:\Windows\SysWOW64\Moipoh32.exe
PID 2084 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Moipoh32.exe C:\Windows\SysWOW64\Mgphpe32.exe
PID 2084 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Moipoh32.exe C:\Windows\SysWOW64\Mgphpe32.exe
PID 2084 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Moipoh32.exe C:\Windows\SysWOW64\Mgphpe32.exe
PID 4056 wrote to memory of 1424 N/A C:\Windows\SysWOW64\Mgphpe32.exe C:\Windows\SysWOW64\Mnjqmpgg.exe
PID 4056 wrote to memory of 1424 N/A C:\Windows\SysWOW64\Mgphpe32.exe C:\Windows\SysWOW64\Mnjqmpgg.exe
PID 4056 wrote to memory of 1424 N/A C:\Windows\SysWOW64\Mgphpe32.exe C:\Windows\SysWOW64\Mnjqmpgg.exe
PID 1424 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Mnjqmpgg.exe C:\Windows\SysWOW64\Mqimikfj.exe
PID 1424 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Mnjqmpgg.exe C:\Windows\SysWOW64\Mqimikfj.exe
PID 1424 wrote to memory of 4396 N/A C:\Windows\SysWOW64\Mnjqmpgg.exe C:\Windows\SysWOW64\Mqimikfj.exe
PID 4396 wrote to memory of 556 N/A C:\Windows\SysWOW64\Mqimikfj.exe C:\Windows\SysWOW64\Mgbefe32.exe
PID 4396 wrote to memory of 556 N/A C:\Windows\SysWOW64\Mqimikfj.exe C:\Windows\SysWOW64\Mgbefe32.exe
PID 4396 wrote to memory of 556 N/A C:\Windows\SysWOW64\Mqimikfj.exe C:\Windows\SysWOW64\Mgbefe32.exe
PID 556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Mgbefe32.exe C:\Windows\SysWOW64\Mjaabq32.exe
PID 556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Mgbefe32.exe C:\Windows\SysWOW64\Mjaabq32.exe
PID 556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Mgbefe32.exe C:\Windows\SysWOW64\Mjaabq32.exe
PID 524 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mmpmnl32.exe
PID 524 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mmpmnl32.exe
PID 524 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Mjaabq32.exe C:\Windows\SysWOW64\Mmpmnl32.exe
PID 2412 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Mmpmnl32.exe C:\Windows\SysWOW64\Monjjgkb.exe
PID 2412 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Mmpmnl32.exe C:\Windows\SysWOW64\Monjjgkb.exe
PID 2412 wrote to memory of 4668 N/A C:\Windows\SysWOW64\Mmpmnl32.exe C:\Windows\SysWOW64\Monjjgkb.exe
PID 4668 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Monjjgkb.exe C:\Windows\SysWOW64\Mfhbga32.exe
PID 4668 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Monjjgkb.exe C:\Windows\SysWOW64\Mfhbga32.exe
PID 4668 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Monjjgkb.exe C:\Windows\SysWOW64\Mfhbga32.exe
PID 2364 wrote to memory of 4460 N/A C:\Windows\SysWOW64\Mfhbga32.exe C:\Windows\SysWOW64\Mjcngpjh.exe
PID 2364 wrote to memory of 4460 N/A C:\Windows\SysWOW64\Mfhbga32.exe C:\Windows\SysWOW64\Mjcngpjh.exe
PID 2364 wrote to memory of 4460 N/A C:\Windows\SysWOW64\Mfhbga32.exe C:\Windows\SysWOW64\Mjcngpjh.exe
PID 4460 wrote to memory of 4300 N/A C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Nqmfdj32.exe
PID 4460 wrote to memory of 4300 N/A C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Nqmfdj32.exe
PID 4460 wrote to memory of 4300 N/A C:\Windows\SysWOW64\Mjcngpjh.exe C:\Windows\SysWOW64\Nqmfdj32.exe
PID 4300 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Nqmfdj32.exe C:\Windows\SysWOW64\Nfjola32.exe
PID 4300 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Nqmfdj32.exe C:\Windows\SysWOW64\Nfjola32.exe
PID 4300 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Nqmfdj32.exe C:\Windows\SysWOW64\Nfjola32.exe
PID 2320 wrote to memory of 508 N/A C:\Windows\SysWOW64\Nfjola32.exe C:\Windows\SysWOW64\Nmdgikhi.exe
PID 2320 wrote to memory of 508 N/A C:\Windows\SysWOW64\Nfjola32.exe C:\Windows\SysWOW64\Nmdgikhi.exe
PID 2320 wrote to memory of 508 N/A C:\Windows\SysWOW64\Nfjola32.exe C:\Windows\SysWOW64\Nmdgikhi.exe
PID 508 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Nmdgikhi.exe C:\Windows\SysWOW64\Ngjkfd32.exe
PID 508 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Nmdgikhi.exe C:\Windows\SysWOW64\Ngjkfd32.exe
PID 508 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Nmdgikhi.exe C:\Windows\SysWOW64\Ngjkfd32.exe
PID 4504 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Ngjkfd32.exe C:\Windows\SysWOW64\Nflkbanj.exe
PID 4504 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Ngjkfd32.exe C:\Windows\SysWOW64\Nflkbanj.exe
PID 4504 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Ngjkfd32.exe C:\Windows\SysWOW64\Nflkbanj.exe
PID 1064 wrote to memory of 4888 N/A C:\Windows\SysWOW64\Nflkbanj.exe C:\Windows\SysWOW64\Nmfcok32.exe
PID 1064 wrote to memory of 4888 N/A C:\Windows\SysWOW64\Nflkbanj.exe C:\Windows\SysWOW64\Nmfcok32.exe
PID 1064 wrote to memory of 4888 N/A C:\Windows\SysWOW64\Nflkbanj.exe C:\Windows\SysWOW64\Nmfcok32.exe
PID 4888 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Nmfcok32.exe C:\Windows\SysWOW64\Nglhld32.exe
PID 4888 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Nmfcok32.exe C:\Windows\SysWOW64\Nglhld32.exe
PID 4888 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Nmfcok32.exe C:\Windows\SysWOW64\Nglhld32.exe
PID 3212 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Nglhld32.exe C:\Windows\SysWOW64\Nnfpinmi.exe
PID 3212 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Nglhld32.exe C:\Windows\SysWOW64\Nnfpinmi.exe
PID 3212 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Nglhld32.exe C:\Windows\SysWOW64\Nnfpinmi.exe
PID 2684 wrote to memory of 4220 N/A C:\Windows\SysWOW64\Nnfpinmi.exe C:\Windows\SysWOW64\Npgmpf32.exe
PID 2684 wrote to memory of 4220 N/A C:\Windows\SysWOW64\Nnfpinmi.exe C:\Windows\SysWOW64\Npgmpf32.exe
PID 2684 wrote to memory of 4220 N/A C:\Windows\SysWOW64\Nnfpinmi.exe C:\Windows\SysWOW64\Npgmpf32.exe
PID 4220 wrote to memory of 4468 N/A C:\Windows\SysWOW64\Npgmpf32.exe C:\Windows\SysWOW64\Ngndaccj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Mfqlfb32.exe

C:\Windows\system32\Mfqlfb32.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mnjqmpgg.exe

C:\Windows\system32\Mnjqmpgg.exe

C:\Windows\SysWOW64\Mqimikfj.exe

C:\Windows\system32\Mqimikfj.exe

C:\Windows\SysWOW64\Mgbefe32.exe

C:\Windows\system32\Mgbefe32.exe

C:\Windows\SysWOW64\Mjaabq32.exe

C:\Windows\system32\Mjaabq32.exe

C:\Windows\SysWOW64\Mmpmnl32.exe

C:\Windows\system32\Mmpmnl32.exe

C:\Windows\SysWOW64\Monjjgkb.exe

C:\Windows\system32\Monjjgkb.exe

C:\Windows\SysWOW64\Mfhbga32.exe

C:\Windows\system32\Mfhbga32.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nqmfdj32.exe

C:\Windows\system32\Nqmfdj32.exe

C:\Windows\SysWOW64\Nfjola32.exe

C:\Windows\system32\Nfjola32.exe

C:\Windows\SysWOW64\Nmdgikhi.exe

C:\Windows\system32\Nmdgikhi.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Nflkbanj.exe

C:\Windows\system32\Nflkbanj.exe

C:\Windows\SysWOW64\Nmfcok32.exe

C:\Windows\system32\Nmfcok32.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Ngndaccj.exe

C:\Windows\system32\Ngndaccj.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nagiji32.exe

C:\Windows\system32\Nagiji32.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Opnbae32.exe

C:\Windows\system32\Opnbae32.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ofhknodl.exe

C:\Windows\system32\Ofhknodl.exe

C:\Windows\SysWOW64\Oanokhdb.exe

C:\Windows\system32\Oanokhdb.exe

C:\Windows\SysWOW64\Ojfcdnjc.exe

C:\Windows\system32\Ojfcdnjc.exe

C:\Windows\SysWOW64\Opclldhj.exe

C:\Windows\system32\Opclldhj.exe

C:\Windows\SysWOW64\Ogjdmbil.exe

C:\Windows\system32\Ogjdmbil.exe

C:\Windows\SysWOW64\Ondljl32.exe

C:\Windows\system32\Ondljl32.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Ohlqcagj.exe

C:\Windows\system32\Ohlqcagj.exe

C:\Windows\SysWOW64\Pjkmomfn.exe

C:\Windows\system32\Pjkmomfn.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pjmjdm32.exe

C:\Windows\system32\Pjmjdm32.exe

C:\Windows\SysWOW64\Pmlfqh32.exe

C:\Windows\system32\Pmlfqh32.exe

C:\Windows\SysWOW64\Pdenmbkk.exe

C:\Windows\system32\Pdenmbkk.exe

C:\Windows\SysWOW64\Pfdjinjo.exe

C:\Windows\system32\Pfdjinjo.exe

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Qhhpop32.exe

C:\Windows\system32\Qhhpop32.exe

C:\Windows\SysWOW64\Qmeigg32.exe

C:\Windows\system32\Qmeigg32.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qhjmdp32.exe

C:\Windows\system32\Qhjmdp32.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Aaenbd32.exe

C:\Windows\system32\Aaenbd32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Aokkahlo.exe

C:\Windows\system32\Aokkahlo.exe

C:\Windows\SysWOW64\Apmhiq32.exe

C:\Windows\system32\Apmhiq32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Amqhbe32.exe

C:\Windows\system32\Amqhbe32.exe

C:\Windows\SysWOW64\Aaldccip.exe

C:\Windows\system32\Aaldccip.exe

C:\Windows\SysWOW64\Adkqoohc.exe

C:\Windows\system32\Adkqoohc.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Baannc32.exe

C:\Windows\system32\Baannc32.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bhkfkmmg.exe

C:\Windows\system32\Bhkfkmmg.exe

C:\Windows\SysWOW64\Bmhocd32.exe

C:\Windows\system32\Bmhocd32.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bmjkic32.exe

C:\Windows\system32\Bmjkic32.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bhblllfo.exe

C:\Windows\system32\Bhblllfo.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Chkobkod.exe

C:\Windows\system32\Chkobkod.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Cdbpgl32.exe

C:\Windows\system32\Cdbpgl32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dpiplm32.exe

C:\Windows\system32\Dpiplm32.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dkndie32.exe

C:\Windows\system32\Dkndie32.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Ddgibkpc.exe

C:\Windows\system32\Ddgibkpc.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5048 -ip 5048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4116-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4116-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Mfqlfb32.exe

MD5 229edd169b919b23f397a19d29a3391d
SHA1 16ece694b05f56ad224bae338a5cc7d1cc0554af
SHA256 3bdcf46d483b0a17da04965693dae2ab0e3c94a170511125b69b06521dc8ca6d
SHA512 04102b29e5425a4e6b5f7a5179ed44cce901c9c51b253b10bc92d8131f3b69560b70aad1b7bdec266942ebb499d166fac9219b387611c55f9ec7a140851daa52

memory/3284-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mmkdcm32.exe

MD5 7fbcffa3e850d38e92f8ab06c9d445b5
SHA1 e568e6b95803d4813585bb20cd531dcdc04352a1
SHA256 bdff187bfb4c24305b4a6b09de8ebe45b158b54445675a577fd240a5a5debb6f
SHA512 60ab2adf8632b9ff210b57988857e539ff00ad482a7433d097b30766c8c48e9f2c6d5d158a1f77bf4b6e955efc364184a8999c4a7bd1bef6a6db1a1ee7b0a43a

memory/4540-16-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Moipoh32.exe

MD5 f11765b4263f62ee8e850431b8593fd1
SHA1 73fb68ea4d053d0a300080bfc1e5263f59cab6a7
SHA256 8cb36bc8eee04b7095e321af3a323b621adc6e0c240470da88b3c7df3deca6ce
SHA512 34b83bb00ba26275b68c5e4a2324d3b353e66a86e298a519db373236ad4993383c256838bc88343138bd77635b405c3b4b6a3c92f7025f60926428b779d432eb

memory/2084-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mgphpe32.exe

MD5 c58d765656e22ca8d49ebe255ef1be89
SHA1 4b2dead3b5056445b4f5ce0542989aa9a2bd1391
SHA256 091be874e053fba8dc86b2920ebfac6e432bdef689d6b7da649b05e8a596941f
SHA512 ced0c393f343e4d06eb596b5f26117e93cd7908e2b405b7622199ecb70d4e61d2b69718139333ccda6180e67a65f222aecfb2471ba5ea57ad80449ce73784b25

memory/4056-32-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mnjqmpgg.exe

MD5 6550fff7b029834c52835de3f0c2e031
SHA1 0adaca9b420698fa6de88fcdf2d3ec3b638a4231
SHA256 15f8895c6ad496575ab37e60b07719b9846d6790da3cb029b6c2d9cf9f19037b
SHA512 6074d72b508262c76fb966b77037e72b669635ea348c736f0a32ca142ec48121680abcc2231ceee244fc2b906b33ace65da56a9c9675150ab0ea54747bd95fa6

memory/1424-40-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4396-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mqimikfj.exe

MD5 d675c30c7da37ed41bfc61da607d4c95
SHA1 d09e90161f919c3867f7dfa121ab4bbc9360e5ec
SHA256 039ef23cf0828b35abc523cf7a04fedbbfc0c1a85a8ecf97858f5d263959475f
SHA512 6f82015fabcbfef6346d98d8536100a16ff0be8ea487cc501923b01bd15946e0381aa618d7944221b8fe2fe02941b2229b645eda4542a44a7f24e62e3cbf3add

C:\Windows\SysWOW64\Mgbefe32.exe

MD5 a7aa42bfbb5bfbe4b67ea58b480dd433
SHA1 17da3523c393a3202bc2866b274766b1e7502f8f
SHA256 6ee8f276ce6c8b0878f2c7ce4e5e7d092e5044d0eadb71e2dcdc29add3348340
SHA512 a2ed96c6e644ec6ed4e50dc5173b8437ccf6df8f94729ad97d21ec9a2f97b3394848b201e7869a6ac35eb51c3372e797c7874082d40541ed2e768a70b8fa4d0b

memory/556-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mjaabq32.exe

MD5 f489b63baf2514fc3f6e2309ef1a77ab
SHA1 96c9bf629a6e361af947562775583b5900980f05
SHA256 e6130baadb00d5aeb4a840d7ea9727dd68927893de4ab7319f03a818fbc54852
SHA512 6b85754d091d5073ce707982e08ba0c2a9f43170b9be914b1193acb6b0c320b3f29625d829b3c6d62a38ee95b0b3fdb92d75b5c2e42f5e772f1e22e7ce09e5ec

memory/524-64-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mmpmnl32.exe

MD5 781040f42badc49340f8529da0137c34
SHA1 6cf3191610f31d0cc132eaef0a601bbbe880b9d0
SHA256 f5ecea153e4773dfe5c799a21639e5ec943f5a6af43c331d91ead760a4a6ae38
SHA512 78641e8bd4f3eb0caebe72a2a913d938bd3e1d0b11c1b7a910dcdaeda0d73cf2fb2f13d1f910be7027f61cf8bfacd0b9eb246e1f41f122fd9038742a2308764b

memory/2412-73-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4116-72-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Monjjgkb.exe

MD5 a90a513252510b62d05377d9479747a3
SHA1 83c6afec9ef03fca1fce249bc9a64b635b602d0a
SHA256 55c80ec4fc873205da336f38353dac5496e491339ebfc6adc9d8d2b51d04ff77
SHA512 b595fd8650829dc57970fb6edbe77387ae66b191d8f0dbedf38bae794865271bd3946057ffe5961898f28d54352692dd620988f68d77fa5786ee9e4410e14dca

memory/4668-81-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mfhbga32.exe

MD5 480d14a5c7fd4880a964c1b09b909168
SHA1 6775b247bf8f91e6289edfc358bf85d297190664
SHA256 6ce592deb03716c19d0a1d18338f49c8de1c0e2704f32469af646500520ed25b
SHA512 27fc1cc731d4a3e1a8711c6b69559b2612715a1cc48bd48e62ec068612c5fec2877d75f4f671fd1e213326316000a04d56af552aca22942e2043805168e59c5e

memory/3284-90-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2364-94-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mjcngpjh.exe

MD5 d2a42f229a0e9f70a4a14a3ef6e810e5
SHA1 9cdb8889bf8f39cca552ee987f20b307b58d613f
SHA256 28db83d9e99a1d829b9044f09968a73621f8ac5b7035e9507d41a1c94c14fe39
SHA512 f7612b84a59058a9634b8ead5efd210314de6f3054d3f6854db3cfd249c2014ad734a77c54de869dd9568711a0286e686e5c1f93d9ddfbcc13e8020db4ac7a78

memory/4460-99-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4540-98-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nqmfdj32.exe

MD5 1d6046cb5bb4d26ab8f319cdb8d76f51
SHA1 f20bf9a0b8e02a7803eaf745d53734fee11ef3fd
SHA256 81c787101ea13540b6e30bf6b12d69f643ba12ba7dc8cc2cc7b7aa3ef2139498
SHA512 9ceac13792688fac35d70db3290952d099b825d22738f2ce219e806d6d5cf54a2f0079b09f94568694f11e5bd793ac6001eed624b6f7fe667e4086ef084a59dd

memory/2084-107-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4300-109-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nfjola32.exe

MD5 bac3b6a9e428cae843c26769fcfc8a42
SHA1 34468bfd7e98944a6d13e29f71cc340bf75f65fb
SHA256 e95b18802d7929c7233e9a300af7ca34bdadf657ff01e9b0d217d35f770140a7
SHA512 e04ae2c58e3400a298c63042e75baa563758cad3511d7ae110171128c8612b0f0532129f4e7ac601414c4579df8738188965d81202a3ee9b95023c4c3a6ad54e

memory/4056-116-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2320-118-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nmdgikhi.exe

MD5 dfed74d9f3779aed7a870567eec98e29
SHA1 05600070ea0a58277ba1760f0e485770076f5a3c
SHA256 bb9e1e8d9cb6465eb8192bb0ff68bdfa429232bbf51dc173f21c0aac650b686c
SHA512 32a33dc4ad88494be715ae5e1c3c70103577b8a4edf2f55a0de72d3af9001ecd7a92d1398484625361cb5402356e81ed74663317b9ced4741d6f100879fd91ca

memory/508-127-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1424-125-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ngjkfd32.exe

MD5 310e7298bdf274a8ee21df1270644ce3
SHA1 97b1d22aba9c163caca08124cbd49f606417994a
SHA256 8e664dea700f7439a9b6312cee7a978decff3081e697db170c8747d9ecc2bd51
SHA512 b90f8cc22ba0d45df67d0534f08f7b47f4f3d09766cedac0af221fd2579dfe0b909cc0a59eec1d73626d8d1ad4dda06fa60147daee6b69df5f4bd0e156011f69

memory/4504-140-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4396-139-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1064-144-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nflkbanj.exe

MD5 4e43ba9b74dd802bfb6f6f46b49d78bf
SHA1 4b77f9d86ffc603346888992b78f4592e4eee28c
SHA256 d38ed5161622ba479bbd58899331b321f5e1131ea8e87174ffd3c81e648b68b8
SHA512 936ab73153f27c6f0c0439adbd794a4edec68f0a96446e4ce752db471126ab1ae4c03381c0e87baab43cdcee949ca0bbe4a308a491170c96a5247ebb2538e191

memory/556-143-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nmfcok32.exe

MD5 6125ce76658a2a4674b8d27a183ef374
SHA1 7eb690a5191bf2409cafd4037d89e4a3fb1c33e6
SHA256 28ce0d001f3921a41991d1a2cff31688138a38a9240935950d7461b8cda1858b
SHA512 a726df45108753ec9ce5ab32f85a852c74b4289d5c292f3cc6d1fed884e9fbf5ceb1dc31187dc0bb54163fc58ed8224a797d3d4338de511c7284f4eb5ba8a375

memory/4888-153-0x0000000000400000-0x0000000000433000-memory.dmp

memory/524-152-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nglhld32.exe

MD5 785b48ed64ca021e06609a6bbe64a27f
SHA1 c49fa704cd92e7c1f75da8d3e955aeaefa92dd7e
SHA256 d27624b6c98de016a332bc7464234063bc7a60bd5e896cc83b68748c49755a1a
SHA512 b95cdd81c73373557dbfea05959d18b6e179dad2fb169b8520fb6bb411de59b963bed19ecd08ac78359c40749cd5de613b8913b708d23bce4620582b6e93902c

memory/3212-162-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2412-161-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2684-171-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4668-170-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nnfpinmi.exe

MD5 c1f0e467f7fbcd1d141f491bd1fab41f
SHA1 9ab6683094e21213bdc79c2ebe48a3ceba41f93b
SHA256 4c807e5f373f448b1ac10b2dbf48fd24a10cb3dfebcb0389dea2e61e9c6b30e7
SHA512 dbbd44c5311200f3cc31d91ea22814df107d57a900b1af1b03a96845f6df8282d60a5cbd140272c9fd8e69651f370e106d370232053919f6926455f925cb6e3c

C:\Windows\SysWOW64\Npgmpf32.exe

MD5 e35952e6095a555d0ec0b620b4a0d2a0
SHA1 b3b872f4066ab162ef1d8e277f29c9fb90d57a93
SHA256 81ec12c009d7576817757ca688fa5692549bae1e7d39f13f1feb9f82719f33a0
SHA512 52db4bcfb19ac1d25417f4c0b4a39aaa9c3072b323855cd24db65e9958a731d93f876c49727a6904ba375ed43df5349ede3fea66e177b7a8a8c693f12477f8ea

memory/2364-179-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4220-180-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ngndaccj.exe

MD5 2f8ea7e145ab7255988c0663805cc593
SHA1 d218bbafd691f97667fab6ef06a68cc65ec75c61
SHA256 61bdf63424cf88495a998e520e3aa84025a8693d91533ecd8621823242539c20
SHA512 93b79010a3e82f47a2406be319f62eff780d32ec6a4ceb11fa480f27d5e5a7b4635a13061f1a518602a41db3eac07ebf5e60fe5f042629f8242f1b8c3dfb4dc1

memory/4468-189-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4460-188-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nnhmnn32.exe

MD5 a702057abd62a65e4b407c99364f0328
SHA1 ea2de05319772b459fb1ed46184f980f112a621e
SHA256 13a35bf4fae44f4e47db58364b3a6592891974082d9e67e5511f0fdd5d472557
SHA512 0e88f7dcd0c99e16603de65cabd464d7f0ac59cc344e873e2d9d53574c8d06db60e2931dd7b0d61a9091fcabf4299791e226812f264cd90d707154288418b5db

memory/4300-197-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3916-198-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nagiji32.exe

MD5 49950be260cc69ce06060fb510fa7146
SHA1 0e2fa33194a8e8587ad29fc7ce8aa89d49f1edaf
SHA256 e145413540cff3b1dda27a50d91ed2ff5e01733d512bf6d3498c11fcba36fc19
SHA512 ee8937a70357a9707fe13c8f138a28f7f3097f37bfa005b67cc8829498cab6b83176ea92aa160b5f17d778a0d8cf51f11c05cd80863243eb575a3d3f049dcc01

memory/2536-212-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Npiiffqe.exe

MD5 7fb2320488e34b40072c9a9cfd0616aa
SHA1 bd64978851bb3c6d9e453fff8c8606654dfc9410
SHA256 59b1e6b3931543db596e3a407f49b0657f9b2fca4123fa1c386710b37ce17ab5
SHA512 3d731a93997e1b7856357491cce7388644a4e0c9a992f43be78a8b95cd582418612cecce6fc00dfce513d989b1d49ab5fb34f44e5da66d68ff241c1281553540

memory/436-216-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ngqagcag.exe

MD5 bbb47ca81e035d8ad3300ba55c33291c
SHA1 712ba9e4a311482f85ce5e6b06362b375b6022a6
SHA256 3b5abb428b848f06d39f8a787ad934e7dec8a86a21fe63d933497f6d6c88e636
SHA512 d8773b7f12d6f4f886ce332ebc65e56f8cf944dd64190b1ae934003383c53fa2a43ff75f916960ae96335e09b8a19cd72ffc6355ca4fa05866d147bf611be97f

memory/2080-229-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nfcabp32.exe

MD5 d78217f44d8ac2366c9263e48319cdbe
SHA1 a7527a78957b0b2e18ce6ea3dfde34ff152893b4
SHA256 d7692120437c9c61713ebffaca8ae91584d24af10c4b3c7bdab06b3b1a7facde
SHA512 7839c701705a1388730eda83ccb7a5f89863c73a2a99330b2f1bbbca87d766ed0ca6835098bd334a4f083c3296e79a3d13ac0a7ec008f5a81b82a749f6edda84

memory/644-234-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1064-233-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Onkidm32.exe

MD5 fb5930ca6843a6576b248899ae66169d
SHA1 aa6bd278bcc5313d936ab266617a1874d0cb983d
SHA256 a69eb582fbefd2a5d3c5a7de6d88f40966ef7be0c5a2226398c92b78d3ccc933
SHA512 170f69ef2621b704b9fe06b5fdee65d16c206fa40cbdf4a3c4cdfed737d757df33488037dc5727b31ad19eb2c75c8a60d2a0b54d4fef4c817cda483bde5400b4

memory/508-215-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2320-211-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-243-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4888-242-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oplfkeob.exe

MD5 2945238e61220a2a459ad14ec3f13ea0
SHA1 65c0dfed4cbfcc2cde3c62779e168804a6e49949
SHA256 07773e0c1c98097b43f5698570d0b00e6dbb12cc981ba33ce284d8bb25c1d2c4
SHA512 b69b9473efbc5190de789543f7c436e6aaea90ee1afceba4acb4adfedcd7f424a7d4301bc00e61b0787f82ac449c98c88d29cb42c85e30f73aaa947850657a1a

memory/1468-251-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3212-250-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ogcnmc32.exe

MD5 21e5cd3ce841aa1387a24af9be682fce
SHA1 f037a39971d530702164160e718be11b2b91d484
SHA256 b9b6d1fcebf47a827e46deb33db0cf4a07ced29a5c1605b73c16b846cc2d96e6
SHA512 425183a49482a37b090ac409dbbad04b42d4c6110435f955a040c4a37cb614c8100a192f6e216482254b62a107dfbf4383597f80580c7ead3b5f8c79a8239dc3

memory/4348-260-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2684-259-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Opnbae32.exe

MD5 75120e17f6bdc19393013935b19ee10e
SHA1 48732d12213cb6015410d6c9a601389d47d8c6a7
SHA256 98ac666476d518aaba501c650868ad0595aca3310d2e384b15df765cc9ae3e1d
SHA512 030284775ba7f5d21531c2e3cf05b04691dc7aab014bdf74a68c3534a67abc143525798cc9c37f6e369742e60bc7ac819920ae5c43d3b4e955dfc96b559bb61e

memory/3588-269-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4220-268-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ogekbb32.exe

MD5 4f19c7f0bf9235e6c070197c2bb31e55
SHA1 1d87abcc51a802a87d0c903b3ce9b19eb08380bd
SHA256 0e92179400d68b8e5b67f9f98b8669ad6141a6d985e17e7e7daf0f4bb73763d2
SHA512 36612f0a129510f8fb93158a3600a18cb323d7cbb55e0c0c9786ee2d673a7c4e0b5d31fc83f4abb80b080c559b8a6eb349ef5d9193bf902cd8f05614a7275dc1

memory/924-279-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4468-278-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2044-286-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3916-285-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oanokhdb.exe

MD5 b54a75ef278d4865dfed871d1214546e
SHA1 c8665edad48aa02829efcf95721993ae84a6b9bd
SHA256 da1c1f9b78195260810fb2c7ce631ac4c1ae052b954942947a79ce496859d22c
SHA512 46d380216f19c2f96f27c21eef432fc90d8b2d4915ae79be3205a8a0780f4a92039130dbd6b8e2d440c83d50eb3086e2f9f749e7270990b2ed32e5d2a4949c0d

memory/4916-292-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4404-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/436-298-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4092-305-0x0000000000400000-0x0000000000433000-memory.dmp

memory/644-311-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3292-312-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5056-319-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2500-318-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1468-325-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5052-326-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4544-333-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4348-332-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3256-340-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3588-339-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4488-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/924-346-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4308-354-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2044-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3344-361-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4916-360-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1640-368-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4404-367-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1052-375-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4092-374-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4184-382-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3292-381-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3268-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5056-388-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Phcgcqab.exe

MD5 5afc5a2e39e173e503dab2a51bca4415
SHA1 fc9f6c3011c1b1fa366fbe072ad22c45054bb3e8
SHA256 1d295f5af2e165acea3ef00bf36a571ef776d017a7d7ff641fbd755515bd56f6
SHA512 d882ad43d3d6671e3b0dd8dd76a3ddfd7dbccd02de6d8ba35e0b089ed0d002b11934bee745158ba60e79e0495ca729d91c9d026f137e1298692ca555e43a93d8

memory/1464-396-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5052-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4544-402-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4016-403-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3576-410-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3256-409-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4924-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4488-416-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1800-424-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4308-423-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qdaniq32.exe

MD5 2aaa89921b336b8222da88d1dde4b3cd
SHA1 8f6c7c624c1286dc273bb8e4d404349d410edc0e
SHA256 79409ce14b7612f3e67f85254b845286bf7053eaddf923cc8048e16b5730743d
SHA512 605fbe1db1d7e2852a5b5d410615ecc1c47bfb784fead944d2dc9a98a2ff31c624a514251dcb9e0843285963542b379f39de6773c831bd25f97a6fc2b8220368

C:\Windows\SysWOW64\Aagkhd32.exe

MD5 05e1fa1ec5fdd777a0451c0a0e36def4
SHA1 5c672fbc72b78bf4ab33e78bcf8eec40ab91442b
SHA256 93c361c72203937dad1f714a6a2798ddb0559f6398fa420f69d531957f1b85a5
SHA512 b88612f849fecb0dc46b45b96318eb19f1a706d2ca2cfd534ec511da410e85b5c1fcd871d40f75510c9ded85c2c00a289e4399f4f33c7769eb69ce8f9fa31bfc

C:\Windows\SysWOW64\Bdmmeo32.exe

MD5 2c1924099fa7db0f426051f0037a9241
SHA1 b4d0d7d572c3453f0b66b8a67a73d017b921a29f
SHA256 e5aca89fff4fd1988a0502eb912a4d2fcc54450599b86d311b80e5293ca9cd64
SHA512 0a1b71dea95770964842aadd2ac4616ba7c08c71500bef96a2f23965027c6533730471007f111176028e7a8f4156328e824ceb411e8c0ab9a760ac286bf9828f

C:\Windows\SysWOW64\Baannc32.exe

MD5 f4690918122c9eec229976fc4efb5298
SHA1 73fc5f9897b021fae3176169b7bfadadbd7c924e
SHA256 53d39f16f7ac277b1e088726737f49b7d965b730f29c69a46de3a34ad01c617e
SHA512 277c1d0e350e4869ae06362f6a163b21e255891ceb4bd20b3ca536e3eef33a6d7aa832a7e5d534f949dd5c910e7bd64fc8e6eb0d21a617a2b1b05b65744cce5e

C:\Windows\SysWOW64\Bkphhgfc.exe

MD5 b596485fffa0bd5aebc69d8d82daa517
SHA1 07e85dd8afb7af4b70dc497c590bb737363470e9
SHA256 a164f1e25b6538a49cb5de497f9ade0289ee3f684b5721470604832fc3ed477f
SHA512 2510f6abfe06f5c1328233c161e1d87186fbe86bb345214aca6e50b7ff75c0c09c9e2889a955bedd5f27a33a7e468564b9faca269af02089bf4c9e42a1445488

C:\Windows\SysWOW64\Cncnob32.exe

MD5 bbe8e2aa62cc1d8c5b100e341c46dfc0
SHA1 beea5467685cff9969ffaae775b6f47441fe2939
SHA256 f1bc7ba58d65ba59c589aac02fe268eb5f6ac92ac0144de47c5e21fdb036c69a
SHA512 cfaff6561849c770f9743a71217249232f8694a12368f34bd08f636139692036f994040cf435bc8dc7cc6a65082523f0ad0d7b32827f5d4c0a5d370218103940

C:\Windows\SysWOW64\Cpdgqmnb.exe

MD5 bb09a725b018ef05c37ddc16c9d43150
SHA1 5ddf99ad42c313b8efb89c2eb452f21c3a643560
SHA256 52bc285f7401081803d56cf88d2811c8c2bb5b99292873f17a29ef91458ea0f6
SHA512 8337ec536ff00796ed6ac5864e23262419cbec773bb88a60e5e66a18eb19862f6bf8a584a1ed46c88365bc7d4bad84aa63b0237d5290ed600cb4aefc23eefa20

C:\Windows\SysWOW64\Cacckp32.exe

MD5 65fc58d06ac27294149ded0b6820f7ba
SHA1 1e517f724395bb63d8e1850cf5ce2924663fc97d
SHA256 9061e42cb9b0b7f68a46d29e9fbca20c189e06c45fc52038c5ccebb8c98bad94
SHA512 73e90ee6e5ddfc506504baffc6db6686ac00011eb20f889799b7b258e793c10189829f52825ab23c184c2dd1188d3aab6fbab54560728f352a627a910c9c5a07

C:\Windows\SysWOW64\Dpiplm32.exe

MD5 88fd11254c8f1da24ee98d102e5b7380
SHA1 549948d381596bb3e2b5575c26218459a3683934
SHA256 19d26632d639b9a58afccf89e5d576cccdc18e20e2ca1c49ced9964469608130
SHA512 fc9d3c6c51d460e95f984aa468cdd54a191e22132dd1fb3c50ffe5a119c4506cbeff0854e423b0a6b2de45606fdd8214d6b3bc86a09e2c30e8c60645a2d6f5a8

C:\Windows\SysWOW64\Dkndie32.exe

MD5 9eab8e780675827180254373335145eb
SHA1 ecc291c6bf704e6fb8c0111ff15c84af635d5020
SHA256 c38ece1eea4ff4da11fbd07408c29505485f5233f32ed17c2dc5ecc573f66242
SHA512 469a7565bb3c9ebdadc785f851ab842f60bc3763130f69317ea4818a657e2f716a85e4727fef18b6e1c0d0ab73083d91b361fbeab64da58c58f5ca2d958d772f

C:\Windows\SysWOW64\Dkqaoe32.exe

MD5 8ce4fcddbda1a922677ccfa9adb6f430
SHA1 f6024c23b00e1d9bd66bfe8f80c23fe251446618
SHA256 9bcc0d82335acd1d865153fc388f4e8df1c61648921cad22df3a7fab1a4524c2
SHA512 0fcbd9482a49fd105a0f3dec998495178b720c2e74566fc00e3a9fb2651f278e5901b010269639779119eafea203afc033181fb812bc2a6b36ec2ddd65e82420

memory/5048-796-0x0000000000400000-0x0000000000433000-memory.dmp