Malware Analysis Report

2025-01-23 00:15

Sample ID 240916-r38f8atanb
Target Backdoor.Win32.Berbew.AA.MTB-c419d01e1ab5385dc37893f67dbba18931fd33cbc9ed694e459d7606c1a6c9cfN
SHA256 c419d01e1ab5385dc37893f67dbba18931fd33cbc9ed694e459d7606c1a6c9cf
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c419d01e1ab5385dc37893f67dbba18931fd33cbc9ed694e459d7606c1a6c9cf

Threat Level: Known bad

The file Backdoor.Win32.Berbew.AA.MTB-c419d01e1ab5385dc37893f67dbba18931fd33cbc9ed694e459d7606c1a6c9cfN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 14:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 14:44

Reported

2024-09-16 14:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bccmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aojabdlf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aficjnpm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnfqccna.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bccmmf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbffoabe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgmpibam.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cchbgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afffenbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbdiia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qjklenpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afdiondb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akabgebj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Danpemej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acfmcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjakccop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cepipm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccjoli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cepipm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djdgic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qlgkki32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkegah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qlgkki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahpifj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbffoabe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bffbdadk.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppnnai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbojmmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgjccb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlgkki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgmpibam.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Accqnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdiondb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Aomnhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afffenbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Anbkipok.exe N/A
N/A N/A C:\Windows\SysWOW64\Aficjnpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqbdkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkhhhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjkhdacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqeqqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bccmmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkjdndjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Bniajoic.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfdenafn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqijljfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Boljgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bffbdadk.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbndpmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmpkqklh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqlfaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfioia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmbgfkje.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkegah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Coacbfii.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbppnbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfkloq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ciihklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmedlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cocphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnfqccna.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbblda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cepipm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cileqlmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgoelh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckjamgmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnimiblo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbdiia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cebeem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cinafkkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgaaah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckmnbg32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppnnai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppnnai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbojmmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbojmmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgjccb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgjccb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlgkki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlgkki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgmpibam.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgmpibam.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Accqnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Accqnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdiondb.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdiondb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Aomnhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aomnhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afffenbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Afffenbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Anbkipok.exe N/A
N/A N/A C:\Windows\SysWOW64\Anbkipok.exe N/A
N/A N/A C:\Windows\SysWOW64\Aficjnpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Aficjnpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqbdkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqbdkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkhhhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkhhhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjkhdacm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjkhdacm.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe C:\Windows\SysWOW64\Bccmmf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Boljgg32.exe C:\Windows\SysWOW64\Bqijljfd.exe N/A
File created C:\Windows\SysWOW64\Jidmcq32.dll C:\Windows\SysWOW64\Cileqlmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Qgmpibam.exe N/A
File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe C:\Windows\SysWOW64\Akabgebj.exe N/A
File created C:\Windows\SysWOW64\Dqaegjop.dll C:\Windows\SysWOW64\Aficjnpm.exe N/A
File created C:\Windows\SysWOW64\Bqeqqk32.exe C:\Windows\SysWOW64\Bjkhdacm.exe N/A
File created C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bmpkqklh.exe N/A
File created C:\Windows\SysWOW64\Bmbgfkje.exe C:\Windows\SysWOW64\Bfioia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkegah32.exe C:\Windows\SysWOW64\Bmbgfkje.exe N/A
File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cepipm32.exe N/A
File created C:\Windows\SysWOW64\Adpqglen.dll C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Binbknik.dll C:\Windows\SysWOW64\Ahebaiac.exe N/A
File created C:\Windows\SysWOW64\Pmmgmc32.dll C:\Windows\SysWOW64\Akabgebj.exe N/A
File created C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
File opened for modification C:\Windows\SysWOW64\Coacbfii.exe C:\Windows\SysWOW64\Bkegah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cbffoabe.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Aqbdkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cepipm32.exe C:\Windows\SysWOW64\Cbblda32.exe N/A
File created C:\Windows\SysWOW64\Cbffoabe.exe C:\Windows\SysWOW64\Cnkjnb32.exe N/A
File created C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qlgkki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qjklenpa.exe N/A
File created C:\Windows\SysWOW64\Bbjclbek.dll C:\Windows\SysWOW64\Aomnhd32.exe N/A
File created C:\Windows\SysWOW64\Bmpkqklh.exe C:\Windows\SysWOW64\Bjbndpmd.exe N/A
File created C:\Windows\SysWOW64\Nhiejpim.dll C:\Windows\SysWOW64\Paknelgk.exe N/A
File created C:\Windows\SysWOW64\Jpefpo32.dll C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Ihkhkcdl.dll C:\Windows\SysWOW64\Bniajoic.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmedlk32.exe C:\Windows\SysWOW64\Ciihklpj.exe N/A
File created C:\Windows\SysWOW64\Cpmahlfd.dll C:\Windows\SysWOW64\Ccjoli32.exe N/A
File created C:\Windows\SysWOW64\Kbfcnc32.dll C:\Windows\SysWOW64\Ppnnai32.exe N/A
File created C:\Windows\SysWOW64\Khoqme32.dll C:\Windows\SysWOW64\Ahpifj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djdgic32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Pdkiofep.dll C:\Windows\SysWOW64\Bkjdndjo.exe N/A
File created C:\Windows\SysWOW64\Ednoihel.dll C:\Windows\SysWOW64\Cnfqccna.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqeqqk32.exe C:\Windows\SysWOW64\Bjkhdacm.exe N/A
File created C:\Windows\SysWOW64\Dgnenf32.dll C:\Windows\SysWOW64\Bfdenafn.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjbndpmd.exe C:\Windows\SysWOW64\Bffbdadk.exe N/A
File created C:\Windows\SysWOW64\Aficjnpm.exe C:\Windows\SysWOW64\Anbkipok.exe N/A
File created C:\Windows\SysWOW64\Kmhnlgkg.dll C:\Windows\SysWOW64\Aoagccfn.exe N/A
File created C:\Windows\SysWOW64\Jdpkmjnb.dll C:\Windows\SysWOW64\Bqijljfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bffbdadk.exe C:\Windows\SysWOW64\Boljgg32.exe N/A
File created C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Ckjamgmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Ckjamgmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Qgjccb32.exe N/A
File created C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Bfdenafn.exe N/A
File opened for modification C:\Windows\SysWOW64\Akabgebj.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Ppnnai32.exe C:\Windows\SysWOW64\Paknelgk.exe N/A
File created C:\Windows\SysWOW64\Dicdjqhf.dll C:\Windows\SysWOW64\Qjklenpa.exe N/A
File created C:\Windows\SysWOW64\Ccofjipn.dll C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bmpkqklh.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
File created C:\Windows\SysWOW64\Aacinhhc.dll C:\Windows\SysWOW64\Aojabdlf.exe N/A
File created C:\Windows\SysWOW64\Paknelgk.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
File created C:\Windows\SysWOW64\Mqdkghnj.dll C:\Windows\SysWOW64\Qgjccb32.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Danpemej.exe N/A
File created C:\Windows\SysWOW64\Cocphf32.exe C:\Windows\SysWOW64\Cmedlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbdiia32.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Pkdhln32.dll C:\Windows\SysWOW64\Aakjdo32.exe N/A
File created C:\Windows\SysWOW64\Opobfpee.dll C:\Windows\SysWOW64\Bjkhdacm.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnbojmmp.exe C:\Windows\SysWOW64\Ppnnai32.exe N/A
File created C:\Windows\SysWOW64\Aojabdlf.exe C:\Windows\SysWOW64\Ahpifj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aficjnpm.exe C:\Windows\SysWOW64\Anbkipok.exe N/A
File created C:\Windows\SysWOW64\Dnbamjbm.dll C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
File created C:\Windows\SysWOW64\Cfkloq32.exe C:\Windows\SysWOW64\Cbppnbhm.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alihaioe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aficjnpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoagccfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfkloq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cocphf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afffenbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afdiondb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceebklai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akabgebj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danpemej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Coacbfii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qlgkki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgjccb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfioia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cebeem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnfqccna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbdiia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paknelgk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anbkipok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cepipm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akcomepg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bccmmf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjbndpmd.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfdenafn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" C:\Windows\SysWOW64\Coacbfii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmedlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" C:\Windows\SysWOW64\Accqnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll" C:\Windows\SysWOW64\Aficjnpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbffoabe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qgmpibam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bccmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll" C:\Windows\SysWOW64\Bkegah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afdiondb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aficjnpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acfmcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll" C:\Windows\SysWOW64\Bccmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Coacbfii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aomnhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" C:\Windows\SysWOW64\Qgmpibam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll" C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll" C:\Windows\SysWOW64\Qgjccb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll" C:\Windows\SysWOW64\Cbdiia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" C:\Windows\SysWOW64\Qlgkki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bniajoic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Paknelgk.exe
PID 2024 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Paknelgk.exe
PID 2024 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Paknelgk.exe
PID 2024 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Paknelgk.exe
PID 1896 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Paknelgk.exe C:\Windows\SysWOW64\Ppnnai32.exe
PID 1896 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Paknelgk.exe C:\Windows\SysWOW64\Ppnnai32.exe
PID 1896 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Paknelgk.exe C:\Windows\SysWOW64\Ppnnai32.exe
PID 1896 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Paknelgk.exe C:\Windows\SysWOW64\Ppnnai32.exe
PID 1708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Ppnnai32.exe C:\Windows\SysWOW64\Pnbojmmp.exe
PID 1708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Ppnnai32.exe C:\Windows\SysWOW64\Pnbojmmp.exe
PID 1708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Ppnnai32.exe C:\Windows\SysWOW64\Pnbojmmp.exe
PID 1708 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Ppnnai32.exe C:\Windows\SysWOW64\Pnbojmmp.exe
PID 2412 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Pnbojmmp.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 2412 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Pnbojmmp.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 2412 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Pnbojmmp.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 2412 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Pnbojmmp.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 2692 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qgjccb32.exe
PID 2692 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qgjccb32.exe
PID 2692 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qgjccb32.exe
PID 2692 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qgjccb32.exe
PID 2700 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Qgjccb32.exe C:\Windows\SysWOW64\Qkfocaki.exe
PID 2700 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Qgjccb32.exe C:\Windows\SysWOW64\Qkfocaki.exe
PID 2700 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Qgjccb32.exe C:\Windows\SysWOW64\Qkfocaki.exe
PID 2700 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Qgjccb32.exe C:\Windows\SysWOW64\Qkfocaki.exe
PID 1920 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Qlgkki32.exe
PID 1920 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Qlgkki32.exe
PID 1920 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Qlgkki32.exe
PID 1920 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Qlgkki32.exe
PID 2604 wrote to memory of 536 N/A C:\Windows\SysWOW64\Qlgkki32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 2604 wrote to memory of 536 N/A C:\Windows\SysWOW64\Qlgkki32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 2604 wrote to memory of 536 N/A C:\Windows\SysWOW64\Qlgkki32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 2604 wrote to memory of 536 N/A C:\Windows\SysWOW64\Qlgkki32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 536 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qgmpibam.exe
PID 536 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qgmpibam.exe
PID 536 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qgmpibam.exe
PID 536 wrote to memory of 1888 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qgmpibam.exe
PID 1888 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qgmpibam.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 1888 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qgmpibam.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 1888 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qgmpibam.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 1888 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qgmpibam.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 2784 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 2784 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 2784 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 2784 wrote to memory of 1996 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 1996 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 1996 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 1996 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 1996 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 1664 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Accqnc32.exe
PID 1664 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Accqnc32.exe
PID 1664 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Accqnc32.exe
PID 1664 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Accqnc32.exe
PID 2852 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Accqnc32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2852 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Accqnc32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2852 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Accqnc32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2852 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Accqnc32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2008 wrote to memory of 840 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Ahpifj32.exe
PID 2008 wrote to memory of 840 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Ahpifj32.exe
PID 2008 wrote to memory of 840 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Ahpifj32.exe
PID 2008 wrote to memory of 840 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Ahpifj32.exe
PID 840 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Ahpifj32.exe C:\Windows\SysWOW64\Aojabdlf.exe
PID 840 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Ahpifj32.exe C:\Windows\SysWOW64\Aojabdlf.exe
PID 840 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Ahpifj32.exe C:\Windows\SysWOW64\Aojabdlf.exe
PID 840 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Ahpifj32.exe C:\Windows\SysWOW64\Aojabdlf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Paknelgk.exe

C:\Windows\system32\Paknelgk.exe

C:\Windows\SysWOW64\Ppnnai32.exe

C:\Windows\system32\Ppnnai32.exe

C:\Windows\SysWOW64\Pnbojmmp.exe

C:\Windows\system32\Pnbojmmp.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qgjccb32.exe

C:\Windows\system32\Qgjccb32.exe

C:\Windows\SysWOW64\Qkfocaki.exe

C:\Windows\system32\Qkfocaki.exe

C:\Windows\SysWOW64\Qlgkki32.exe

C:\Windows\system32\Qlgkki32.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qgmpibam.exe

C:\Windows\system32\Qgmpibam.exe

C:\Windows\SysWOW64\Qjklenpa.exe

C:\Windows\system32\Qjklenpa.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Accqnc32.exe

C:\Windows\system32\Accqnc32.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Aojabdlf.exe

C:\Windows\system32\Aojabdlf.exe

C:\Windows\SysWOW64\Acfmcc32.exe

C:\Windows\system32\Acfmcc32.exe

C:\Windows\SysWOW64\Afdiondb.exe

C:\Windows\system32\Afdiondb.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Akabgebj.exe

C:\Windows\system32\Akabgebj.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Afffenbp.exe

C:\Windows\system32\Afffenbp.exe

C:\Windows\SysWOW64\Ahebaiac.exe

C:\Windows\system32\Ahebaiac.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Anbkipok.exe

C:\Windows\system32\Anbkipok.exe

C:\Windows\SysWOW64\Aficjnpm.exe

C:\Windows\system32\Aficjnpm.exe

C:\Windows\SysWOW64\Aoagccfn.exe

C:\Windows\system32\Aoagccfn.exe

C:\Windows\SysWOW64\Aqbdkk32.exe

C:\Windows\system32\Aqbdkk32.exe

C:\Windows\SysWOW64\Bkhhhd32.exe

C:\Windows\system32\Bkhhhd32.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bqeqqk32.exe

C:\Windows\system32\Bqeqqk32.exe

C:\Windows\SysWOW64\Bccmmf32.exe

C:\Windows\system32\Bccmmf32.exe

C:\Windows\SysWOW64\Bkjdndjo.exe

C:\Windows\system32\Bkjdndjo.exe

C:\Windows\SysWOW64\Bniajoic.exe

C:\Windows\system32\Bniajoic.exe

C:\Windows\SysWOW64\Bqgmfkhg.exe

C:\Windows\system32\Bqgmfkhg.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bqijljfd.exe

C:\Windows\system32\Bqijljfd.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bmpkqklh.exe

C:\Windows\system32\Bmpkqklh.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bmbgfkje.exe

C:\Windows\system32\Bmbgfkje.exe

C:\Windows\SysWOW64\Bkegah32.exe

C:\Windows\system32\Bkegah32.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Cbppnbhm.exe

C:\Windows\system32\Cbppnbhm.exe

C:\Windows\SysWOW64\Cfkloq32.exe

C:\Windows\system32\Cfkloq32.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cnfqccna.exe

C:\Windows\system32\Cnfqccna.exe

C:\Windows\SysWOW64\Cbblda32.exe

C:\Windows\system32\Cbblda32.exe

C:\Windows\SysWOW64\Cepipm32.exe

C:\Windows\system32\Cepipm32.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cbdiia32.exe

C:\Windows\system32\Cbdiia32.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Ckmnbg32.exe

C:\Windows\system32\Ckmnbg32.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Cbffoabe.exe

C:\Windows\system32\Cbffoabe.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Cnmfdb32.exe

C:\Windows\system32\Cnmfdb32.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Ccjoli32.exe

C:\Windows\system32\Ccjoli32.exe

C:\Windows\SysWOW64\Cgfkmgnj.exe

C:\Windows\system32\Cgfkmgnj.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Djdgic32.exe

C:\Windows\system32\Djdgic32.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Danpemej.exe

C:\Windows\system32\Danpemej.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 144

Network

N/A

Files

memory/2024-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Paknelgk.exe

MD5 4db896c368013bbcb325bc403ed1193b
SHA1 7a7bbe2295ac8f48524bd89cc635783c83074d08
SHA256 d170baaf88af974c800e119c9fc0ce7cf7b7ccd193214d28116c56bf13c5e5a2
SHA512 e2d60d4874c7507345a0696364d01da7c674a9b04ac3cb02c1e639c83d6c7e46e0b1945a188b568981d59bbdf2aada92fa2796ec28af8e519458cb54f64d8b4e

memory/2024-16-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/2024-18-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/1708-27-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ppnnai32.exe

MD5 3e7275a72e174c135ca85298d9ae90d5
SHA1 833be517817dc348f9b512e5d4dc9cfd02a98c37
SHA256 3fd5de0093fb82379f44b83c3fa7f3e7318dfbfec8f1b92003143566e1d7260c
SHA512 d71b124ff58e87d9ae94a0ea851fe7d188539e894784d62fcaad472f599b22fd31159e5ad7d208f9757cd9c31b903367342949490c3bdc7f1976f99b66c19277

memory/1896-20-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1708-34-0x0000000001F50000-0x0000000001F90000-memory.dmp

\Windows\SysWOW64\Pnbojmmp.exe

MD5 648f9bcee5de9d13a36d7184ab2fe9c9
SHA1 a5db3624c06bf543b72a19d4f07cadc8e9f5880a
SHA256 34d7b8df2c04667291da66fecad2942cdcf754f8248fc9fcd944a5b3f8df93ed
SHA512 b89c7c74aefb584d12fdb9f5679bbfeefee4077fc7b1c37a298b87a40c712344611f4adb14f061738c08e902e5d1b8f7fb40fd746dc2ed0ebc354520edf3f6e8

memory/1708-40-0x0000000001F50000-0x0000000001F90000-memory.dmp

\Windows\SysWOW64\Qdlggg32.exe

MD5 1fc1053fbda0212439bae09f0743dbfa
SHA1 f5ef751c0e0b47df0a46e7a95a6dd6ef01926806
SHA256 b31ca19e0e60b63eb21efa6315e4deae281fff5ce3f313f1da674fa13c4bac26
SHA512 a9af5a02e9ef0eac28d8ddf16c591b8210108552d724a4e9bb8c43d6eff7796066f1e2ba4fba5ede6f0711c8562cd8bb7d9968a3053a0599833b7cd9e7c00f2e

memory/2412-50-0x00000000002D0000-0x0000000000310000-memory.dmp

\Windows\SysWOW64\Qgjccb32.exe

MD5 54469a311007dedb1da3073dbf558c4f
SHA1 de9475551acfce95a7fee8fe75910bc3f4203a9e
SHA256 965f4a9c3bb291a9b23d201304ba9c2a149ca82776c00ca3f10aa7b5b04911dd
SHA512 36968547d8917d2bc7d4df4033ac0a12865f23493139890b4f9e7772a14d26e510a9a605b5c05448665fa895a5fb3eb4dc175fc9ef58d719d111c76c98012c20

\Windows\SysWOW64\Qkfocaki.exe

MD5 9764a0de4a1d560ccec3c18473d33241
SHA1 d351b66e9991638db60e5c4f0583b0790284dfad
SHA256 6befb857eb0a17ae7e4a8ad3885003ae21f8b1eac9ba40ab16366e25d33c15dd
SHA512 1e12b102f74804180544c599d8ed256a3936b2bbeed9bdc89c0e18e030f682b47167b6ecfe21ade2c1b673578a983578e9145f9ae4852d321ff669efd72f1eed

memory/1920-80-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2692-66-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/1920-92-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Qlgkki32.exe

MD5 f8dbbf136ebfd7d728e4520a364e3db4
SHA1 f0e6af78d89144dfd6423bd050415edd408bba3d
SHA256 35229cb46eb9cb0d84d9766221833ddeb150e04b94721a23f0a51375a449d554
SHA512 d2e3a97d287c193229c828958ad90e94649cf3d2210ca937e7183f8941cc779b5f1626c4d9aeda43ad5ad2836329f163ffa037f181d46a61be0dce01a62f70d2

memory/2604-94-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 4595f2cca7a2633db722efa4bfeba015
SHA1 e6f8a924bf0f1aad10548ff11fc750d92e5a58f0
SHA256 7b582052dfc37c460613ef88bfbd63433a79e5ae75ece7b9d20920a5b2d07191
SHA512 749ffb2752e8a3cc07b282934f09145f788a1d0f7b1335df2baae524a5f630d8130316202d44aca68a7177162ed5644cbdc18448fc088abd315b2b0eabe5f5d5

memory/2604-102-0x00000000002F0000-0x0000000000330000-memory.dmp

C:\Windows\SysWOW64\Qgmpibam.exe

MD5 999083a92f6205e7b9c19bc5f8eaaf95
SHA1 eced82071567c60292c014a83a840fee703066aa
SHA256 9a0f011859e4116ab33161ff0f6fc853e3baaedda4e313213b333c18bc732e70
SHA512 e221b813909ed69ccb06a9c216efe967e75663dc979c099a34fea3d13146f9927262ffcd885ec1e0dd47445fc201700eba33948d26b354008553cbac0b3572a8

\Windows\SysWOW64\Qjklenpa.exe

MD5 5dcfbf6dc3626722f94c45b8a4961fb8
SHA1 799cb1995f3bb9d7f8cd3086257ba6082c9e5d31
SHA256 f204622a8011de919636cf7b8a49ab06c7aa07227466365bcf9818a1319b1742
SHA512 215bfd80a1730f9e08fa705d0ca4cd54776117b1f8c63d66474f518e7ee94ec8be503aa85d99d9f8c0316641985e08c5ea0e7730386e3e0f7440ffc7d5f888e7

memory/1888-121-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2784-134-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Alihaioe.exe

MD5 24f070081f4048cf726303208b194224
SHA1 ec41d2f27f6e6c381993032dc69aa76b52b1bb55
SHA256 9499358ba9241cf9cdef21468dd6c4531f54a7d167d57c291ffcd7a9b2fe2774
SHA512 d39a857ca7183c9dd1638cda36ee0b4fd68e4902b9d5b27c2170ccd135eda265fa241b612da9a83279afe425c6386ba594bbb09750fcc6c493c29149f209b702

memory/1664-174-0x0000000000260000-0x00000000002A0000-memory.dmp

C:\Windows\SysWOW64\Accqnc32.exe

MD5 dc4484ba45882bf5d4accd9eabb1fe0f
SHA1 34e5e51fefd20ec8927fa4b21e50810916219444
SHA256 bc155a4d7fcffe88cbc29b942a02c36d47bba1675bffab7d494de14e1609b165
SHA512 8d0a481ab1420b7e14fb6d5cb4c991e712c822838f816d105db10d2c8051ed5ee672c3017f716e6ea1d9e9c5439380a04b6b1f34f330c7aba89a04be45c5ee40

\Windows\SysWOW64\Ahpifj32.exe

MD5 aed432b5e7a3a589fadc850f269e3d3d
SHA1 7a5bfeeac643298d0fc450a309f4bdfaa7316d4a
SHA256 575a50d28ee12d8599f5227dffd3da86502fc90cbbf754eeb2a5e5fd4a6fb115
SHA512 19de925bffe2dd4dda9a844359ebf3c6536fb2ee1e9cf5a56341d168e5350e64e7915cba8b25cbea1940a5bc589c3063c2ef81e2019015d581f889adaf2a352a

C:\Windows\SysWOW64\Aojabdlf.exe

MD5 40926697cec1696c934c678ca0bb0eb2
SHA1 a1bbc2f95fd70998f47b60c1ace1f8a97bef0b2c
SHA256 72a0604d2fb81131085d026c155c829e688de8c268db1152e6041489fcff992a
SHA512 7305bbbc96298fa374037bfdf4dded7969acd100b1c5cf8dbaf8b752913a998bdf9c28bba6097e999154a6901ea08c643065d539822b64d0158f503379319748

memory/1624-234-0x0000000001F50000-0x0000000001F90000-memory.dmp

memory/1648-252-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2996-298-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Anbkipok.exe

MD5 a886398288c6fe6816ffddc9771dbfdf
SHA1 bae9d700b8cf68b1fed18b48336858fe5c2b9591
SHA256 432fe3a134e2407538eb1f5b0843790bf763fff7a43ee909756df08211942939
SHA512 b9a6722898278ab1e3e626679e733ce5302036b0a36dbe33540dd8b3d8059580860d3b8ecb129a7d171790f4ac55e44f5bec2439443d1ef39f161ba7971adae5

memory/2468-319-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2468-329-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2688-344-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2688-351-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Bkhhhd32.exe

MD5 c16630540ee5d07dc3e56ce8b091fcbe
SHA1 bb05e661cd1dfe89ca13775c459c27fdd6e68593
SHA256 ea4392d069d6055d5c4ae0ad43bd93b1e3e8dd0371a9061cf590c92f50f36ff9
SHA512 8c251a05715c8f52ce4162b065292091b42352b93b8c1661c286a81f102cbe7855761f4c2a27401a32573e1c0a8b53e997746d76241921ab34ac74b9455ac690

C:\Windows\SysWOW64\Bqeqqk32.exe

MD5 b88af259e48e42d4819d8cc81a25783e
SHA1 8ee5e242906044b6e903c68b08a261dc48b0c270
SHA256 60b04ef8b3b0155ea8844b3d3ca4c6c80c1aee78e716862a049c25a75427ee99
SHA512 b093dfbce22ed43a6ae28807b87f02204902824db5f626e307f2ab657575363cef1a1ac55c8fd48c08b4ee2111a73ea04ede5e4b4af0bd83fc687d175eccc518

memory/2412-395-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2868-429-0x0000000000250000-0x0000000000290000-memory.dmp

memory/844-443-0x0000000000400000-0x0000000000440000-memory.dmp

memory/832-453-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bffbdadk.exe

MD5 06802afeab28c35b2b859748e786d7f5
SHA1 953dea832f052b560cccb2950e6f0de54ed4fca1
SHA256 df2e4ae177004f098d9e74bce3865eb97e8b2757aaa0b469f82c61b66e734169
SHA512 884737fa6648abf826ee0f496259329c0f25ab4c5a2a80d238fc560ea8d13ebdba5cf0bf92e5b50a97a0f7625ab29ac07430925150301f5b7b0e593c00ad3d49

C:\Windows\SysWOW64\Bmbgfkje.exe

MD5 7212c74eac8fbc3a6e7a2b199e27d9a9
SHA1 ecefc6890c1077582e98cea1e0332474a950a1fd
SHA256 3f5af11bb18ea05c2d1682fb698b61621f2fc0e8c170b94dc98eddaf97af226e
SHA512 8c50a356bf25362e411606324acc264a7a3c96d7cc9af96b3f678ee4e9ce0f8564ec438038a0fcafc2855f288f79a3fe32a85001f41b8753a506f2e9e75a57c7

C:\Windows\SysWOW64\Coacbfii.exe

MD5 e0a2bc4f8485d1f0842cafb66ccd1dff
SHA1 f5078707399c725105669a5aaca4ec9a94652ee0
SHA256 109ba3c20dbc8f972f926bcce8c328e1ab9bcb0bc1b2213ad6abf21c935f9925
SHA512 1e04d9edd7bc66df39a7807f72d0d0e496e38efe6d24cfb51da60d2dc96638f4b12b7fd017a0cd3389485947e93dafecce298409ecab758391f533b441adee3e

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 9963fa45985a91e848ea11dc3beb37e2
SHA1 42fe9181c0fb088a03ec66d2d851b68bca5a0f31
SHA256 b6c37d35b296ddf6802a1c4b49c35bf651a0d32b612f31ff54e4e7e709e14f28
SHA512 d530dc54ec97919e7a9ef2e2918a2f343a94741f1b4f0f3d375b43d95b12e318b8ca504e4409787db9c32c4b9da54c87cbda8d6d9156d2ff9602bb5acf3cf2c7

C:\Windows\SysWOW64\Cgoelh32.exe

MD5 65c23b6275f5af8a5a7631508b083111
SHA1 f86c2a9e5a7c0ec05fecf276d5518d8443a30bbe
SHA256 3121b79b45b8211fd50359992763fdee28182435b2aa83afeb0df349041c9a00
SHA512 692fd531eb04bdbdb0a07090965bcecf43b7c6a70db6e316fca4b101012b57fa72cc9f2bdcdf872ff5f245be39ccfb911acff797487726b384327280fceced27

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 c99440ac1ecf191fcbea673b60ab4048
SHA1 d3d91352b43eb4799d7939f4fb8a1381ce2680d6
SHA256 c9bd81719d8a6d0139a62801f90c34b923ebe6c431f97fc1c2d8dfbfe19b7baf
SHA512 6b5dd85557acc339a7037cb86eb3853491442da200dfd8fe58ff21d02e6e90c53e34385035a25cbfe6c7fdafacd06b89b960d15623827691f48898469b146ab3

C:\Windows\SysWOW64\Cbdiia32.exe

MD5 7b33c2b5dc9765fe0209406f27f807bb
SHA1 2a5251f11a94ace0a958bcbe6077e793815feeee
SHA256 14e72c22f4b823d9c28fed7e26542981c66a75b274636becc7abc0ab715152ef
SHA512 f74b80916cbb4b8a48f9538ac83cb859696d3e7b1a9aaedf2f0af4cb712af41d4bf821dd5f7464d568cc64cb13091a3c559dc6e3966fab3ed988fc1794640a66

C:\Windows\SysWOW64\Cinafkkd.exe

MD5 b1f4227fdeb0d3d8e52b863d8ac99d57
SHA1 55f41f29f3f1e8c9b0f31f9def465c55e3d9960c
SHA256 e055cf3444124bf56af1c4a695b0cde21b2248b617900d8bcec9cd718d926e68
SHA512 1dad41ee84abcaa66b19906a73bc5441347dab38f5c59c1cd7ebd217efb4808921269a38a694128474faa9c19ad59c05ac592fe740d6979d9d2b436c94c5195d

C:\Windows\SysWOW64\Cbffoabe.exe

MD5 23bddb89efdfc29b51e33b14b023aae1
SHA1 078091fba194be28b78b660fc35231beb69c499a
SHA256 665e692d25635540c1c09830682f5dcbe9f229e521b9599ccbe40fa88b1c68cc
SHA512 3f2e63ac4c61cc14b4e70b4d44d9b3390c4488f07c6e614544ac10cf0eb694568aa7a08e0d8f0ac28b1cedf1df14a054a51ac4e40aade72aae674d3d447eabb8

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 0f36b33b747bf2b673bdb51c5b262a96
SHA1 355b3a9c330f86c7ad3b8fc4f60845b1b40e3b44
SHA256 0f64db41aee941c91ec8061548edb48266f1d7456398ae6c25a86f6f8f5c7b53
SHA512 c350a0b9c0814a46bf45ea5e69765c6cb3a863b595f97a6945b33f0a8be7ac1a5890c74be80fcbee814072da28ee304c05120808e4f661d75b89f449b3a55c01

C:\Windows\SysWOW64\Cegoqlof.exe

MD5 445f1568f23dcf7c2c04c7db6bb0e752
SHA1 c6302d1ec4166863c984bbfc20c97b8c5367ac8b
SHA256 aa19a2f0bdc50ac37e6002443559965bc9b4a0d01266212d587cbe65483ed9f0
SHA512 9f9002154ab6d42fc4a272542ce5ab5e063ae6b16dbfe2ab74655b9fc82bdf6f927d01b2a342c6fb5bbc31d617b26785f6c4bf232c0af612adfecce3d29a9ec2

C:\Windows\SysWOW64\Dmbcen32.exe

MD5 5d4191dece51cf71062dc90fe2dd3d55
SHA1 98bae0a26377252d5cb338443202fdd0bea416fd
SHA256 9c0440fea19fd85a16a375ccbc158c5334e4841e376b05615e35fb2832accac0
SHA512 81d0fdb4a7615e5ca9cbe7c546d8a83151949077b6d6b5989cc72fbd79a3917a3f6cd299f1930bc4777aedcd91a9cdd4bac2b7b0d31db7db2aec211f950883a4

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 9fd338aabb9f43e5c548c4b2b26db536
SHA1 fb48e8da695604bdc032c2ac54dfef36ac3dab30
SHA256 c0e8f73261e6bcc6a54bf39d4e48967d1ee290757fec75d424d65a5d3cb737a6
SHA512 ee24854e38e8bcac5ca784dc8bf1977a50cdaa7d98c919a4c5e3f7959aa37e50f393d72e68c472e78a4280ff6bb271f3191abe0e3ad9faa4b874ae9eeebf2853

C:\Windows\SysWOW64\Danpemej.exe

MD5 8aeaa72d195ddcb07f3c2ab3456adeb7
SHA1 c30c79522b60f542a164889da6809aabb7d35869
SHA256 b1947b80a9eefc35df4c303edcf0edfe8310c70d153d4ca82653aac9e425d0da
SHA512 e8d8ea98ec2b0220af6547d65ebbed9292905fa9b61e17646bf1b4e7579e13fc89a5d803e9a6998a7f08b459946914974a6135276dfb72e2d50307f14e77e390

C:\Windows\SysWOW64\Djdgic32.exe

MD5 1e6cc85ec986fcb88e3a0fea3a65be8b
SHA1 52f5c73a3d6765611675e03e67c899ceb928cba0
SHA256 80de0d6d168cd57353271027334ee4d4917b519808515abbdb4d96f8e1e93c6f
SHA512 93d4fff1a5c4efa52de236374b1336dfeed3c7131ce5df7e32b5113b91bcccf045315df48d9ac3181ecf886c84db11b159c7c6a87374b96cf5450761f38964a9

C:\Windows\SysWOW64\Cfhkhd32.exe

MD5 7869600271c426bfd03b3652e54202bf
SHA1 4b8ea6b3a4640d3030a3f73be459824d6cc36af4
SHA256 f88b4899820325ef64d47d0f616d985625e6ba7f34b0fb31e1a01208129bbbd6
SHA512 4b51e44c3f27c0f52e2496c2cd54e590df30dc88b54ad718b9c73486cb3975ea56285b0aac8c01504c457f3f592e6cd6062aca9ffb7b6d47f8bcfbf548f4751d

C:\Windows\SysWOW64\Cgfkmgnj.exe

MD5 ac8b90a9e929629604d6ae5276ffdf4d
SHA1 06d45fc5d768b2f655622ffdf61f6981119ac129
SHA256 e4cf32f2b5e5cf43856143c9c39f7a47eb656d4ee1c73631cb88ed4e77870df5
SHA512 50c1ece7e17c8cb33bac3251b25f72817e30b21cbd2184ffd66291c70a9cecae876383b197b1c7cdf145995d082170bea5dfd176bc85882eab48bde960f36caa

C:\Windows\SysWOW64\Ccjoli32.exe

MD5 61563886036e8ddbab73ffbffc7d57c8
SHA1 5e6bc801a699dd7e252b6b61970358205e98329a
SHA256 3ff067e9a42f99e160b0a7827309923fbdd65242460c65b4e1477b42dd537dd1
SHA512 ca072c07098a674eb66e736beb7edf797763ae8ce1bb0555f5783edaad2a98f38604c627d041b426bde28f6da5e3d504c0c79f65cb74daa686d492ea00546696

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 3d54dcb89cbb593c140bc4d856cadce9
SHA1 87ee61fba7b1ce94a440fd9192e166ccc91e2441
SHA256 dda179e55ee730cf98e255e496aec94675ced3738b039681281dcba539f3ab53
SHA512 4b96488fcc5cc74ae04e3323c44b32d46a6a4900009f568135a6fb9cedc7977932a8ff7abe12be558f8a6b2c4f14aee160dab0a8cd9384a19086b36bdf56ab81

C:\Windows\SysWOW64\Cnmfdb32.exe

MD5 1d8047e462fee009f55aafffd271e470
SHA1 74cca4df06ca60c3dd1144578f41e1e34acdc4c4
SHA256 9c2d1ef0e55761dc2af1c15b5536b2eee0e3275363593055cf9edf1547570880
SHA512 3189ad3cfb5d2a44270bb906ef6ea7a58c48f8a9f0b58222ca4a29cac3d81a595881475a0283f17515719a77c83f6b8ee3772934f39830a12be03133d92e2d4b

C:\Windows\SysWOW64\Cjakccop.exe

MD5 288f803a3741c94760da8b5039c869d5
SHA1 fea33d662174a320aa197524dd3bbee4f6c7665f
SHA256 c127a7386ebfd79f818a0cb759e042eec8423458606e94b1a20755cd763e74fb
SHA512 8373665df30c6ee1db04f2dcdb9a4f34390b0f787ead3caf45ab91aff600fe00d9b433f90ac500a0c763da4bc7dd6f19450ea09e9ce3d1e62dc7b64d93795513

C:\Windows\SysWOW64\Cgcnghpl.exe

MD5 5f764fc57764ee7dece9b82da2ea921e
SHA1 a9eb5e20bc37c09a7cbd5a5ad4139db89365c30d
SHA256 99c70bfd2bd88e052beb35d52469c10bc8347db318958823a029e9d1a6dc8443
SHA512 15e946b08a0207427f8f880e93cac96a345cfe2895b8c99b1a1e418cf9bd8361b26c0da99217b0d21936b757b0852fbd896e086485f231042e12d62593347a5e

C:\Windows\SysWOW64\Ceebklai.exe

MD5 29a02404b20dcd4e139a47d989566f31
SHA1 f2fa60bc5b170ee047f984423f614ec48ec3baad
SHA256 001d69af2cc157788441b933afe8b37d24a36353493a9ded3b4a4894519ae408
SHA512 a409affb7dda694f1577b5ff8861be8df5a16e4fea8eaaa1f6bbeeed13369e23133cc0b68a58580e0261ced353aeb527d85811d2ec03672096f20ad587777039

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 7dbe1625013b31029868b1d25220d602
SHA1 0504af408dbbe4c7efa5d1d59b6c1ba5c4e12b84
SHA256 94293d906a06a3f681a6296d3e947180b2382d9ed59084d12778d6eb175285f4
SHA512 0065363e3b9724c8f519e397cf41a8737e83b5ec4171effdb412c3d3a1a8d5452e0a9f9ea5969884bdd9f9f3baf11ab8030e63e58ec1cba401d1e0141ceefbb6

C:\Windows\SysWOW64\Ckmnbg32.exe

MD5 26537101174d0e486e40b1c8b39ae926
SHA1 ebd925ad2f38df498b7558e0b7decc6250f84bfa
SHA256 e19021a4eed9fd145f4ede134596cf8416353555f67c2ad7db65e6bf46d63174
SHA512 b8b6d21a65e6d60b9700ce093b61f17d1bafff5b91107eff03bcb8bb2d8eb69843d433d642bf2fd1607d7d90508958f2f9666e61b711f68ff5d996864bceb728

C:\Windows\SysWOW64\Cgaaah32.exe

MD5 8e345bf2ef6b858071ff25f5815f28c0
SHA1 d902ce4e7c8d3812d14813f330582fe55350410e
SHA256 f8a6573f7120de72baaeb9e89cc5dd9b811224a4cf7eb11fa04364e797584be8
SHA512 a6b93a441b10a41c9076af3fabac8f70bc34dd98e55b627a0a28c7569f972cffa70e0701b7b2149e9691b8359229de1a021eb82e8ad079e8dfe844fd5b4bd572

C:\Windows\SysWOW64\Cebeem32.exe

MD5 15be40e0d54478049b398fe434bb8dd9
SHA1 067a415bee8904a2aeeab6dea11cc784700a0ad7
SHA256 3707127e5e8f68477ae2c8e1fe667938ed48df8f81e777eaec1ef86fa8f5deb6
SHA512 5ca909a6f9ac6e23bc6297b54f37b37bfe26cea4ce9589265c6d425f57833d8e8668248648d2fed6049b1a08c3b35c6c7df3eb82972a34cff7660dbdec6e5595

C:\Windows\SysWOW64\Ckjamgmk.exe

MD5 24dca8142316eb7c88e245c9dcaf5e62
SHA1 2ae0d1717f2e226ca2cfa5cae10f6a5c3e99a751
SHA256 344850900c0fbd8ca13e8812b4e9638182adf656f68e45bf312e35a3932dc79a
SHA512 aae8bd2477918db1d0156059544ab0b0a769534b58102c791ec156166f606a1b6c5b95d86f0bece8638ae9d9e4703f3c4faf32919456e196af0943db1c4be626

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 0a4542060ba5a53a907d93d11e669769
SHA1 ff58950239bf8a9c57d80a94077783e2906fb6ee
SHA256 d29ea0cd0e0a87532a040eaf8fdbe0e437b53bd1772d3508c024b3cf07c7be35
SHA512 f3606503c1acf4bf6c7ed22005c4cc6651e3e8be7141c8630aa484756053440c275905d63240801fc53004f3eebb46db2a536660559208b0a75d96baaa4e97bb

C:\Windows\SysWOW64\Cepipm32.exe

MD5 428dea9d853508f377751be8fbb60c55
SHA1 8f8f3a6125b4391ad529a4209daa92bd2cbd0fdd
SHA256 de67d44a38721d5c4c0d59735c9af4259629fe02b8c92db5e2d5499337e9ab3e
SHA512 953acf1cb5011e222d183efe1b59d5158712474a78ea0835f71723d01b8e6ce9110cc728f36f09318dc2d1bb48a9de6c2a4a3c74b5a8f51af4b4451f341ec345

C:\Windows\SysWOW64\Cbblda32.exe

MD5 0ba5bae345fbcd7e7d550776dc678fb1
SHA1 8b0daaaf7dbb30bb41ed452a97b0dafb138aca1a
SHA256 0b66cea05a98b3f3ffe9d08402a8f00da22f86d8e03ee30f4015c12733fcc562
SHA512 a5b24fab68a0a9cd07f3a52d2270c1f26916264efc4d0144ae47038709b4861fc1155857eba1103245d016b28c0d7a885fd2db3fd11c3d45bbf11f5d2c54a851

C:\Windows\SysWOW64\Cnfqccna.exe

MD5 560be56ec3f2e1b920e3997a4ccf96b5
SHA1 d9282b64e614ee5a4fad493ef099946b18a7be0e
SHA256 132a1c6a6d3d769a23a590dc9606ede37b34f67a665fa7d959c2ec227f24ff55
SHA512 f8080fc44121bdba01bd762e2e2240974fcd3a0819beb0c3e51e81e30834b795ba50a60be770a266d41dee240c00767953865491cfb8b01b1775f7da653d4556

C:\Windows\SysWOW64\Cocphf32.exe

MD5 a1aa5aa2c408886c6e2b1619e728c150
SHA1 3a145b7a3c0c428a8f295a1c32b3ff091e903d20
SHA256 98688b1784e5e5722baa8ca592308d5c91539f9907e201351a0ddd898b3dc72c
SHA512 a71c37f12b3d6efcf5f0fb006cb36c6959e8679397948d1a46ef9d5ef18b8ca738b9341ad03dad8fdd03d3b53cd7fc4b41b561c2891586fbee89dbfb2b9874c9

C:\Windows\SysWOW64\Ciihklpj.exe

MD5 0d3f7f30ecf9394e7a4ba17e936010b6
SHA1 77ddfdf5e90e08056dcd934118fe58fc5a991387
SHA256 3ca9c09cc11ea6bf7d8b933a6247bc08b3ce7140ffbc2f1e14a74f7c4140385c
SHA512 1bbf48e688870b39aa779ebddea5c27e4981cd08c35f30ff51cc7adf9e3b492ba6da54fa96dee28bfe694d775c9a6a5efbd9ba5b6b99fadb4985f0dc75a123cc

C:\Windows\SysWOW64\Cfkloq32.exe

MD5 6c4436b6279d377d1d3a1ad0c051efd9
SHA1 d6f4670c7c54dfe6c6f5258ab53749af5d975e2a
SHA256 999c3d4000be31ad56facd5c6f70d99c952a4743bcc8d35eec9c3f40d14e14bd
SHA512 c004c700041829d80c75d93fdd0b4f6810b40fab696763854e4c4b95f025345da56f7f64d09b455f5485c97ae6fee7f190cd676a6143baae5dbe9d8e4fc0eb34

C:\Windows\SysWOW64\Cbppnbhm.exe

MD5 1ea9185357e9b0cf4716a0aaae7f357f
SHA1 f0bc2adc9b594f5b6eb1c9333b0c473ecd6a5eb6
SHA256 fd080c99683912cb9557e88241533fcdddf6e49fd6d033c4ce49e1ec8f10790d
SHA512 ddf10b2a84c85b3ccd0b288e18dde31ff586497a38039b10664b09e475b78e06ba1eaebd70dd8510306c821eadcd885abb75e33ecd764db9a7f653e78e3f2592

C:\Windows\SysWOW64\Bkegah32.exe

MD5 7641a35966e2e6ea24affdde04a764b1
SHA1 0a315f602c383177e0e00fc920cccad676b7146c
SHA256 7f64c9e90c1eba66a197482fb8d7a452cebd742653572343c266cb920f82f4d0
SHA512 34b43975f1aa244df7996dd7e7f51534af1f7137e1a853ac2a22e9b838b7ce4dc805e11e27b7512797115bd062a7de6d6c558b5d7f465fd265e08aba50294314

C:\Windows\SysWOW64\Bfioia32.exe

MD5 0ce03b00a3bfa60fa2019328d9d6d8e3
SHA1 0d811031ae400507a5986dea7f25315ea5922f0e
SHA256 95534eb6c92ecabf50ea35084a7db52e1d739a6fa844ffbb5ed35ae855a1f112
SHA512 9bd5940f5a7905142d8550546917eab2eb4f0fe395b125062f62dfe5689a66c8a0252defbdd2526acfc8663db339ec7a198317484ef578e15b7aa7b898b0f97a

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 1c7805326fbe967d6d98592e922d34e2
SHA1 0117487501c97e09f65930c8221ac44de08baba9
SHA256 909f9466254ca14f8b3484edf349f5c41e95fcb3f0bef927491ce76f998f0fe1
SHA512 69884a8f3747926594d864076d82edc50ee83e0d10c3771e7696ac6045ea4effcc252a61a2309df27d695fac9b1b82e7402eb8a1579597201d3518d10b298ae3

C:\Windows\SysWOW64\Bmpkqklh.exe

MD5 2f43f77babe17f38a127793156f9b67d
SHA1 0da57ca009faf1f7cc1cc0d976f96283b874950a
SHA256 d0d82cdf74e05de109296ab4980762e9ec515cf8672941c39387b265908fea81
SHA512 2e0f4a1ed36f88c14ed77d52db80b633b31e74b23a56f0274a556bfd43e6667150b17cc54339bcb15ecced83633edee7516d5e1de3ace07714fdbcc06d7cb024

memory/2388-487-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1996-486-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2388-485-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Bjbndpmd.exe

MD5 c76ce2321982750dad6c592d0306e709
SHA1 7e5691e14e089e9df19c8ee74c42c670ed1a9ec9
SHA256 2c9b1bdf1215913c7c354a18b830e8779246f981b7056944a0aaac8b0ac86905
SHA512 fab6bf00cd87dc0e1317714717590b81e4394024117bd72b437ce926d0c72850358fca98a56aab51dfe35ca63aa1358181817dbb9dab0d099f5da71d712f1459

memory/1832-480-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2388-475-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1832-474-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/1832-473-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2784-464-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2784-463-0x0000000001F70000-0x0000000001FB0000-memory.dmp

C:\Windows\SysWOW64\Boljgg32.exe

MD5 0d6e4dadd111a07e40e567332b805c0e
SHA1 77eab5bcd2e5a9d907f43783060bb07ae89e9253
SHA256 42730bc0e16cbafca5bd49a26b9bbc851b0280ab5cb2da840697d9466e3853bf
SHA512 e33942e3f8f9a435df3bb00407bb31089d30cc01b0a6fd780a0646654a05e24fa481aaa98bf8b04ed26b0b0f0ec3a9d37770d65eda00b32781a21d8fddfd2f58

memory/832-459-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/1888-452-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bqijljfd.exe

MD5 9b2863ae9fd64aecfb698517ea01ac01
SHA1 411983fffbe8803d8fece1ea0e16bae2bc5ac868
SHA256 2ee1733383ef829553f3361c5c2782b4a7f39a117b30dcbf91a9242d00d1e020
SHA512 8fa56bc032f18c079fa35c119db27cfbaae7cac37d2bcf431aabaf4db2e244f8b61dcd1b9d65421cc909116201246c9a5db4451163e9f3763496be92a162322d

memory/536-442-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bfdenafn.exe

MD5 a52ac17567f31cdb3b7692e815fe0352
SHA1 7c0ced60138f329878d34ceb890ae6bcd74d789a
SHA256 964d8a491cd0cfa404bdfcd2436e88da40ad76721b6f9b00348049a17a878948
SHA512 ddd9eb03e2f564e9a5a7dd555b96dbd08abfe745493abe856f5ec961b453a458e5cb17daec946c0dbc59c676e63a2c12ba9dc099636b1eeca82b3dd6abd9432e

memory/2348-438-0x0000000001F30000-0x0000000001F70000-memory.dmp

memory/2604-436-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/2348-431-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2604-430-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bqgmfkhg.exe

MD5 bbdad20f28f42af75ffff2e97da1a3d5
SHA1 6216d1518f3bf054c1b04499f00d5f48a0566a15
SHA256 95c34a4fa2cc353f62e87a2560a58966692894ec51fd1b548cf3c2d915e5f57e
SHA512 c21f190204b96d7aa3f10493cdd2d5e034685da329a2a0e3c5b93df010dfcc655acdc3ca4b33b7e9783b5db89c75594d531ffa9a32a668c7aac32b1442eb0cd4

memory/2868-425-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2868-419-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1920-418-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2280-417-0x00000000005D0000-0x0000000000610000-memory.dmp

C:\Windows\SysWOW64\Bniajoic.exe

MD5 7c9ae68b93908fb9f1a9814c3fce68cf
SHA1 c59764cce612d2ac3aa6499405438da321e0d224
SHA256 e16617137904fbf7ba2979cfaaec6493a771472218ed7fe1b026cf5be2145a36
SHA512 d49e30b1732fba3684ea1d13cf30ac45fed7ad6eeb9f51e526b903dc4f2126e526ccfee8bc56e2e6693fa6f0b10573ae205abc10d6cbf3468b843fdbb46f52ab

memory/2280-412-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2700-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2164-406-0x0000000000260000-0x00000000002A0000-memory.dmp

C:\Windows\SysWOW64\Bkjdndjo.exe

MD5 8df5c94a142c84e5bfc361990bea0f8f
SHA1 23c28c815fc59c95e72c7b5e890d8651e3389183
SHA256 cfcf27eda74aa728c9e9941fdb75705df3f782cdd5db52f8642ff2190e224aaf
SHA512 8720ce59b6b1b38b61c010748a986e19112a7cf1004506bc18b6353b8f649f3151cdcdafc5de72fcc9fe73bc1829e3447816aba77f39650b1f3d3557fb0a3914

memory/2692-402-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2164-396-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bccmmf32.exe

MD5 930acdc7511a3856e5a9f70053609f63
SHA1 ffb8e0d057d125b493e82540361394c565374288
SHA256 440f1b8a0773a59d89401d879442d1b1fc2b52bd33a06b457e23c131f2b9075c
SHA512 b41edb1f02b8c23e6ab762f9572b5183906ff66bf1e103f9c8a84b42ca3a180129379cd4a00052fd997ee8d5940e506db139936f4ec3612f007f624b4501b081

memory/2412-391-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2776-385-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2028-384-0x0000000000440000-0x0000000000480000-memory.dmp

memory/2028-379-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1708-374-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3064-373-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Bjkhdacm.exe

MD5 ae0be4d6e2d4fb0ddce246959d68dae9
SHA1 5dd32b7b3c7c4bba8c29fa895a912ffb269ca5a6
SHA256 bcf7e1da48b175cc5c0551652d06d4e557a80d5a3268ddf071120797bce7d3c5
SHA512 66fe1f9643aa648fd327804ac6195f0b867a779ac37b1423353a1ec200d7f9467c79b5e7eca1fcac54e4445393a2acb873e3358b9a72dc685b1adc7d16ff0994

memory/3064-367-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2024-363-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2760-362-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/2760-361-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/2760-352-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2688-350-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Aqbdkk32.exe

MD5 9bdfcbda8ac3f9ef9095a673f8693989
SHA1 09dff9bea935a0153a986ee77593af74ae6afa4a
SHA256 e872d8e911a85ccbb0cdfb1211b7d314f47de2831557e2ca10b6e951b04132a3
SHA512 2f0883a084fef4d24325d951d458f33aa775ddda2e4cc324f0f358a9f3e7d560f263d3f9711db0c84fcfc4f294a770c8961994d97127970443096a1dd4ddae30

memory/2972-340-0x0000000000440000-0x0000000000480000-memory.dmp

memory/2972-339-0x0000000000440000-0x0000000000480000-memory.dmp

C:\Windows\SysWOW64\Aoagccfn.exe

MD5 91f7eb313b9cdf69fec121579d8f8356
SHA1 b7b7cc1b507b1cff1c49bde4797b3fbb85e00377
SHA256 eb0a580df4d666da62912b6423e14b9b1f3cc413084bb9f3204951a60c20d020
SHA512 e0e1519ccfcdf16428414a4adb78a2b24a3aec9c6ac22a79d6a633b52ab2b07f75c5bab37aaca14c641aece82521c5472f3073711ddbbb38fb4c9fee7fc710ad

memory/2972-330-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2468-328-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Aficjnpm.exe

MD5 a4b09205a12988e5408dadcda785ec47
SHA1 1949cee9b96d5847b85e947c481c43e09e63f6e0
SHA256 db92d9527c5ab7305ecd266501b6d65b7c77a5fab4df14925bf496afec31f8d5
SHA512 14324745ab82fd462bdb8f06b0e817caa4f6ca2e1d3781b7e408dd65b9b05580d36c57baae2f35a40c60d4b2bd01d0eea1b5488363bbd7a8db0b2ff78840337f

memory/1668-318-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/1668-317-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/1668-308-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2996-307-0x0000000001F30000-0x0000000001F70000-memory.dmp

C:\Windows\SysWOW64\Akcomepg.exe

MD5 b9a5422b138576e31e7adaa8e2827b2b
SHA1 c06e14ff68918153405626517d1b7579dae7ee98
SHA256 d2931dc7c19ee4c7aa9d19004d8e4cb302b7137ea92c66052db26259ea4c6a55
SHA512 945e972c44bcdacce2327dd7c3796ab37e414ab172a2728efe8b4a6df2e529985061f0328593f94087e6a8690624a5756bf41b8b39f7a5c57110771aa28f9412

C:\Windows\SysWOW64\Ahebaiac.exe

MD5 a385638311a7317bb00dc38779f05fa3
SHA1 327a70de8a5ee35093470967132b50c5a802cec0
SHA256 fdff4cb6853b57114a2be2e6a76e87ca9b97d31d73a246289cf99c94b8081e8a
SHA512 f72ff6db3844f0c3a866f98df19329f9145b6cea0c396e89337b3171cbaf794cb4ad6a89ed03c2ec6fdd51bf321d57375047f06d2fa26df09faa4cc54d6b5cba

memory/2064-297-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2064-293-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2064-287-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2500-286-0x0000000000280000-0x00000000002C0000-memory.dmp

memory/2500-285-0x0000000000280000-0x00000000002C0000-memory.dmp

C:\Windows\SysWOW64\Afffenbp.exe

MD5 5e279ebbf5bd3f00cfba7fe2d029298e
SHA1 cc108d7dd07d117e6a6b82acbdd21bda9d5ef6bb
SHA256 5d78cdb4298e931592e58c12d6a66ce42d1cacd138fa92c995ea07c7b2e0098f
SHA512 987a4aee9815ed2eacc736446963914885eb8bf49adfe71b95c2b4db479dd1fcdea9977fe6cca85ff90104a3f990c847f567e2999ba4e84b337a4fd7fe8ccd61

memory/1292-276-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1292-275-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Aakjdo32.exe

MD5 222bb9e2d9fbc49f2f130001af68894f
SHA1 f5b228006f977e3b20d5ec84a5c2b2ca04c733bf
SHA256 83531d970eb6cd4a604fb4515525a8bbafd51ba62c80522e5119e48c60f9d395
SHA512 bede989d322d68005625b2999541e495438e89520a6d6b787a0d9fedb19b7fd67c37d3509be23e6eb85bcea21d19ab909e5dcf10da6027b419f39bdce11bc8b2

memory/1540-266-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 f5c2782589eb8ebe2cc64ecb05bdbba9
SHA1 304c47b23b3ac28bd652aab20de1f2f6a91b77e3
SHA256 8a0d1d7fae3153425db52c2705b6c87dceb8b019d6484aef46a432db95d4cce5
SHA512 232bfa51243428b5b2a8e78d140492869626964c100e8aa81ad6e832ccc3c588fc1259b57591682b512e6774faf6f6c2858593c3844bdb179be08dcb8a0f3527

memory/1540-262-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1648-256-0x00000000002D0000-0x0000000000310000-memory.dmp

C:\Windows\SysWOW64\Akabgebj.exe

MD5 6b7a6bed052c47c51a6fbb4adaf0d816
SHA1 2efa99b896e94597fe24cc54a069eaa7ff926aba
SHA256 0faa8982a564c6d4a730a165c96c196ad04cbc6dcf325bd658365fd1c8f89b24
SHA512 d332e0b3086a08bad1e0391d9d186d4f4bc43356584bfa1e0e41a525a47b87b759994f9c732c20c92754aba34d93f701af1c4d3a75d063d38219a4ef7f315bb2

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 bb226d724ea36a092469307c8337bd58
SHA1 9ccd065d3d701232bb300046a46e03d63060a02e
SHA256 6eb5905e41da71541ff3c823b58d21351df77ce8e71a3716564a1aef5d113cdb
SHA512 8cb7ac53219e1d31c007618e114d8a0b2844aabaf4bf74bf32e1682b3bb5fc1458e7b749e5bc21153d0a2472d1be650bff91ae8a4363bef61200e4f4686fcf85

memory/2168-242-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1624-236-0x0000000001F50000-0x0000000001F90000-memory.dmp

memory/2168-237-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Afdiondb.exe

MD5 6ed1856be9fd3f20f3b3f15cf7eecb50
SHA1 f07a173c60b7648443bdf44488deca4b2cd1110f
SHA256 76f6bc3980536c8767b9cfecd98b5f2b78538c368b0650b4b24eef71aa9e903c
SHA512 0d368261ec97a29b7206f9b3c37e987dca7126213e1b6744559e47718eb4a8a291223738e2ad8e8089e99c30f726f28e0166e65f48fc268aaa522e8d3928890f

memory/2908-226-0x0000000000440000-0x0000000000480000-memory.dmp

C:\Windows\SysWOW64\Acfmcc32.exe

MD5 ff8f2bd5cca8f5a984f923b5ad9ab392
SHA1 24d50e47abd46be89b4060d323dd14e6d6e36b87
SHA256 652d96990ef877d14215f003c740d9ba35e728d9758ec44cf567dbcac21b4ae0
SHA512 60828def96a678263b0e076e06425ce1fe5eacc7469ccea5903e238ac8b79d90b509c937efdabfe1d99b00787ca1400bbfe1562fc748447256f7a98e35b2ea06

memory/2908-222-0x0000000000440000-0x0000000000480000-memory.dmp

memory/840-215-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2908-214-0x0000000000400000-0x0000000000440000-memory.dmp

memory/840-201-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 3501949ab25cd3cb7f3ba8419fc18af6
SHA1 68138d5c1b48990b8965a721cea456dfebc373b3
SHA256 45d20312f42532725e0201df704096f88dc06c4da8f4fd925381ed31bb3534b1
SHA512 7aa2409208011d390fdcca749c91183d955bb5f2c9dfea0ff3a4c5732b849ed0bf48db97ea4839f1b3c5a1c4b2a14e74192c788e66a783d99a045e84ca3e14f1

memory/2008-188-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2852-187-0x0000000000310000-0x0000000000350000-memory.dmp

memory/1664-167-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 cef0441d93c54f1471a3f26a59a3ddb5
SHA1 dd2d9fbc35ae514ac1a205d124da761f7979bb83
SHA256 3160122890077d83c4bcdb72861e011d5585866515ed0b69c0306dfa1401bea9
SHA512 473b9aceb83e853d0d60adea9f799eb3f842b7794f175dc69b78fa8d4d5bbfaaff89ee59ed3a6be47f0ed12341cc67c7f46dae5d9ee7ef623714110a3864efb8

memory/1996-148-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2784-142-0x0000000001F70000-0x0000000001FB0000-memory.dmp

memory/536-115-0x00000000002D0000-0x0000000000310000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 14:44

Reported

2024-09-16 14:46

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nliaao32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohghgodi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajggomog.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fplpll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jniood32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgibpf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebdcld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffnknafg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilqoobdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljnlecmp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nihipdhl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkcadhgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdlqqcnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnfpinmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfdjinjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfbaonae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlfnaicd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alelqb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnangaoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adcjop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnmaea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oldamm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bojomm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmblagmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nknobkje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bcahmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nglhld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnkbkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdcliikj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkgcea32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mifljdjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oeheqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnlkedai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nijeec32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Piijno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdgged32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbicpfdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glbjggof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hffken32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhmnn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olgncmim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aomifecf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lenicahg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmnqjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epmmqheb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcoaglhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kncaec32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmfkhmdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omdppiif.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opclldhj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akblfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baannc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oaompd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pakllc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cijpahho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Knhakh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mqimikfj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgeakekd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnafno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfldelik.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecefqnel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkobmnka.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mecjif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhafeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjpbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbgjbkfg.exe N/A
N/A N/A C:\Windows\SysWOW64\Majjng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnphmkji.exe N/A
N/A N/A C:\Windows\SysWOW64\Mblcnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Maodigil.exe N/A
N/A N/A C:\Windows\SysWOW64\Mifljdjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhilfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njghbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbnpcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nemmoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nihipdhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlfelogp.exe N/A
N/A N/A C:\Windows\SysWOW64\Noeahkfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbqmiinl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nijeec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nliaao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nognnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nafjjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nimbkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhpbfpka.exe N/A
N/A N/A C:\Windows\SysWOW64\Nknobkje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nahgoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neccpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhbolp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkqkhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nolgijpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Najceeoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Niakfbpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhdlao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okchnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objpoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oehlkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidhlb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohghgodi.exe N/A
N/A N/A C:\Windows\SysWOW64\Okedcjcm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooqqdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaompd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oekiqccc.exe N/A
N/A N/A C:\Windows\SysWOW64\Oifeab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oldamm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oocmii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oboijgbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaajed32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oihagaji.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohkbbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olgncmim.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooejohhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Obafpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadfkdgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeoblb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohnohn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oklkdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oohgdhfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Obcceg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeaoab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oimkbaed.exe N/A
N/A N/A C:\Windows\SysWOW64\Pllgnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pojcjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcepkfld.exe N/A
N/A N/A C:\Windows\SysWOW64\Pedlgbkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Piphgq32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Hehhjm32.dll C:\Windows\SysWOW64\Palklf32.exe N/A
File created C:\Windows\SysWOW64\Giinpa32.exe C:\Windows\SysWOW64\Gbofcghl.exe N/A
File created C:\Windows\SysWOW64\Igigla32.exe C:\Windows\SysWOW64\Inqbclob.exe N/A
File created C:\Windows\SysWOW64\Mmfkhmdi.exe C:\Windows\SysWOW64\Lncjlq32.exe N/A
File created C:\Windows\SysWOW64\Jchdqkfl.dll C:\Windows\SysWOW64\Nnhmnn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjkmomfn.exe C:\Windows\SysWOW64\Ohlqcagj.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmlfqh32.exe C:\Windows\SysWOW64\Pnifekmd.exe N/A
File created C:\Windows\SysWOW64\Pllgnl32.exe C:\Windows\SysWOW64\Oimkbaed.exe N/A
File opened for modification C:\Windows\SysWOW64\Abponp32.exe C:\Windows\SysWOW64\Acmobchj.exe N/A
File created C:\Windows\SysWOW64\Iddgpk32.dll C:\Windows\SysWOW64\Iljpij32.exe N/A
File created C:\Windows\SysWOW64\Fnihkq32.dll C:\Windows\SysWOW64\Mgbefe32.exe N/A
File created C:\Windows\SysWOW64\Kpibgp32.dll C:\Windows\SysWOW64\Onocomdo.exe N/A
File created C:\Windows\SysWOW64\Bklomh32.exe C:\Windows\SysWOW64\Bhmbqm32.exe N/A
File created C:\Windows\SysWOW64\Ngmeal32.dll C:\Windows\SysWOW64\Nbnpcj32.exe N/A
File created C:\Windows\SysWOW64\Kalhafbk.dll C:\Windows\SysWOW64\Okchnk32.exe N/A
File created C:\Windows\SysWOW64\Iljpij32.exe C:\Windows\SysWOW64\Ingpmmgm.exe N/A
File created C:\Windows\SysWOW64\Pkgcea32.exe C:\Windows\SysWOW64\Pkegpb32.exe N/A
File created C:\Windows\SysWOW64\Nqdmimbf.dll C:\Windows\SysWOW64\Gbchdp32.exe N/A
File created C:\Windows\SysWOW64\Nahgoe32.exe C:\Windows\SysWOW64\Nknobkje.exe N/A
File created C:\Windows\SysWOW64\Ohnohn32.exe C:\Windows\SysWOW64\Oeoblb32.exe N/A
File created C:\Windows\SysWOW64\Bdgged32.exe C:\Windows\SysWOW64\Bahkih32.exe N/A
File created C:\Windows\SysWOW64\Igegpo32.dll C:\Windows\SysWOW64\Ahgjejhd.exe N/A
File created C:\Windows\SysWOW64\Ecbjkngo.exe C:\Windows\SysWOW64\Dimenegi.exe N/A
File created C:\Windows\SysWOW64\Kgffoo32.dll C:\Windows\SysWOW64\Ieidhh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kjjbjd32.exe C:\Windows\SysWOW64\Kgkfnh32.exe N/A
File created C:\Windows\SysWOW64\Pnpkdp32.dll C:\Windows\SysWOW64\Opeiadfg.exe N/A
File created C:\Windows\SysWOW64\Nnfgcd32.exe C:\Windows\SysWOW64\Nhmofj32.exe N/A
File created C:\Windows\SysWOW64\Ljnlecmp.exe C:\Windows\SysWOW64\Lgpoihnl.exe N/A
File created C:\Windows\SysWOW64\Folnlh32.dll C:\Windows\SysWOW64\Nnojho32.exe N/A
File created C:\Windows\SysWOW64\Dhblne32.dll C:\Windows\SysWOW64\Bkkple32.exe N/A
File created C:\Windows\SysWOW64\Gkmdecbg.exe C:\Windows\SysWOW64\Gdcliikj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnfgcd32.exe C:\Windows\SysWOW64\Nhmofj32.exe N/A
File created C:\Windows\SysWOW64\Abhemohm.dll C:\Windows\SysWOW64\Koodbl32.exe N/A
File created C:\Windows\SysWOW64\Npepkf32.exe C:\Windows\SysWOW64\Nmfcok32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nafjjf32.exe C:\Windows\SysWOW64\Nognnj32.exe N/A
File created C:\Windows\SysWOW64\Oeaoab32.exe C:\Windows\SysWOW64\Obcceg32.exe N/A
File created C:\Windows\SysWOW64\Dqklch32.dll C:\Windows\SysWOW64\Pekbga32.exe N/A
File created C:\Windows\SysWOW64\Hmdkbp32.dll C:\Windows\SysWOW64\Bfgjjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmikeaap.exe C:\Windows\SysWOW64\Fbcfhibj.exe N/A
File created C:\Windows\SysWOW64\Bcddcbab.exe C:\Windows\SysWOW64\Bohibc32.exe N/A
File created C:\Windows\SysWOW64\Ccpdoqgd.exe C:\Windows\SysWOW64\Ckilmcgb.exe N/A
File opened for modification C:\Windows\SysWOW64\Deqcbpld.exe C:\Windows\SysWOW64\Digehphc.exe N/A
File opened for modification C:\Windows\SysWOW64\Mqimikfj.exe C:\Windows\SysWOW64\Mmmqhl32.exe N/A
File created C:\Windows\SysWOW64\Gmiadfmi.dll C:\Windows\SysWOW64\Feoodn32.exe N/A
File created C:\Windows\SysWOW64\Oakbehfe.exe C:\Windows\SysWOW64\Ojajin32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbnpcj32.exe C:\Windows\SysWOW64\Njghbl32.exe N/A
File created C:\Windows\SysWOW64\Cbgpnkdm.dll C:\Windows\SysWOW64\Nihipdhl.exe N/A
File created C:\Windows\SysWOW64\Nekhop32.dll C:\Windows\SysWOW64\Oaompd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pakllc32.exe C:\Windows\SysWOW64\Pchlpfjb.exe N/A
File created C:\Windows\SysWOW64\Fpmehf32.dll C:\Windows\SysWOW64\Pkenjh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lncjlq32.exe C:\Windows\SysWOW64\Lgibpf32.exe N/A
File created C:\Windows\SysWOW64\Nbgqin32.dll C:\Windows\SysWOW64\Nnafno32.exe N/A
File created C:\Windows\SysWOW64\Nhokljge.exe C:\Windows\SysWOW64\Nnfgcd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpelhd32.exe C:\Windows\SysWOW64\Glipgf32.exe N/A
File created C:\Windows\SysWOW64\Dibkjmof.dll C:\Windows\SysWOW64\Glipgf32.exe N/A
File created C:\Windows\SysWOW64\Jkjpda32.dll C:\Windows\SysWOW64\Kngkqbgl.exe N/A
File created C:\Windows\SysWOW64\Lopmii32.exe C:\Windows\SysWOW64\Lmaamn32.exe N/A
File created C:\Windows\SysWOW64\Cdbfab32.exe C:\Windows\SysWOW64\Cbdjeg32.exe N/A
File created C:\Windows\SysWOW64\Jlgepanl.exe C:\Windows\SysWOW64\Jmeede32.exe N/A
File created C:\Windows\SysWOW64\Ilgonc32.dll C:\Windows\SysWOW64\Pfdjinjo.exe N/A
File created C:\Windows\SysWOW64\Ofkgcobj.exe C:\Windows\SysWOW64\Oclkgccf.exe N/A
File created C:\Windows\SysWOW64\Dgeaknci.dll C:\Windows\SysWOW64\Aokkahlo.exe N/A
File created C:\Windows\SysWOW64\Cjjlkk32.exe C:\Windows\SysWOW64\Cfnqklgh.exe N/A
File created C:\Windows\SysWOW64\Mmkkmc32.exe C:\Windows\SysWOW64\Mkjnfkma.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Imgicgca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qhkdof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipjoja32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmaamn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bpfkpp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkcadhgm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bblnindg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckfphc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hkbmqb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phincl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcahmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dikihe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhafeb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnphmkji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oldamm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pibdmp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oifeab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iljpij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmdemd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oejbfmpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hemdlj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igdgglfl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmblagmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glkmmefl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amqhbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkbocbog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpabni32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bemqih32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akepfpcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjkmomfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnhenj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pakllc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahgjejhd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbcfhibj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkeekk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahjgjj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adikdfna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckhecmcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jekqmhia.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpiplm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfldelik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gingkqkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icknfcol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmpkadnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfnqklgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebjdgmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klhnfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpqjglii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhmofj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppgegd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcigeooj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icdheded.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lenicahg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bepmoh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eejeiocj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adhdjpjf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fplpll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgkkkcbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjahlgpf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nndjndbh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knnhjcog.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njoddaaj.dll" C:\Windows\SysWOW64\Cfcjfk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlghoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dflmlj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnimm32.dll" C:\Windows\SysWOW64\Kkgiimng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjkmomfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjnmpl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ccpdoqgd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oplfkeob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabdjc32.dll" C:\Windows\SysWOW64\Jqhafffk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hbhboolf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll" C:\Windows\SysWOW64\Gehbjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qdaniq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acmobchj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjpqjh32.dll" C:\Windows\SysWOW64\Bmabggdm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bombmcec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Glkmmefl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mmpmnl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohghgodi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bljlfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll" C:\Windows\SysWOW64\Pmblagmf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdkifmjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccfqqkf.dll" C:\Windows\SysWOW64\Bljlfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll" C:\Windows\SysWOW64\Hffken32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkobmnka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" C:\Windows\SysWOW64\Keimof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll" C:\Windows\SysWOW64\Kgkfnh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkjmfeo.dll" C:\Windows\SysWOW64\Alcfei32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmfhkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll" C:\Windows\SysWOW64\Ccmgiaig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpchib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jpaleglc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkdcbd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qpcecb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpopgneq.dll" C:\Windows\SysWOW64\Nkqkhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhldpj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmnqjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" C:\Windows\SysWOW64\Cnahdi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll" C:\Windows\SysWOW64\Jedccfqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnegbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebldil.dll" C:\Windows\SysWOW64\Nimbkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmncbodd.dll" C:\Windows\SysWOW64\Ooejohhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ojgjndno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckhecmcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nfjola32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll" C:\Windows\SysWOW64\Pfandnla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apjkcadp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Maodigil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngjep32.dll" C:\Windows\SysWOW64\Mjkblhfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgninn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjdebfnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofbdcmb.dll" C:\Windows\SysWOW64\Pchlpfjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljeffhcd.dll" C:\Windows\SysWOW64\Hgkkkcbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oidhlb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doogdl32.dll" C:\Windows\SysWOW64\Ncofplba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbofaoj.dll" C:\Windows\SysWOW64\Ecefqnel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" C:\Windows\SysWOW64\Njpdnedf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmmaj32.dll" C:\Windows\SysWOW64\Gimqajgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll" C:\Windows\SysWOW64\Mmkdcm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmhigf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfoiaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oejbfmpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcelpggq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amcehdod.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4432 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mecjif32.exe
PID 4432 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mecjif32.exe
PID 4432 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mecjif32.exe
PID 3200 wrote to memory of 4512 N/A C:\Windows\SysWOW64\Mecjif32.exe C:\Windows\SysWOW64\Mhafeb32.exe
PID 3200 wrote to memory of 4512 N/A C:\Windows\SysWOW64\Mecjif32.exe C:\Windows\SysWOW64\Mhafeb32.exe
PID 3200 wrote to memory of 4512 N/A C:\Windows\SysWOW64\Mecjif32.exe C:\Windows\SysWOW64\Mhafeb32.exe
PID 4512 wrote to memory of 768 N/A C:\Windows\SysWOW64\Mhafeb32.exe C:\Windows\SysWOW64\Mjpbam32.exe
PID 4512 wrote to memory of 768 N/A C:\Windows\SysWOW64\Mhafeb32.exe C:\Windows\SysWOW64\Mjpbam32.exe
PID 4512 wrote to memory of 768 N/A C:\Windows\SysWOW64\Mhafeb32.exe C:\Windows\SysWOW64\Mjpbam32.exe
PID 768 wrote to memory of 4740 N/A C:\Windows\SysWOW64\Mjpbam32.exe C:\Windows\SysWOW64\Mbgjbkfg.exe
PID 768 wrote to memory of 4740 N/A C:\Windows\SysWOW64\Mjpbam32.exe C:\Windows\SysWOW64\Mbgjbkfg.exe
PID 768 wrote to memory of 4740 N/A C:\Windows\SysWOW64\Mjpbam32.exe C:\Windows\SysWOW64\Mbgjbkfg.exe
PID 4740 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Mbgjbkfg.exe C:\Windows\SysWOW64\Majjng32.exe
PID 4740 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Mbgjbkfg.exe C:\Windows\SysWOW64\Majjng32.exe
PID 4740 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Mbgjbkfg.exe C:\Windows\SysWOW64\Majjng32.exe
PID 3172 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Majjng32.exe C:\Windows\SysWOW64\Mnphmkji.exe
PID 3172 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Majjng32.exe C:\Windows\SysWOW64\Mnphmkji.exe
PID 3172 wrote to memory of 2768 N/A C:\Windows\SysWOW64\Majjng32.exe C:\Windows\SysWOW64\Mnphmkji.exe
PID 2768 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Mnphmkji.exe C:\Windows\SysWOW64\Mblcnj32.exe
PID 2768 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Mnphmkji.exe C:\Windows\SysWOW64\Mblcnj32.exe
PID 2768 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Mnphmkji.exe C:\Windows\SysWOW64\Mblcnj32.exe
PID 2508 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Mblcnj32.exe C:\Windows\SysWOW64\Maodigil.exe
PID 2508 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Mblcnj32.exe C:\Windows\SysWOW64\Maodigil.exe
PID 2508 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Mblcnj32.exe C:\Windows\SysWOW64\Maodigil.exe
PID 2136 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Maodigil.exe C:\Windows\SysWOW64\Mifljdjo.exe
PID 2136 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Maodigil.exe C:\Windows\SysWOW64\Mifljdjo.exe
PID 2136 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Maodigil.exe C:\Windows\SysWOW64\Mifljdjo.exe
PID 4924 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Mifljdjo.exe C:\Windows\SysWOW64\Mhilfa32.exe
PID 4924 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Mifljdjo.exe C:\Windows\SysWOW64\Mhilfa32.exe
PID 4924 wrote to memory of 1628 N/A C:\Windows\SysWOW64\Mifljdjo.exe C:\Windows\SysWOW64\Mhilfa32.exe
PID 1628 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Mhilfa32.exe C:\Windows\SysWOW64\Njghbl32.exe
PID 1628 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Mhilfa32.exe C:\Windows\SysWOW64\Njghbl32.exe
PID 1628 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Mhilfa32.exe C:\Windows\SysWOW64\Njghbl32.exe
PID 2028 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Njghbl32.exe C:\Windows\SysWOW64\Nbnpcj32.exe
PID 2028 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Njghbl32.exe C:\Windows\SysWOW64\Nbnpcj32.exe
PID 2028 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Njghbl32.exe C:\Windows\SysWOW64\Nbnpcj32.exe
PID 4372 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Nbnpcj32.exe C:\Windows\SysWOW64\Nemmoe32.exe
PID 4372 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Nbnpcj32.exe C:\Windows\SysWOW64\Nemmoe32.exe
PID 4372 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Nbnpcj32.exe C:\Windows\SysWOW64\Nemmoe32.exe
PID 2248 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Nemmoe32.exe C:\Windows\SysWOW64\Nihipdhl.exe
PID 2248 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Nemmoe32.exe C:\Windows\SysWOW64\Nihipdhl.exe
PID 2248 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Nemmoe32.exe C:\Windows\SysWOW64\Nihipdhl.exe
PID 3436 wrote to memory of 4392 N/A C:\Windows\SysWOW64\Nihipdhl.exe C:\Windows\SysWOW64\Nlfelogp.exe
PID 3436 wrote to memory of 4392 N/A C:\Windows\SysWOW64\Nihipdhl.exe C:\Windows\SysWOW64\Nlfelogp.exe
PID 3436 wrote to memory of 4392 N/A C:\Windows\SysWOW64\Nihipdhl.exe C:\Windows\SysWOW64\Nlfelogp.exe
PID 4392 wrote to memory of 1584 N/A C:\Windows\SysWOW64\Nlfelogp.exe C:\Windows\SysWOW64\Noeahkfc.exe
PID 4392 wrote to memory of 1584 N/A C:\Windows\SysWOW64\Nlfelogp.exe C:\Windows\SysWOW64\Noeahkfc.exe
PID 4392 wrote to memory of 1584 N/A C:\Windows\SysWOW64\Nlfelogp.exe C:\Windows\SysWOW64\Noeahkfc.exe
PID 1584 wrote to memory of 840 N/A C:\Windows\SysWOW64\Noeahkfc.exe C:\Windows\SysWOW64\Nbqmiinl.exe
PID 1584 wrote to memory of 840 N/A C:\Windows\SysWOW64\Noeahkfc.exe C:\Windows\SysWOW64\Nbqmiinl.exe
PID 1584 wrote to memory of 840 N/A C:\Windows\SysWOW64\Noeahkfc.exe C:\Windows\SysWOW64\Nbqmiinl.exe
PID 840 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Nbqmiinl.exe C:\Windows\SysWOW64\Nijeec32.exe
PID 840 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Nbqmiinl.exe C:\Windows\SysWOW64\Nijeec32.exe
PID 840 wrote to memory of 2320 N/A C:\Windows\SysWOW64\Nbqmiinl.exe C:\Windows\SysWOW64\Nijeec32.exe
PID 2320 wrote to memory of 4520 N/A C:\Windows\SysWOW64\Nijeec32.exe C:\Windows\SysWOW64\Nliaao32.exe
PID 2320 wrote to memory of 4520 N/A C:\Windows\SysWOW64\Nijeec32.exe C:\Windows\SysWOW64\Nliaao32.exe
PID 2320 wrote to memory of 4520 N/A C:\Windows\SysWOW64\Nijeec32.exe C:\Windows\SysWOW64\Nliaao32.exe
PID 4520 wrote to memory of 4444 N/A C:\Windows\SysWOW64\Nliaao32.exe C:\Windows\SysWOW64\Nognnj32.exe
PID 4520 wrote to memory of 4444 N/A C:\Windows\SysWOW64\Nliaao32.exe C:\Windows\SysWOW64\Nognnj32.exe
PID 4520 wrote to memory of 4444 N/A C:\Windows\SysWOW64\Nliaao32.exe C:\Windows\SysWOW64\Nognnj32.exe
PID 4444 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Nognnj32.exe C:\Windows\SysWOW64\Nafjjf32.exe
PID 4444 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Nognnj32.exe C:\Windows\SysWOW64\Nafjjf32.exe
PID 4444 wrote to memory of 4692 N/A C:\Windows\SysWOW64\Nognnj32.exe C:\Windows\SysWOW64\Nafjjf32.exe
PID 4692 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Nafjjf32.exe C:\Windows\SysWOW64\Nimbkc32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Mecjif32.exe

C:\Windows\system32\Mecjif32.exe

C:\Windows\SysWOW64\Mhafeb32.exe

C:\Windows\system32\Mhafeb32.exe

C:\Windows\SysWOW64\Mjpbam32.exe

C:\Windows\system32\Mjpbam32.exe

C:\Windows\SysWOW64\Mbgjbkfg.exe

C:\Windows\system32\Mbgjbkfg.exe

C:\Windows\SysWOW64\Majjng32.exe

C:\Windows\system32\Majjng32.exe

C:\Windows\SysWOW64\Mnphmkji.exe

C:\Windows\system32\Mnphmkji.exe

C:\Windows\SysWOW64\Mblcnj32.exe

C:\Windows\system32\Mblcnj32.exe

C:\Windows\SysWOW64\Maodigil.exe

C:\Windows\system32\Maodigil.exe

C:\Windows\SysWOW64\Mifljdjo.exe

C:\Windows\system32\Mifljdjo.exe

C:\Windows\SysWOW64\Mhilfa32.exe

C:\Windows\system32\Mhilfa32.exe

C:\Windows\SysWOW64\Njghbl32.exe

C:\Windows\system32\Njghbl32.exe

C:\Windows\SysWOW64\Nbnpcj32.exe

C:\Windows\system32\Nbnpcj32.exe

C:\Windows\SysWOW64\Nemmoe32.exe

C:\Windows\system32\Nemmoe32.exe

C:\Windows\SysWOW64\Nihipdhl.exe

C:\Windows\system32\Nihipdhl.exe

C:\Windows\SysWOW64\Nlfelogp.exe

C:\Windows\system32\Nlfelogp.exe

C:\Windows\SysWOW64\Noeahkfc.exe

C:\Windows\system32\Noeahkfc.exe

C:\Windows\SysWOW64\Nbqmiinl.exe

C:\Windows\system32\Nbqmiinl.exe

C:\Windows\SysWOW64\Nijeec32.exe

C:\Windows\system32\Nijeec32.exe

C:\Windows\SysWOW64\Nliaao32.exe

C:\Windows\system32\Nliaao32.exe

C:\Windows\SysWOW64\Nognnj32.exe

C:\Windows\system32\Nognnj32.exe

C:\Windows\SysWOW64\Nafjjf32.exe

C:\Windows\system32\Nafjjf32.exe

C:\Windows\SysWOW64\Nimbkc32.exe

C:\Windows\system32\Nimbkc32.exe

C:\Windows\SysWOW64\Nhpbfpka.exe

C:\Windows\system32\Nhpbfpka.exe

C:\Windows\SysWOW64\Nknobkje.exe

C:\Windows\system32\Nknobkje.exe

C:\Windows\SysWOW64\Nahgoe32.exe

C:\Windows\system32\Nahgoe32.exe

C:\Windows\SysWOW64\Neccpd32.exe

C:\Windows\system32\Neccpd32.exe

C:\Windows\SysWOW64\Nhbolp32.exe

C:\Windows\system32\Nhbolp32.exe

C:\Windows\SysWOW64\Nkqkhk32.exe

C:\Windows\system32\Nkqkhk32.exe

C:\Windows\SysWOW64\Nolgijpk.exe

C:\Windows\system32\Nolgijpk.exe

C:\Windows\SysWOW64\Najceeoo.exe

C:\Windows\system32\Najceeoo.exe

C:\Windows\SysWOW64\Niakfbpa.exe

C:\Windows\system32\Niakfbpa.exe

C:\Windows\SysWOW64\Nhdlao32.exe

C:\Windows\system32\Nhdlao32.exe

C:\Windows\SysWOW64\Okchnk32.exe

C:\Windows\system32\Okchnk32.exe

C:\Windows\SysWOW64\Objpoh32.exe

C:\Windows\system32\Objpoh32.exe

C:\Windows\SysWOW64\Oehlkc32.exe

C:\Windows\system32\Oehlkc32.exe

C:\Windows\SysWOW64\Oidhlb32.exe

C:\Windows\system32\Oidhlb32.exe

C:\Windows\SysWOW64\Ohghgodi.exe

C:\Windows\system32\Ohghgodi.exe

C:\Windows\SysWOW64\Okedcjcm.exe

C:\Windows\system32\Okedcjcm.exe

C:\Windows\SysWOW64\Ooqqdi32.exe

C:\Windows\system32\Ooqqdi32.exe

C:\Windows\SysWOW64\Oaompd32.exe

C:\Windows\system32\Oaompd32.exe

C:\Windows\SysWOW64\Oekiqccc.exe

C:\Windows\system32\Oekiqccc.exe

C:\Windows\SysWOW64\Oifeab32.exe

C:\Windows\system32\Oifeab32.exe

C:\Windows\SysWOW64\Oldamm32.exe

C:\Windows\system32\Oldamm32.exe

C:\Windows\SysWOW64\Oocmii32.exe

C:\Windows\system32\Oocmii32.exe

C:\Windows\SysWOW64\Oboijgbl.exe

C:\Windows\system32\Oboijgbl.exe

C:\Windows\SysWOW64\Oaajed32.exe

C:\Windows\system32\Oaajed32.exe

C:\Windows\SysWOW64\Oihagaji.exe

C:\Windows\system32\Oihagaji.exe

C:\Windows\SysWOW64\Ohkbbn32.exe

C:\Windows\system32\Ohkbbn32.exe

C:\Windows\SysWOW64\Olgncmim.exe

C:\Windows\system32\Olgncmim.exe

C:\Windows\SysWOW64\Ooejohhq.exe

C:\Windows\system32\Ooejohhq.exe

C:\Windows\SysWOW64\Obafpg32.exe

C:\Windows\system32\Obafpg32.exe

C:\Windows\SysWOW64\Oadfkdgd.exe

C:\Windows\system32\Oadfkdgd.exe

C:\Windows\SysWOW64\Oeoblb32.exe

C:\Windows\system32\Oeoblb32.exe

C:\Windows\SysWOW64\Ohnohn32.exe

C:\Windows\system32\Ohnohn32.exe

C:\Windows\SysWOW64\Oklkdi32.exe

C:\Windows\system32\Oklkdi32.exe

C:\Windows\SysWOW64\Oohgdhfn.exe

C:\Windows\system32\Oohgdhfn.exe

C:\Windows\SysWOW64\Obcceg32.exe

C:\Windows\system32\Obcceg32.exe

C:\Windows\SysWOW64\Oeaoab32.exe

C:\Windows\system32\Oeaoab32.exe

C:\Windows\SysWOW64\Oimkbaed.exe

C:\Windows\system32\Oimkbaed.exe

C:\Windows\SysWOW64\Pllgnl32.exe

C:\Windows\system32\Pllgnl32.exe

C:\Windows\SysWOW64\Pojcjh32.exe

C:\Windows\system32\Pojcjh32.exe

C:\Windows\SysWOW64\Pcepkfld.exe

C:\Windows\system32\Pcepkfld.exe

C:\Windows\SysWOW64\Pedlgbkh.exe

C:\Windows\system32\Pedlgbkh.exe

C:\Windows\SysWOW64\Piphgq32.exe

C:\Windows\system32\Piphgq32.exe

C:\Windows\SysWOW64\Phbhcmjl.exe

C:\Windows\system32\Phbhcmjl.exe

C:\Windows\SysWOW64\Plndcl32.exe

C:\Windows\system32\Plndcl32.exe

C:\Windows\SysWOW64\Pchlpfjb.exe

C:\Windows\system32\Pchlpfjb.exe

C:\Windows\SysWOW64\Pakllc32.exe

C:\Windows\system32\Pakllc32.exe

C:\Windows\SysWOW64\Pibdmp32.exe

C:\Windows\system32\Pibdmp32.exe

C:\Windows\SysWOW64\Phedhmhi.exe

C:\Windows\system32\Phedhmhi.exe

C:\Windows\SysWOW64\Pkcadhgm.exe

C:\Windows\system32\Pkcadhgm.exe

C:\Windows\SysWOW64\Poomegpf.exe

C:\Windows\system32\Poomegpf.exe

C:\Windows\SysWOW64\Pcjiff32.exe

C:\Windows\system32\Pcjiff32.exe

C:\Windows\SysWOW64\Peieba32.exe

C:\Windows\system32\Peieba32.exe

C:\Windows\SysWOW64\Phganm32.exe

C:\Windows\system32\Phganm32.exe

C:\Windows\SysWOW64\Pkenjh32.exe

C:\Windows\system32\Pkenjh32.exe

C:\Windows\SysWOW64\Pcmeke32.exe

C:\Windows\system32\Pcmeke32.exe

C:\Windows\SysWOW64\Pekbga32.exe

C:\Windows\system32\Pekbga32.exe

C:\Windows\SysWOW64\Phincl32.exe

C:\Windows\system32\Phincl32.exe

C:\Windows\SysWOW64\Plejdkmm.exe

C:\Windows\system32\Plejdkmm.exe

C:\Windows\SysWOW64\Pocfpf32.exe

C:\Windows\system32\Pocfpf32.exe

C:\Windows\SysWOW64\Pabblb32.exe

C:\Windows\system32\Pabblb32.exe

C:\Windows\SysWOW64\Piijno32.exe

C:\Windows\system32\Piijno32.exe

C:\Windows\SysWOW64\Qofcff32.exe

C:\Windows\system32\Qofcff32.exe

C:\Windows\SysWOW64\Qepkbpak.exe

C:\Windows\system32\Qepkbpak.exe

C:\Windows\SysWOW64\Qhngolpo.exe

C:\Windows\system32\Qhngolpo.exe

C:\Windows\SysWOW64\Qcclld32.exe

C:\Windows\system32\Qcclld32.exe

C:\Windows\SysWOW64\Ajndioga.exe

C:\Windows\system32\Ajndioga.exe

C:\Windows\SysWOW64\Ahqddk32.exe

C:\Windows\system32\Ahqddk32.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Aojlaeei.exe

C:\Windows\system32\Aojlaeei.exe

C:\Windows\SysWOW64\Acfhad32.exe

C:\Windows\system32\Acfhad32.exe

C:\Windows\SysWOW64\Aeddnp32.exe

C:\Windows\system32\Aeddnp32.exe

C:\Windows\SysWOW64\Ajpqnneo.exe

C:\Windows\system32\Ajpqnneo.exe

C:\Windows\SysWOW64\Ahcajk32.exe

C:\Windows\system32\Ahcajk32.exe

C:\Windows\SysWOW64\Akamff32.exe

C:\Windows\system32\Akamff32.exe

C:\Windows\SysWOW64\Aomifecf.exe

C:\Windows\system32\Aomifecf.exe

C:\Windows\SysWOW64\Aakebqbj.exe

C:\Windows\system32\Aakebqbj.exe

C:\Windows\SysWOW64\Afgacokc.exe

C:\Windows\system32\Afgacokc.exe

C:\Windows\SysWOW64\Ajbmdn32.exe

C:\Windows\system32\Ajbmdn32.exe

C:\Windows\SysWOW64\Alqjpi32.exe

C:\Windows\system32\Alqjpi32.exe

C:\Windows\SysWOW64\Akcjkfij.exe

C:\Windows\system32\Akcjkfij.exe

C:\Windows\SysWOW64\Aoofle32.exe

C:\Windows\system32\Aoofle32.exe

C:\Windows\SysWOW64\Ackbmcjl.exe

C:\Windows\system32\Ackbmcjl.exe

C:\Windows\SysWOW64\Afinioip.exe

C:\Windows\system32\Afinioip.exe

C:\Windows\SysWOW64\Ajdjin32.exe

C:\Windows\system32\Ajdjin32.exe

C:\Windows\SysWOW64\Ahgjejhd.exe

C:\Windows\system32\Ahgjejhd.exe

C:\Windows\SysWOW64\Alcfei32.exe

C:\Windows\system32\Alcfei32.exe

C:\Windows\SysWOW64\Aoabad32.exe

C:\Windows\system32\Aoabad32.exe

C:\Windows\SysWOW64\Acmobchj.exe

C:\Windows\system32\Acmobchj.exe

C:\Windows\SysWOW64\Abponp32.exe

C:\Windows\system32\Abponp32.exe

C:\Windows\SysWOW64\Ajggomog.exe

C:\Windows\system32\Ajggomog.exe

C:\Windows\SysWOW64\Ahjgjj32.exe

C:\Windows\system32\Ahjgjj32.exe

C:\Windows\SysWOW64\Akhcfe32.exe

C:\Windows\system32\Akhcfe32.exe

C:\Windows\SysWOW64\Aodogdmn.exe

C:\Windows\system32\Aodogdmn.exe

C:\Windows\SysWOW64\Abbkcpma.exe

C:\Windows\system32\Abbkcpma.exe

C:\Windows\SysWOW64\Bjicdmmd.exe

C:\Windows\system32\Bjicdmmd.exe

C:\Windows\SysWOW64\Bhldpj32.exe

C:\Windows\system32\Bhldpj32.exe

C:\Windows\SysWOW64\Bkkple32.exe

C:\Windows\system32\Bkkple32.exe

C:\Windows\SysWOW64\Bcahmb32.exe

C:\Windows\system32\Bcahmb32.exe

C:\Windows\SysWOW64\Bbdhiojo.exe

C:\Windows\system32\Bbdhiojo.exe

C:\Windows\SysWOW64\Bfpdin32.exe

C:\Windows\system32\Bfpdin32.exe

C:\Windows\SysWOW64\Bhoqeibl.exe

C:\Windows\system32\Bhoqeibl.exe

C:\Windows\SysWOW64\Bljlfh32.exe

C:\Windows\system32\Bljlfh32.exe

C:\Windows\SysWOW64\Bkmmaeap.exe

C:\Windows\system32\Bkmmaeap.exe

C:\Windows\SysWOW64\Bohibc32.exe

C:\Windows\system32\Bohibc32.exe

C:\Windows\SysWOW64\Bcddcbab.exe

C:\Windows\system32\Bcddcbab.exe

C:\Windows\SysWOW64\Bbgeno32.exe

C:\Windows\system32\Bbgeno32.exe

C:\Windows\SysWOW64\Bfbaonae.exe

C:\Windows\system32\Bfbaonae.exe

C:\Windows\SysWOW64\Bjnmpl32.exe

C:\Windows\system32\Bjnmpl32.exe

C:\Windows\SysWOW64\Bhamkipi.exe

C:\Windows\system32\Bhamkipi.exe

C:\Windows\SysWOW64\Bkoigdom.exe

C:\Windows\system32\Bkoigdom.exe

C:\Windows\SysWOW64\Bokehc32.exe

C:\Windows\system32\Bokehc32.exe

C:\Windows\SysWOW64\Bcfahbpo.exe

C:\Windows\system32\Bcfahbpo.exe

C:\Windows\SysWOW64\Bbiado32.exe

C:\Windows\system32\Bbiado32.exe

C:\Windows\SysWOW64\Bfendmoc.exe

C:\Windows\system32\Bfendmoc.exe

C:\Windows\SysWOW64\Bjpjel32.exe

C:\Windows\system32\Bjpjel32.exe

C:\Windows\SysWOW64\Bhcjqinf.exe

C:\Windows\system32\Bhcjqinf.exe

C:\Windows\SysWOW64\Bkafmd32.exe

C:\Windows\system32\Bkafmd32.exe

C:\Windows\SysWOW64\Bombmcec.exe

C:\Windows\system32\Bombmcec.exe

C:\Windows\SysWOW64\Bcinna32.exe

C:\Windows\system32\Bcinna32.exe

C:\Windows\SysWOW64\Bblnindg.exe

C:\Windows\system32\Bblnindg.exe

C:\Windows\SysWOW64\Bfgjjm32.exe

C:\Windows\system32\Bfgjjm32.exe

C:\Windows\SysWOW64\Bjbfklei.exe

C:\Windows\system32\Bjbfklei.exe

C:\Windows\SysWOW64\Bmabggdm.exe

C:\Windows\system32\Bmabggdm.exe

C:\Windows\SysWOW64\Bkdcbd32.exe

C:\Windows\system32\Bkdcbd32.exe

C:\Windows\SysWOW64\Bopocbcq.exe

C:\Windows\system32\Bopocbcq.exe

C:\Windows\SysWOW64\Bckkca32.exe

C:\Windows\system32\Bckkca32.exe

C:\Windows\SysWOW64\Cfigpm32.exe

C:\Windows\system32\Cfigpm32.exe

C:\Windows\SysWOW64\Cjecpkcg.exe

C:\Windows\system32\Cjecpkcg.exe

C:\Windows\SysWOW64\Cmcolgbj.exe

C:\Windows\system32\Cmcolgbj.exe

C:\Windows\SysWOW64\Ckfphc32.exe

C:\Windows\system32\Ckfphc32.exe

C:\Windows\SysWOW64\Ccmgiaig.exe

C:\Windows\system32\Ccmgiaig.exe

C:\Windows\SysWOW64\Cbphdn32.exe

C:\Windows\system32\Cbphdn32.exe

C:\Windows\SysWOW64\Cfldelik.exe

C:\Windows\system32\Cfldelik.exe

C:\Windows\SysWOW64\Cijpahho.exe

C:\Windows\system32\Cijpahho.exe

C:\Windows\SysWOW64\Cmflbf32.exe

C:\Windows\system32\Cmflbf32.exe

C:\Windows\SysWOW64\Ckilmcgb.exe

C:\Windows\system32\Ckilmcgb.exe

C:\Windows\SysWOW64\Ccpdoqgd.exe

C:\Windows\system32\Ccpdoqgd.exe

C:\Windows\SysWOW64\Cbbdjm32.exe

C:\Windows\system32\Cbbdjm32.exe

C:\Windows\SysWOW64\Cfnqklgh.exe

C:\Windows\system32\Cfnqklgh.exe

C:\Windows\SysWOW64\Cjjlkk32.exe

C:\Windows\system32\Cjjlkk32.exe

C:\Windows\SysWOW64\Cmhigf32.exe

C:\Windows\system32\Cmhigf32.exe

C:\Windows\SysWOW64\Ckkiccep.exe

C:\Windows\system32\Ckkiccep.exe

C:\Windows\SysWOW64\Ccbadp32.exe

C:\Windows\system32\Ccbadp32.exe

C:\Windows\SysWOW64\Cbeapmll.exe

C:\Windows\system32\Cbeapmll.exe

C:\Windows\SysWOW64\Cfqmpl32.exe

C:\Windows\system32\Cfqmpl32.exe

C:\Windows\SysWOW64\Cjliajmo.exe

C:\Windows\system32\Cjliajmo.exe

C:\Windows\SysWOW64\Cioilg32.exe

C:\Windows\system32\Cioilg32.exe

C:\Windows\SysWOW64\Ckmehb32.exe

C:\Windows\system32\Ckmehb32.exe

C:\Windows\SysWOW64\Ccdnjp32.exe

C:\Windows\system32\Ccdnjp32.exe

C:\Windows\SysWOW64\Cfcjfk32.exe

C:\Windows\system32\Cfcjfk32.exe

C:\Windows\SysWOW64\Ciafbg32.exe

C:\Windows\system32\Ciafbg32.exe

C:\Windows\SysWOW64\Cmmbbejp.exe

C:\Windows\system32\Cmmbbejp.exe

C:\Windows\SysWOW64\Coknoaic.exe

C:\Windows\system32\Coknoaic.exe

C:\Windows\SysWOW64\Dbjkkl32.exe

C:\Windows\system32\Dbjkkl32.exe

C:\Windows\SysWOW64\Diccgfpd.exe

C:\Windows\system32\Diccgfpd.exe

C:\Windows\SysWOW64\Dkbocbog.exe

C:\Windows\system32\Dkbocbog.exe

C:\Windows\SysWOW64\Dcigeooj.exe

C:\Windows\system32\Dcigeooj.exe

C:\Windows\SysWOW64\Djcoai32.exe

C:\Windows\system32\Djcoai32.exe

C:\Windows\SysWOW64\Dmalne32.exe

C:\Windows\system32\Dmalne32.exe

C:\Windows\SysWOW64\Dpphjp32.exe

C:\Windows\system32\Dpphjp32.exe

C:\Windows\SysWOW64\Dbndfl32.exe

C:\Windows\system32\Dbndfl32.exe

C:\Windows\SysWOW64\Djelgied.exe

C:\Windows\system32\Djelgied.exe

C:\Windows\SysWOW64\Dlghoa32.exe

C:\Windows\system32\Dlghoa32.exe

C:\Windows\SysWOW64\Dflmlj32.exe

C:\Windows\system32\Dflmlj32.exe

C:\Windows\SysWOW64\Dikihe32.exe

C:\Windows\system32\Dikihe32.exe

C:\Windows\SysWOW64\Dlieda32.exe

C:\Windows\system32\Dlieda32.exe

C:\Windows\SysWOW64\Dfoiaj32.exe

C:\Windows\system32\Dfoiaj32.exe

C:\Windows\SysWOW64\Dimenegi.exe

C:\Windows\system32\Dimenegi.exe

C:\Windows\SysWOW64\Ecbjkngo.exe

C:\Windows\system32\Ecbjkngo.exe

C:\Windows\SysWOW64\Eiobceef.exe

C:\Windows\system32\Eiobceef.exe

C:\Windows\SysWOW64\Ecefqnel.exe

C:\Windows\system32\Ecefqnel.exe

C:\Windows\SysWOW64\Elpkep32.exe

C:\Windows\system32\Elpkep32.exe

C:\Windows\SysWOW64\Ebjcajjd.exe

C:\Windows\system32\Ebjcajjd.exe

C:\Windows\SysWOW64\Eidlnd32.exe

C:\Windows\system32\Eidlnd32.exe

C:\Windows\SysWOW64\Eblpgjha.exe

C:\Windows\system32\Eblpgjha.exe

C:\Windows\SysWOW64\Eppqqn32.exe

C:\Windows\system32\Eppqqn32.exe

C:\Windows\SysWOW64\Elgaeolp.exe

C:\Windows\system32\Elgaeolp.exe

C:\Windows\SysWOW64\Ffmfchle.exe

C:\Windows\system32\Ffmfchle.exe

C:\Windows\SysWOW64\Fbcfhibj.exe

C:\Windows\system32\Fbcfhibj.exe

C:\Windows\SysWOW64\Fmikeaap.exe

C:\Windows\system32\Fmikeaap.exe

C:\Windows\SysWOW64\Fbfcmhpg.exe

C:\Windows\system32\Fbfcmhpg.exe

C:\Windows\SysWOW64\Fjmkoeqi.exe

C:\Windows\system32\Fjmkoeqi.exe

C:\Windows\SysWOW64\Fjohde32.exe

C:\Windows\system32\Fjohde32.exe

C:\Windows\SysWOW64\Flqdlnde.exe

C:\Windows\system32\Flqdlnde.exe

C:\Windows\SysWOW64\Fplpll32.exe

C:\Windows\system32\Fplpll32.exe

C:\Windows\SysWOW64\Fideeaco.exe

C:\Windows\system32\Fideeaco.exe

C:\Windows\SysWOW64\Gdjibj32.exe

C:\Windows\system32\Gdjibj32.exe

C:\Windows\SysWOW64\Gpqjglii.exe

C:\Windows\system32\Gpqjglii.exe

C:\Windows\SysWOW64\Gbofcghl.exe

C:\Windows\system32\Gbofcghl.exe

C:\Windows\SysWOW64\Giinpa32.exe

C:\Windows\system32\Giinpa32.exe

C:\Windows\SysWOW64\Gbabigfj.exe

C:\Windows\system32\Gbabigfj.exe

C:\Windows\SysWOW64\Gikkfqmf.exe

C:\Windows\system32\Gikkfqmf.exe

C:\Windows\SysWOW64\Gdaociml.exe

C:\Windows\system32\Gdaociml.exe

C:\Windows\SysWOW64\Gingkqkd.exe

C:\Windows\system32\Gingkqkd.exe

C:\Windows\SysWOW64\Gdcliikj.exe

C:\Windows\system32\Gdcliikj.exe

C:\Windows\SysWOW64\Gkmdecbg.exe

C:\Windows\system32\Gkmdecbg.exe

C:\Windows\SysWOW64\Gipdap32.exe

C:\Windows\system32\Gipdap32.exe

C:\Windows\SysWOW64\Hloqml32.exe

C:\Windows\system32\Hloqml32.exe

C:\Windows\SysWOW64\Hpjmnjqn.exe

C:\Windows\system32\Hpjmnjqn.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hplicjok.exe

C:\Windows\system32\Hplicjok.exe

C:\Windows\SysWOW64\Hkbmqb32.exe

C:\Windows\system32\Hkbmqb32.exe

C:\Windows\SysWOW64\Hpofii32.exe

C:\Windows\system32\Hpofii32.exe

C:\Windows\SysWOW64\Hcmbee32.exe

C:\Windows\system32\Hcmbee32.exe

C:\Windows\SysWOW64\Higjaoci.exe

C:\Windows\system32\Higjaoci.exe

C:\Windows\SysWOW64\Hpabni32.exe

C:\Windows\system32\Hpabni32.exe

C:\Windows\SysWOW64\Hgkkkcbc.exe

C:\Windows\system32\Hgkkkcbc.exe

C:\Windows\SysWOW64\Hpcodihc.exe

C:\Windows\system32\Hpcodihc.exe

C:\Windows\SysWOW64\Hkicaahi.exe

C:\Windows\system32\Hkicaahi.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Iljpij32.exe

C:\Windows\system32\Iljpij32.exe

C:\Windows\SysWOW64\Icdheded.exe

C:\Windows\system32\Icdheded.exe

C:\Windows\SysWOW64\Iinqbn32.exe

C:\Windows\system32\Iinqbn32.exe

C:\Windows\SysWOW64\Ilmmni32.exe

C:\Windows\system32\Ilmmni32.exe

C:\Windows\SysWOW64\Igbalblk.exe

C:\Windows\system32\Igbalblk.exe

C:\Windows\SysWOW64\Iloidijb.exe

C:\Windows\system32\Iloidijb.exe

C:\Windows\SysWOW64\Ikpjbq32.exe

C:\Windows\system32\Ikpjbq32.exe

C:\Windows\SysWOW64\Icknfcol.exe

C:\Windows\system32\Icknfcol.exe

C:\Windows\SysWOW64\Inqbclob.exe

C:\Windows\system32\Inqbclob.exe

C:\Windows\SysWOW64\Igigla32.exe

C:\Windows\system32\Igigla32.exe

C:\Windows\SysWOW64\Jpaleglc.exe

C:\Windows\system32\Jpaleglc.exe

C:\Windows\SysWOW64\Jkgpbp32.exe

C:\Windows\system32\Jkgpbp32.exe

C:\Windows\SysWOW64\Jdodkebj.exe

C:\Windows\system32\Jdodkebj.exe

C:\Windows\SysWOW64\Jkimho32.exe

C:\Windows\system32\Jkimho32.exe

C:\Windows\SysWOW64\Jlkipgpe.exe

C:\Windows\system32\Jlkipgpe.exe

C:\Windows\SysWOW64\Jdaaaeqg.exe

C:\Windows\system32\Jdaaaeqg.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jjafok32.exe

C:\Windows\system32\Jjafok32.exe

C:\Windows\SysWOW64\Jlobkg32.exe

C:\Windows\system32\Jlobkg32.exe

C:\Windows\SysWOW64\Kjccdkki.exe

C:\Windows\system32\Kjccdkki.exe

C:\Windows\SysWOW64\Kclgmq32.exe

C:\Windows\system32\Kclgmq32.exe

C:\Windows\SysWOW64\Knalji32.exe

C:\Windows\system32\Knalji32.exe

C:\Windows\SysWOW64\Kdkdgchl.exe

C:\Windows\system32\Kdkdgchl.exe

C:\Windows\SysWOW64\Kgipcogp.exe

C:\Windows\system32\Kgipcogp.exe

C:\Windows\SysWOW64\Kmfhkf32.exe

C:\Windows\system32\Kmfhkf32.exe

C:\Windows\SysWOW64\Kkgiimng.exe

C:\Windows\system32\Kkgiimng.exe

C:\Windows\SysWOW64\Kjjiej32.exe

C:\Windows\system32\Kjjiej32.exe

C:\Windows\SysWOW64\Kmieae32.exe

C:\Windows\system32\Kmieae32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Knhakh32.exe

C:\Windows\system32\Knhakh32.exe

C:\Windows\SysWOW64\Ljobpiql.exe

C:\Windows\system32\Ljobpiql.exe

C:\Windows\SysWOW64\Lqikmc32.exe

C:\Windows\system32\Lqikmc32.exe

C:\Windows\SysWOW64\Ljaoeini.exe

C:\Windows\system32\Ljaoeini.exe

C:\Windows\SysWOW64\Lmpkadnm.exe

C:\Windows\system32\Lmpkadnm.exe

C:\Windows\SysWOW64\Ldgccb32.exe

C:\Windows\system32\Ldgccb32.exe

C:\Windows\SysWOW64\Ljclki32.exe

C:\Windows\system32\Ljclki32.exe

C:\Windows\SysWOW64\Lkchelci.exe

C:\Windows\system32\Lkchelci.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Lkeekk32.exe

C:\Windows\system32\Lkeekk32.exe

C:\Windows\SysWOW64\Lmgabcge.exe

C:\Windows\system32\Lmgabcge.exe

C:\Windows\SysWOW64\Lenicahg.exe

C:\Windows\system32\Lenicahg.exe

C:\Windows\SysWOW64\Mcqjon32.exe

C:\Windows\system32\Mcqjon32.exe

C:\Windows\SysWOW64\Mkhapk32.exe

C:\Windows\system32\Mkhapk32.exe

C:\Windows\SysWOW64\Mjkblhfo.exe

C:\Windows\system32\Mjkblhfo.exe

C:\Windows\SysWOW64\Madjhb32.exe

C:\Windows\system32\Madjhb32.exe

C:\Windows\SysWOW64\Mepfiq32.exe

C:\Windows\system32\Mepfiq32.exe

C:\Windows\SysWOW64\Mccfdmmo.exe

C:\Windows\system32\Mccfdmmo.exe

C:\Windows\SysWOW64\Mkjnfkma.exe

C:\Windows\system32\Mkjnfkma.exe

C:\Windows\SysWOW64\Mmkkmc32.exe

C:\Windows\system32\Mmkkmc32.exe

C:\Windows\SysWOW64\Mcecjmkl.exe

C:\Windows\system32\Mcecjmkl.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mnkggfkb.exe

C:\Windows\system32\Mnkggfkb.exe

C:\Windows\SysWOW64\Mmnhcb32.exe

C:\Windows\system32\Mmnhcb32.exe

C:\Windows\SysWOW64\Mgclpkac.exe

C:\Windows\system32\Mgclpkac.exe

C:\Windows\SysWOW64\Mjahlgpf.exe

C:\Windows\system32\Mjahlgpf.exe

C:\Windows\SysWOW64\Malpia32.exe

C:\Windows\system32\Malpia32.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Mjdebfnd.exe

C:\Windows\system32\Mjdebfnd.exe

C:\Windows\SysWOW64\Manmoq32.exe

C:\Windows\system32\Manmoq32.exe

C:\Windows\SysWOW64\Nclikl32.exe

C:\Windows\system32\Nclikl32.exe

C:\Windows\SysWOW64\Nlcalieg.exe

C:\Windows\system32\Nlcalieg.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Ncofplba.exe

C:\Windows\system32\Ncofplba.exe

C:\Windows\SysWOW64\Nlfnaicd.exe

C:\Windows\system32\Nlfnaicd.exe

C:\Windows\SysWOW64\Nndjndbh.exe

C:\Windows\system32\Nndjndbh.exe

C:\Windows\SysWOW64\Nenbjo32.exe

C:\Windows\system32\Nenbjo32.exe

C:\Windows\SysWOW64\Nhmofj32.exe

C:\Windows\system32\Nhmofj32.exe

C:\Windows\SysWOW64\Nnfgcd32.exe

C:\Windows\system32\Nnfgcd32.exe

C:\Windows\SysWOW64\Nhokljge.exe

C:\Windows\system32\Nhokljge.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Nmnqjp32.exe

C:\Windows\system32\Nmnqjp32.exe

C:\Windows\SysWOW64\Ohcegi32.exe

C:\Windows\system32\Ohcegi32.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Oeheqm32.exe

C:\Windows\system32\Oeheqm32.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oelolmnd.exe

C:\Windows\system32\Oelolmnd.exe

C:\Windows\SysWOW64\Ojigdcll.exe

C:\Windows\system32\Ojigdcll.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Paelfmaf.exe

C:\Windows\system32\Paelfmaf.exe

C:\Windows\SysWOW64\Pknqoc32.exe

C:\Windows\system32\Pknqoc32.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Ponfka32.exe

C:\Windows\system32\Ponfka32.exe

C:\Windows\SysWOW64\Pkegpb32.exe

C:\Windows\system32\Pkegpb32.exe

C:\Windows\SysWOW64\Pkgcea32.exe

C:\Windows\system32\Pkgcea32.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qaalblgi.exe

C:\Windows\system32\Qaalblgi.exe

C:\Windows\SysWOW64\Qhkdof32.exe

C:\Windows\system32\Qhkdof32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Aogiap32.exe

C:\Windows\system32\Aogiap32.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Ahdged32.exe

C:\Windows\system32\Ahdged32.exe

C:\Windows\SysWOW64\Akccap32.exe

C:\Windows\system32\Akccap32.exe

C:\Windows\SysWOW64\Anaomkdb.exe

C:\Windows\system32\Anaomkdb.exe

C:\Windows\SysWOW64\Aehgnied.exe

C:\Windows\system32\Aehgnied.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Akepfpcl.exe

C:\Windows\system32\Akepfpcl.exe

C:\Windows\SysWOW64\Aoalgn32.exe

C:\Windows\system32\Aoalgn32.exe

C:\Windows\SysWOW64\Aaohcj32.exe

C:\Windows\system32\Aaohcj32.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Bochmn32.exe

C:\Windows\system32\Bochmn32.exe

C:\Windows\SysWOW64\Bnfihkqm.exe

C:\Windows\system32\Bnfihkqm.exe

C:\Windows\SysWOW64\Bemqih32.exe

C:\Windows\system32\Bemqih32.exe

C:\Windows\SysWOW64\Bhkmec32.exe

C:\Windows\system32\Bhkmec32.exe

C:\Windows\SysWOW64\Bkjiao32.exe

C:\Windows\system32\Bkjiao32.exe

C:\Windows\SysWOW64\Bnhenj32.exe

C:\Windows\system32\Bnhenj32.exe

C:\Windows\SysWOW64\Bepmoh32.exe

C:\Windows\system32\Bepmoh32.exe

C:\Windows\SysWOW64\Blielbfi.exe

C:\Windows\system32\Blielbfi.exe

C:\Windows\SysWOW64\Bohbhmfm.exe

C:\Windows\system32\Bohbhmfm.exe

C:\Windows\SysWOW64\Bafndi32.exe

C:\Windows\system32\Bafndi32.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bkobmnka.exe

C:\Windows\system32\Bkobmnka.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bahkih32.exe

C:\Windows\system32\Bahkih32.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Cnahdi32.exe

C:\Windows\system32\Cnahdi32.exe

C:\Windows\SysWOW64\Cdlqqcnl.exe

C:\Windows\system32\Cdlqqcnl.exe

C:\Windows\SysWOW64\Chglab32.exe

C:\Windows\system32\Chglab32.exe

C:\Windows\SysWOW64\Ckhecmcf.exe

C:\Windows\system32\Ckhecmcf.exe

C:\Windows\SysWOW64\Cbdjeg32.exe

C:\Windows\system32\Cbdjeg32.exe

C:\Windows\SysWOW64\Cdbfab32.exe

C:\Windows\system32\Cdbfab32.exe

C:\Windows\SysWOW64\Cnkkjh32.exe

C:\Windows\system32\Cnkkjh32.exe

C:\Windows\SysWOW64\Dbicpfdk.exe

C:\Windows\system32\Dbicpfdk.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Dnpdegjp.exe

C:\Windows\system32\Dnpdegjp.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Deqcbpld.exe

C:\Windows\system32\Deqcbpld.exe

C:\Windows\SysWOW64\Ebdcld32.exe

C:\Windows\system32\Ebdcld32.exe

C:\Windows\SysWOW64\Emmdom32.exe

C:\Windows\system32\Emmdom32.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Eejeiocj.exe

C:\Windows\system32\Eejeiocj.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\system32\Ekdnei32.exe

C:\Windows\SysWOW64\Efjbcakl.exe

C:\Windows\system32\Efjbcakl.exe

C:\Windows\SysWOW64\Fmcjpl32.exe

C:\Windows\system32\Fmcjpl32.exe

C:\Windows\SysWOW64\Fpbflg32.exe

C:\Windows\system32\Fpbflg32.exe

C:\Windows\SysWOW64\Feoodn32.exe

C:\Windows\system32\Feoodn32.exe

C:\Windows\SysWOW64\Fngcmcfe.exe

C:\Windows\system32\Fngcmcfe.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fnipbc32.exe

C:\Windows\system32\Fnipbc32.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fiaael32.exe

C:\Windows\system32\Fiaael32.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gehbjm32.exe

C:\Windows\system32\Gehbjm32.exe

C:\Windows\SysWOW64\Glbjggof.exe

C:\Windows\system32\Glbjggof.exe

C:\Windows\SysWOW64\Gfhndpol.exe

C:\Windows\system32\Gfhndpol.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gncchb32.exe

C:\Windows\system32\Gncchb32.exe

C:\Windows\SysWOW64\Gihgfk32.exe

C:\Windows\system32\Gihgfk32.exe

C:\Windows\SysWOW64\Glgcbf32.exe

C:\Windows\system32\Glgcbf32.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Geohklaa.exe

C:\Windows\system32\Geohklaa.exe

C:\Windows\SysWOW64\Glipgf32.exe

C:\Windows\system32\Glipgf32.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Glkmmefl.exe

C:\Windows\system32\Glkmmefl.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hlnjbedi.exe

C:\Windows\system32\Hlnjbedi.exe

C:\Windows\SysWOW64\Hpiecd32.exe

C:\Windows\system32\Hpiecd32.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hmmfmhll.exe

C:\Windows\system32\Hmmfmhll.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hffken32.exe

C:\Windows\system32\Hffken32.exe

C:\Windows\SysWOW64\Hidgai32.exe

C:\Windows\system32\Hidgai32.exe

C:\Windows\SysWOW64\Hlbcnd32.exe

C:\Windows\system32\Hlbcnd32.exe

C:\Windows\SysWOW64\Hblkjo32.exe

C:\Windows\system32\Hblkjo32.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hlepcdoa.exe

C:\Windows\system32\Hlepcdoa.exe

C:\Windows\SysWOW64\Hoclopne.exe

C:\Windows\system32\Hoclopne.exe

C:\Windows\SysWOW64\Hemdlj32.exe

C:\Windows\system32\Hemdlj32.exe

C:\Windows\SysWOW64\Hmdlmg32.exe

C:\Windows\system32\Hmdlmg32.exe

C:\Windows\SysWOW64\Hpchib32.exe

C:\Windows\system32\Hpchib32.exe

C:\Windows\SysWOW64\Ifmqfm32.exe

C:\Windows\system32\Ifmqfm32.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Ipeeobbe.exe

C:\Windows\system32\Ipeeobbe.exe

C:\Windows\SysWOW64\Ifomll32.exe

C:\Windows\system32\Ifomll32.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Iojbpo32.exe

C:\Windows\system32\Iojbpo32.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Imkbnf32.exe

C:\Windows\system32\Imkbnf32.exe

C:\Windows\SysWOW64\Ipjoja32.exe

C:\Windows\system32\Ipjoja32.exe

C:\Windows\SysWOW64\Igdgglfl.exe

C:\Windows\system32\Igdgglfl.exe

C:\Windows\SysWOW64\Iibccgep.exe

C:\Windows\system32\Iibccgep.exe

C:\Windows\SysWOW64\Ilqoobdd.exe

C:\Windows\system32\Ilqoobdd.exe

C:\Windows\SysWOW64\Ioolkncg.exe

C:\Windows\system32\Ioolkncg.exe

C:\Windows\SysWOW64\Ieidhh32.exe

C:\Windows\system32\Ieidhh32.exe

C:\Windows\SysWOW64\Impliekg.exe

C:\Windows\system32\Impliekg.exe

C:\Windows\SysWOW64\Joahqn32.exe

C:\Windows\system32\Joahqn32.exe

C:\Windows\SysWOW64\Jghpbk32.exe

C:\Windows\system32\Jghpbk32.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jcoaglhk.exe

C:\Windows\system32\Jcoaglhk.exe

C:\Windows\SysWOW64\Jenmcggo.exe

C:\Windows\system32\Jenmcggo.exe

C:\Windows\SysWOW64\Jmeede32.exe

C:\Windows\system32\Jmeede32.exe

C:\Windows\SysWOW64\Jlgepanl.exe

C:\Windows\system32\Jlgepanl.exe

C:\Windows\SysWOW64\Jgmjmjnb.exe

C:\Windows\system32\Jgmjmjnb.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Jcdjbk32.exe

C:\Windows\system32\Jcdjbk32.exe

C:\Windows\SysWOW64\Jebfng32.exe

C:\Windows\system32\Jebfng32.exe

C:\Windows\SysWOW64\Jniood32.exe

C:\Windows\system32\Jniood32.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jgbchj32.exe

C:\Windows\system32\Jgbchj32.exe

C:\Windows\SysWOW64\Jedccfqg.exe

C:\Windows\system32\Jedccfqg.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Knnhjcog.exe

C:\Windows\system32\Knnhjcog.exe

C:\Windows\SysWOW64\Koodbl32.exe

C:\Windows\system32\Koodbl32.exe

C:\Windows\SysWOW64\Keimof32.exe

C:\Windows\system32\Keimof32.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Kgiiiidd.exe

C:\Windows\system32\Kgiiiidd.exe

C:\Windows\SysWOW64\Kncaec32.exe

C:\Windows\system32\Kncaec32.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Kjjbjd32.exe

C:\Windows\system32\Kjjbjd32.exe

C:\Windows\SysWOW64\Klhnfo32.exe

C:\Windows\system32\Klhnfo32.exe

C:\Windows\SysWOW64\Kcbfcigf.exe

C:\Windows\system32\Kcbfcigf.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Loighj32.exe

C:\Windows\system32\Loighj32.exe

C:\Windows\SysWOW64\Lgpoihnl.exe

C:\Windows\system32\Lgpoihnl.exe

C:\Windows\SysWOW64\Ljnlecmp.exe

C:\Windows\system32\Ljnlecmp.exe

C:\Windows\SysWOW64\Lqhdbm32.exe

C:\Windows\system32\Lqhdbm32.exe

C:\Windows\SysWOW64\Lcgpni32.exe

C:\Windows\system32\Lcgpni32.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\system32\Llodgnja.exe

C:\Windows\SysWOW64\Lomqcjie.exe

C:\Windows\system32\Lomqcjie.exe

C:\Windows\SysWOW64\Lgdidgjg.exe

C:\Windows\system32\Lgdidgjg.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lmaamn32.exe

C:\Windows\system32\Lmaamn32.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Lqojclne.exe

C:\Windows\system32\Lqojclne.exe

C:\Windows\SysWOW64\Lgibpf32.exe

C:\Windows\system32\Lgibpf32.exe

C:\Windows\SysWOW64\Lncjlq32.exe

C:\Windows\system32\Lncjlq32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mqdcnl32.exe

C:\Windows\system32\Mqdcnl32.exe

C:\Windows\SysWOW64\Mgnlkfal.exe

C:\Windows\system32\Mgnlkfal.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Mcelpggq.exe

C:\Windows\system32\Mcelpggq.exe

C:\Windows\SysWOW64\Mfchlbfd.exe

C:\Windows\system32\Mfchlbfd.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mqimikfj.exe

C:\Windows\system32\Mqimikfj.exe

C:\Windows\SysWOW64\Mgbefe32.exe

C:\Windows\system32\Mgbefe32.exe

C:\Windows\SysWOW64\Mjaabq32.exe

C:\Windows\system32\Mjaabq32.exe

C:\Windows\SysWOW64\Mmpmnl32.exe

C:\Windows\system32\Mmpmnl32.exe

C:\Windows\SysWOW64\Mcifkf32.exe

C:\Windows\system32\Mcifkf32.exe

C:\Windows\SysWOW64\Mgeakekd.exe

C:\Windows\system32\Mgeakekd.exe

C:\Windows\SysWOW64\Nnojho32.exe

C:\Windows\system32\Nnojho32.exe

C:\Windows\SysWOW64\Nqmfdj32.exe

C:\Windows\system32\Nqmfdj32.exe

C:\Windows\SysWOW64\Nclbpf32.exe

C:\Windows\system32\Nclbpf32.exe

C:\Windows\SysWOW64\Nfjola32.exe

C:\Windows\system32\Nfjola32.exe

C:\Windows\SysWOW64\Nnafno32.exe

C:\Windows\system32\Nnafno32.exe

C:\Windows\SysWOW64\Nqpcjj32.exe

C:\Windows\system32\Nqpcjj32.exe

C:\Windows\SysWOW64\Ncnofeof.exe

C:\Windows\system32\Ncnofeof.exe

C:\Windows\SysWOW64\Nflkbanj.exe

C:\Windows\system32\Nflkbanj.exe

C:\Windows\SysWOW64\Nmfcok32.exe

C:\Windows\system32\Nmfcok32.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Nadleilm.exe

C:\Windows\system32\Nadleilm.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Ojajin32.exe

C:\Windows\system32\Ojajin32.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Ofhknodl.exe

C:\Windows\system32\Ofhknodl.exe

C:\Windows\SysWOW64\Onocomdo.exe

C:\Windows\system32\Onocomdo.exe

C:\Windows\SysWOW64\Oanokhdb.exe

C:\Windows\system32\Oanokhdb.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Ofkgcobj.exe

C:\Windows\system32\Ofkgcobj.exe

C:\Windows\SysWOW64\Omdppiif.exe

C:\Windows\system32\Omdppiif.exe

C:\Windows\SysWOW64\Opclldhj.exe

C:\Windows\system32\Opclldhj.exe

C:\Windows\SysWOW64\Ogjdmbil.exe

C:\Windows\system32\Ogjdmbil.exe

C:\Windows\SysWOW64\Ojhpimhp.exe

C:\Windows\system32\Ojhpimhp.exe

C:\Windows\SysWOW64\Omgmeigd.exe

C:\Windows\system32\Omgmeigd.exe

C:\Windows\SysWOW64\Opeiadfg.exe

C:\Windows\system32\Opeiadfg.exe

C:\Windows\SysWOW64\Ohlqcagj.exe

C:\Windows\system32\Ohlqcagj.exe

C:\Windows\SysWOW64\Pjkmomfn.exe

C:\Windows\system32\Pjkmomfn.exe

C:\Windows\SysWOW64\Pmiikh32.exe

C:\Windows\system32\Pmiikh32.exe

C:\Windows\SysWOW64\Ppgegd32.exe

C:\Windows\system32\Ppgegd32.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pmlfqh32.exe

C:\Windows\system32\Pmlfqh32.exe

C:\Windows\SysWOW64\Ppjbmc32.exe

C:\Windows\system32\Ppjbmc32.exe

C:\Windows\SysWOW64\Pfdjinjo.exe

C:\Windows\system32\Pfdjinjo.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Pffgom32.exe

C:\Windows\system32\Pffgom32.exe

C:\Windows\SysWOW64\Pnmopk32.exe

C:\Windows\system32\Pnmopk32.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pjdpelnc.exe

C:\Windows\system32\Pjdpelnc.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qjfmkk32.exe

C:\Windows\system32\Qjfmkk32.exe

C:\Windows\SysWOW64\Qmeigg32.exe

C:\Windows\system32\Qmeigg32.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qfmmplad.exe

C:\Windows\system32\Qfmmplad.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Qacameaj.exe

C:\Windows\system32\Qacameaj.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aaenbd32.exe

C:\Windows\system32\Aaenbd32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Apjkcadp.exe

C:\Windows\system32\Apjkcadp.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Aokkahlo.exe

C:\Windows\system32\Aokkahlo.exe

C:\Windows\SysWOW64\Apmhiq32.exe

C:\Windows\system32\Apmhiq32.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Akblfj32.exe

C:\Windows\system32\Akblfj32.exe

C:\Windows\SysWOW64\Amqhbe32.exe

C:\Windows\system32\Amqhbe32.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Baannc32.exe

C:\Windows\system32\Baannc32.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bpfkpp32.exe

C:\Windows\system32\Bpfkpp32.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Bmjkic32.exe

C:\Windows\system32\Bmjkic32.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bhpofl32.exe

C:\Windows\system32\Bhpofl32.exe

C:\Windows\SysWOW64\Bknlbhhe.exe

C:\Windows\system32\Bknlbhhe.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Cdimqm32.exe

C:\Windows\system32\Cdimqm32.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Conanfli.exe

C:\Windows\system32\Conanfli.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Coqncejg.exe

C:\Windows\system32\Coqncejg.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Cglbhhga.exe

C:\Windows\system32\Cglbhhga.exe

C:\Windows\SysWOW64\Cocjiehd.exe

C:\Windows\system32\Cocjiehd.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Coegoe32.exe

C:\Windows\system32\Coegoe32.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cklhcfle.exe

C:\Windows\system32\Cklhcfle.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dpiplm32.exe

C:\Windows\system32\Dpiplm32.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dkndie32.exe

C:\Windows\system32\Dkndie32.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Dgeenfog.exe

C:\Windows\system32\Dgeenfog.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 13976 -ip 13976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13976 -s 224

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4432-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4512-16-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4740-33-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mbgjbkfg.exe

MD5 d49267900ccffec2fc14f93934cd37ba
SHA1 92b59ccadc2cc1380d60ecdae6b8b06a8be9c8b3
SHA256 5c9ec29b23cd69775fe45f27c2963b8fe24b4f97c63c35f05ec0a5ef542c425c
SHA512 f9ec84f215e6591bf1b714685a22294ac5023665c3cc7c5e83bfd092a39a1cac991aba8be542a054ae8d9708dc8aeb100e124fac1e1690e34646b757bd425034

memory/768-25-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mjpbam32.exe

MD5 e366dbfe5f27838d0aa3bf3db097a6c2
SHA1 e8d46611cd26b4d6834fb83e4eab367fbf1afdd2
SHA256 aea219b2c9826e1f05f59fc8005852853ed4acddd818ad973ef06cf99c64ab94
SHA512 b9da70c450dd09e7114cfc954b3c655c37f6b896b90291169734ec92ec0ffb65abda937b7aaf14204b1d1c8af3fd685bc825cc5b7a8bf5d20149249a4727a309

C:\Windows\SysWOW64\Maodigil.exe

MD5 b45b1410496d5459f4d99175ae085eb0
SHA1 e94b36dda9b971b67118d98c6f9b5f86cbcdb1bb
SHA256 36bbb2c09c0b82863bc56db8ceac8c537dbe96ce4cff08521ca1d186c7194daf
SHA512 9f893a6bf8807fe0caa8191ce00e44a96712a6bb233bca99cbc85380aec7d12abdb66f12d7c38c963eb167b04aa37d241308efcdac2ba1ea1c311ba0e1127d7b

memory/2136-64-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2028-88-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Njghbl32.exe

MD5 1ad6ede6a7fb40f87a0804bacb4802ef
SHA1 03d0602ce6b81216bbfdf27d869dc8aa02180ead
SHA256 4dbeff93a15f3ef0f22393f10d2b071876efe66affa6c76e8258ae399d8a8a34
SHA512 4ef5bd1633c8b61ee518f9fa0ab41e0219a4f8f0b688750ebfa90cb591281f74d8ecae52a97fd26e7b329520b55cda44027fb638836e81bf84f51ada5ba3b2c1

C:\Windows\SysWOW64\Nemmoe32.exe

MD5 5014bdc1abcf7083a631fb64e6fae2ed
SHA1 f006050e66ac8ed9cba76b166af8988a8cbe26b6
SHA256 64d830c83940cfa2194e2c370f27ba5673cbc9a811e631d0f84d6012041f7b2a
SHA512 34fa63d98e8f58d0c08432911a9789caa826bcf4db5a66b98beae0b1490a03c2958e4e52177ef2862978a2830dce135ff9ca6201ec6a1bf29697d56904621f78

C:\Windows\SysWOW64\Nihipdhl.exe

MD5 d84f0cf18bf0f31e89eedbb5ff057ba4
SHA1 e94b1c0d5c3ca5e7740fc07a91bdcad6afe0bbb2
SHA256 dcf5fc66b793442ba01f1ef00bd2dce66829624cac6d8a4e9d3d66f4add6cc6e
SHA512 b7a003ff5cbd199392b803820cf28e6dc8277709076d8651a805a5aa5b7a814441e7a74f177c39207917b3233640a558905029ef4d3186bd328ae7bb603748f5

C:\Windows\SysWOW64\Noeahkfc.exe

MD5 ee712445ce354ec7ecd3e104a11f404e
SHA1 a8e18a83e44bac17d7bf83bc125582ce972696cd
SHA256 6852177aa2f9e2c215685b12762e6899ede3eef28ee9dc6d19be78a2e034957a
SHA512 27ca316e679d78141ec0fca77b5ae7de6134e6d67a82b9110361cc10c2cc74c868dc74eb79edc7384036e26b351fe32cffaf3e0fed9883241fdba84d7779a3a2

C:\Windows\SysWOW64\Nbqmiinl.exe

MD5 cf1d48e71ffb972cefc4284fc9cfbd8b
SHA1 c1196bccf7456602a1e1739cfd2d2cde270df5e6
SHA256 020e3c3b33db4e27d07253e3c65aeab1566781dec533e83d544f47cebe4a568b
SHA512 db1935689546a4ad7d9a4e196388ef67498a6fb019babcdcc290839ccdfacf1a42006c27f9a0e9993fbab75803d173341d94d63ed444010ade073342df1b0eb4

C:\Windows\SysWOW64\Nijeec32.exe

MD5 b103002d1b3f477837bf43cba76b64b1
SHA1 a680a92a9ae131c70784ce82ed397c96c49d9cce
SHA256 1aac876e03bd9a8f8015c711b077020ed932b8290025bd3bffe3e81488ec74e7
SHA512 7e1eefc58af918c4221605afcc653ea0d3c85a931f22c53c545d645afbc1cb88b8343d08b94a46f30e0e63e07c8fb0328d89aac86e164a0f215cb77ef2bf4ff6

memory/4444-160-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nimbkc32.exe

MD5 2c35cc9adee0fdeac7beef1267cce8f8
SHA1 6c1809024cf16da1c0cf528968e5593965a3d458
SHA256 92257ab2021a753bc72c9baf4f4102d73ce506e2a8e7bd6dbf832ee5591ad68e
SHA512 23d96bf24f84421e106b8adf2aefbdce6a654d869b16399fe7e5a062a007dcc953b451aec16bcec2cd6cf02c3144235fdff6b1103a57330f8e403221765f2117

C:\Windows\SysWOW64\Nknobkje.exe

MD5 f3be6006a3104a5b795c1bcae0f80f92
SHA1 51846c4b304330da68c54ca2fd66bfc4674b5681
SHA256 a8801cbceab02be4800d07befd97e476a3914b13b2a28b5afe25ed5814c847e5
SHA512 14d4b11001fbb828f1e33642d57214cbf1f2c2e4239aba4590cece6f73235ee0e3f724587fbf4105a1ac5005980d860f7f5dc1e53b68d9fd8981d86ae9fe7ba2

C:\Windows\SysWOW64\Nahgoe32.exe

MD5 b6df2489e32cdcf71b6186a2e5631862
SHA1 14f236c5d67a90d1a7f81bed45dc24a85166f554
SHA256 be13fd96abf5f3a5133e8b63cdb67d8f62979882f37c90925794e617890c5f8e
SHA512 c21e4a8af0042751e5dbfb3f958f0246bb4332c947b1d61f1aee1a9c001bbd75f8e3c7c0a596f806c9ccc539268118ae53d07921a1a17d5bcba0b847748babe0

C:\Windows\SysWOW64\Nhbolp32.exe

MD5 8ab5b3ed6f8c8bd614f50acc6c9ce188
SHA1 ffee492cb5158c7fa216008cd5e037344369426b
SHA256 1bbd4c46d2453c94e5297ff064a237c9bebb829f4d3912626b69549ef827835e
SHA512 c3ee04e62c7808a4510741a027800827720bf1589bdde0fcebc9b88a204d1b415ea71d60c7b82a690b2ad1b23ff51757fef2dad461cb635e46a8e99b76e6e514

C:\Windows\SysWOW64\Najceeoo.exe

MD5 4410e44b98b63dc9ebcdcb11822c7a66
SHA1 da6900ad221fb84092fe9f649b19a71471a628c8
SHA256 36e9795fa982dec25bb4187f564dd292c87105eca3b3b3d5970b7d7a9c6bd1b2
SHA512 1edca04baa5e56313c62222b259d6d32e81b28ededa1a630a948a7c4950f38c0d6120f50d4ae7f901aa67025d3a5d2076b157682757503cd604e6745530b66d8

C:\Windows\SysWOW64\Nhdlao32.exe

MD5 cc19bfb1d9286e8dbc6175cd5cde3e78
SHA1 e225f52e3fb11651e0968e2c3eb5cea8b9c100e7
SHA256 b7cfaa8608d8b0e90de19e2de1821d3df69509b8d92382739e078eeeb0be75a3
SHA512 333909d1739d8077b18c2eff88dae1e68e5bd00bc26db673a9f2cb22be1f1863c12910d335810cc3a0ca2b32aa4b67350c18881fa06446eee61ba94993a57e1c

memory/1836-281-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5072-305-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1088-317-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2104-341-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4820-347-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1280-359-0x0000000000400000-0x0000000000440000-memory.dmp

memory/912-371-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4036-383-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Oohgdhfn.exe

MD5 404ba37e677e49665fb587e8a9c50587
SHA1 78507d9b0baaf4c11406b00bfbd0b1b6d8e31b59
SHA256 eac4f066a1f7c5605f7f0084429f06d811c9354954703685cafcf4038103341b
SHA512 98743930298355c49a85e18037b9c9c5279bdf4306af630977d0be907a7aafae41e4c05bb599552b373c32d7293b737dd7171ed348975c9987271bf91d5f18ca

memory/748-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3732-425-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4948-437-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3048-461-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1792-473-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3324-485-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3964-497-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4232-521-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3040-540-0x0000000000400000-0x0000000000440000-memory.dmp

memory/752-546-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4512-559-0x0000000000400000-0x0000000000440000-memory.dmp

memory/768-566-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3260-579-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2508-594-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ahgjejhd.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Bmabggdm.exe

MD5 eebe2ed7d1f8692820600744b6c7a37a
SHA1 f5a7d75c428d368f1f795cc05e8e90e666945480
SHA256 c648bcb03c8b4256894ca309d51bd0f7f35744a4e3817a0583205a563259fb97
SHA512 b5056f35b94766135d3cb3294c713bbc62381090138ad3fa44c2a48d74fbedcec65fc954b9c857fb881c4b575272974fd45cce12fc16a0184a7e417685627dd6

C:\Windows\SysWOW64\Ckfphc32.exe

MD5 6ceb325a765c4ef8be3ade80c0c6ce0b
SHA1 20270fd037b985a8a5672a4926d41575318c70fb
SHA256 a3689c0d789ed6f9e52de30d9dbad3ec93782d09e8791ab5105e82b20b13fe11
SHA512 b1272a768a8b73cd00654b52d98f274edec30d36867d59053c80fd1ef7a4a103d0f6083d07551f316ceed7d3bd2ef55562cdf56cea9604a565a212b810c58236

C:\Windows\SysWOW64\Cbbdjm32.exe

MD5 c42df34f42194c9671070d4dae9fa466
SHA1 8e57dc5c4eb7f946923bb819090d279e9ec311e7
SHA256 d903ab47ea59cdc82db3f06425f5c076a3e8be4821a10969eff61b0ef28fa4fc
SHA512 24dff22bf8339c7f2abd59cc623d9a885bc4f0f21469975204217b6800938fdf63544f9b7d76bec7a3a2112b84dc0164bac12c104ce70abc5b659e1f500a7de0

C:\Windows\SysWOW64\Cmhigf32.exe

MD5 1a62f9719f15512d07ded1dd17f35ae3
SHA1 366436c87dcc3f5a54c479dc67bc2d636840c7ee
SHA256 cc6ef3305b9827a4f809067d27162074696d4abf1c1504f13420945cb309716c
SHA512 38cce66b8adac645363334606de115a179fa7d91d679e8bde01342ecae5ede9adc392c8260aa560ef43e86af62446a5cdee70bca49a76e4d5b2dc3d8a13e6b5e

C:\Windows\SysWOW64\Bcinna32.exe

MD5 27e5dcd2f320faea77a2da1afc229404
SHA1 86cfdf57f86d8e8a2762fd3fed820536d34136a0
SHA256 b34e73f5d02caa7bbc0079f1d27c2d9bb290e472d5d29708fe5a60cf9b902e03
SHA512 5e0df05b33559f73e2c905040550b2795e47886c3d5d7747024d3e6bfe53d44f9c4ac747da56bb3b6f0e22e78e6a333937e2573be32e4a089ed453d550e25c42

C:\Windows\SysWOW64\Bkafmd32.exe

MD5 fc3e091d0da3457fa717735113493fb6
SHA1 b9a1ce2e48dc8a659c58cfeb8de76ac0063c6748
SHA256 38e4ce77c7955246e19775b4fb4c9711ed6a10e736a8b06b8e9760b2fe6066e7
SHA512 9ed22f03a7beacb93f2c5c5c32fbc9db7e22af435351a8383b2931b46e002379c106861907f637c7933b17a477c6cb8e4a1ea54b9aebd7e228d13ce9e3d8b8a0

C:\Windows\SysWOW64\Bjpjel32.exe

MD5 0b2f0022a12ded993a0ac0ad30b379fb
SHA1 bca577ec4da11a8e890512c458ce201a14480325
SHA256 94d9228bdb5bcd2f144b2474e4a7ecfdf3134f862c21896ef5a2499c2d16c400
SHA512 126b760c853e8fbc6341396dd1135f1c13a82352cd051b85405cd517ab8b42d5f40f3f6c552496610bd1560493d9ce43fc2bb5638cda49ceabaeb4f9aae4d4e3

C:\Windows\SysWOW64\Bcddcbab.exe

MD5 83254eedddc2a2e64ce188b258147040
SHA1 09953b913243774b2b2b942daebe76f79646b410
SHA256 07f3abf0bc2ed68b5f2f60b7a8f584a0e693e5de6078808a6be6be30ed60f115
SHA512 efa6a1e75bb830b84292b2850811bbaaae15ce0ceba1bad2c5b9ff8c0762a86c6ff72087ff499c552741a7d7e434dedc02d523e273da7f0027ff8e5f15c9dc4b

C:\Windows\SysWOW64\Bljlfh32.exe

MD5 d206f5ab56f1b441c0873f6bd3417fcb
SHA1 582d7065824bcd8f1ee4db2b05601f7ed52ee9a3
SHA256 2a30a752cc1e31a5479f46c20c8460cef982a5fc9745aeb2afb799d30e390359
SHA512 c95e43291e181e8bbbfcabfa4c095dc493e216170bc72a04e99ac0d5482ed80dbad0d25e7f587a976431657a5037ed2269b48bed1382b7c1186394dc307979df

C:\Windows\SysWOW64\Ahjgjj32.exe

MD5 ae9c42ec75b668ad993e0fedd34656ad
SHA1 162293ce3b2519cc85f19a4cc567492be1758099
SHA256 2282dfe6915976c77e7a0dd33c515fe00a9f343b37435366d13b950d02c341db
SHA512 02e3ce093cf347e0be57fbe136ca314b2ab4c3dbcac08724a55199bcaaeecfa0b5d0bfa2e15a6139010ec5c274e15128fddd1892735b108dd43cd88ac9f165b7

C:\Windows\SysWOW64\Afinioip.exe

MD5 03bf6f0be9049f5aaeb724e23ba19beb
SHA1 3d667aad493e9a3327e26ab1a30e287dea59088b
SHA256 c2717618682adf15d0b39e8a27a688be5525273723e66afb944be48ca3b8a3b9
SHA512 40f9abbf7553789c3f4769ecc319a30a1f5f18c3012071ae641028b741888b12c849cc3a29682e19b5747798dc400590e543de4dfe2323d64c9d2bd768c76680

C:\Windows\SysWOW64\Ajndioga.exe

MD5 cbb9842df419ecb7516b13cbbe688afe
SHA1 7093723d61fd982e01895d84a521cbd0337ef113
SHA256 57b43800f5740fbf5c366b6ed75c4f87d155b75c307060b64dfaf0c9b5a0324a
SHA512 a4b856edd40f10edaf45b15353fd9ede48807dc1f8261983aec5f5910d4dbc2b5516fc4d636282221c64c699a24da790e818faff591fe0feac7201dc4f05fe9d

memory/1404-588-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2768-587-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3696-581-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3172-580-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4740-577-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qofcff32.exe

MD5 18b7c82af1d873a5b749400eb9938bfd
SHA1 5cd29bf53730492d8d3098f4ff3e80c7ec52ad1d
SHA256 0d9f52ab75b57b701ab74991f7913cc4102baf6391be52fa4bffca0a5c2981bf
SHA512 848b666b2604a56a884e057a896749b1a0fa7aa8be423c3fb395a93d95a76b6e304b8aa043faeb1a4ce750ac8e56110827d5ad3e837eaa6e22368ba48c7ab35c

memory/4064-567-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2016-560-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2628-553-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3200-552-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4432-539-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2284-533-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2300-527-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4664-515-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Phganm32.exe

MD5 6953670bf8be15b81cebf47be76ff389
SHA1 306e49f2d8c9dc47afed3b8b4fe9aa856f9a2d76
SHA256 a053956be9b162c552e695e7678df5f5f46a81a16a3d5ae11df8d17eac924a6c
SHA512 8e60e9bb1e1ea94fa0e1f4f6a5353538b48c03dd0bc33d396d09db8fa183f7f9f1aa2f14358695a0c596008bafda8d0f0d7f57ba9e04a961887be9643b9acdcf

memory/3272-509-0x0000000000400000-0x0000000000440000-memory.dmp

memory/648-503-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Pcjiff32.exe

MD5 1d6fa824253737c94004e0397df62351
SHA1 e7f252be922fc73367dd49399fd9f0cf6471f83d
SHA256 9713c307e3eb5013577944f2d2a8444b5b26a93312dbe5558dc7b00487fba1f0
SHA512 1bbc2e9c062579e017ca4184074b8c40d637157b511f8adde9d8db8b4be0b2f0af96ece9ecf8f4998dd7f12211e85d450fd12d905af28a75ff76a13117344553

memory/4132-491-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Pkcadhgm.exe

MD5 0b40b0624d427e286c879794bc0617dd
SHA1 7d4eb9cc1688e50e9dbd6ae3fbbdfc3b280e754f
SHA256 c7e9ebcd96ada4b4e17636c6f9a625f9db5da0f5e6e09698496d22da89813e77
SHA512 30d0cb80697a0cd847fa05b5f8e48b1152940db4a9c4c620df5d11a5116e38640d568d671a613e9c1c443e7ee34b9126837d654cd2491f35d1a93cee42daf5cb

memory/1528-479-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4484-467-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4248-455-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4300-449-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3596-443-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3616-431-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3192-419-0x0000000000400000-0x0000000000440000-memory.dmp

memory/400-413-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4980-401-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1612-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2208-389-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3156-377-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1292-365-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3416-353-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Oaajed32.exe

MD5 76d9ccb18dd47029af500d50c01ac5c9
SHA1 207fe4e6444b48174ffed5e67a455593d437b064
SHA256 68b1e0ac4e8b5b63e1ed0274a0ed6f39274354f129c2b245ea538850aed17f60
SHA512 80e7cce6b9eef7fa123003562d8df7f4ca8a7d67c2d95f52a4c91aafbaf41f1897d61035a12641d361f9b15bc3773ea32f7a1da1a777457e64908d0cfe594a12

memory/4192-335-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3504-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/464-323-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4884-311-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Oekiqccc.exe

MD5 b4368ea7ec2117c05145ebdf6adc728b
SHA1 dc72e065b711cb96e53ae15a6ebd33520b8d5e50
SHA256 1ddde02e6d27118e60b0ed0d5d610c6f84658ea87cd41d9ca7d10e07cc20fa3d
SHA512 73affebeaf027fa5137e60639808c49f57ca612432b02e9d6913fadded3ccbac8bc3073aac91844aebaed56c54f41091e4b940ce51b56261dde37ed297538683

memory/4320-299-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2612-293-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4424-287-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ohghgodi.exe

MD5 f21ae52cd644ac60b7c107aabc3c4a44
SHA1 f7a87d058265ad7cfb2fafb22efb8912a884bcc3
SHA256 bb87ec1109b466d60db9e8f2b48c1c642b7069611a6003d5c1d3a5dc775afc2d
SHA512 7ef0750b788ec0c447e22d370c40f1d297c81455dbbf605020116be237692b2a09c980ef286431d1d214304a7d0caddeaa07b237d97dad9da7522df6fc0d4404

memory/4588-275-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Oehlkc32.exe

MD5 e0bb4b1a15589581dc5788d28b79f914
SHA1 673d2901a6cee66f1e398ce8284248e7176f71fe
SHA256 3013e6c895113d7c8d4e5cc0cfcd5be865c4c929ae8a02f1ebb6099f7212eedc
SHA512 adef3d306b9cb3f5c835c5e6f4768f3ee6762e28a4931226a32b69cad8c797b6582f25be77b478b799ad455dc15c69302ebbcac14fcd2d8c768081feea832dad

C:\Windows\SysWOW64\Coknoaic.exe

MD5 8e22bea2f18e7b0f4e991ef447c0a660
SHA1 41ba291460030adbc50d370a3f6e7449ec4bfc17
SHA256 1b7c6497d72fed6e51b7ccd6a67c2b279fdd440d114291b76afb3b7701d9e66e
SHA512 5357f638190a99c69d946923bdd6de077c33d365a68ee949164f207f5c3b152fa58040cc822a8b2b59025c8c87bbb7fe1a3f3bb3f79a1a49fb29148ac08b6bb0

memory/3792-269-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2816-263-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1424-257-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3968-254-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Niakfbpa.exe

MD5 29f2eb75a3717398aa78dcdd4c998eee
SHA1 480d09ea7d131b6b7691b445c73e47178661de0b
SHA256 375bd22a7a53e600490ebb63301ae562ae937bfc82cf38e7233e7aa552769fec
SHA512 14b2a220d6b23d1752ded5e930868a66d4bef0936c0753a796b43d54c660bf5ba08a177f0a663746356da0c1634f167ad448ff1b0fd87084e91459ee5f821cee

memory/3340-240-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2140-238-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nolgijpk.exe

MD5 2c0e038f6ea584446f92bd06a0ff3792
SHA1 52a486dfe40ba3f5f2dd38e2deee6f1b76aada35
SHA256 31d375512ef1298feaf0df3345f0ac3cc717663f3f23b95f0e56b84a6dd0a7fc
SHA512 3a73ebd4d8ea1457fb6c906330f8e983d9a8dd2731f4cfe29d23bf15b7c3effa96ac0b282d1858d503fd615e3338d765fafda3d715869949cb410a81587bddeb

memory/3704-225-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nkqkhk32.exe

MD5 8a13f5682a5624c25b22b0c477eec9aa
SHA1 e60a10aa1141d4fac35233e19a324adf3458cd64
SHA256 3404ca52acd622b3bc039c9ffd4f7879dc45c40a5f87cdf9f1242d547a1f1dd7
SHA512 c7910aa959855078203fa8443dbea0e0044be94ccc6728a11dd53543a8ccd0d37ae4e6d0f842a2ac548e5d8a02514c9248293f85bcb5561f85913a64e0da08d7

memory/2656-221-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2968-212-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Neccpd32.exe

MD5 f921a2ac42241058afd71703efbe11ef
SHA1 f02c94f62df3a518156834becf71715184d957c4
SHA256 15ea6d4b38a0e1e724c9beae493aae49d72f477816a64b186516928de8da52d3
SHA512 f2708e974ef7eed827950361efebae3301f1e8d15105f132a3c6af664435bffb2b327c3db9b32a5bacf58e8cd7d863add2685a1767698fd126b64c088c9853bc

memory/4984-205-0x0000000000400000-0x0000000000440000-memory.dmp

memory/864-193-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2592-189-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nhpbfpka.exe

MD5 428dca85dc3ec650c9f5c1173397c370
SHA1 f03e302b76272224b00fa303537b09703bbe5805
SHA256 1bc72aad7106f380ba087508a659d3b217c026d91e90381229c0d1c60934582f
SHA512 ecded846cc42d31c7cef7143f50a19c1cf78a15227a3f0edaf52b088ecde2bb638c42982c0d4fd7e58cd841165ac9a9debf4f354effe4cc4602fe161606ef928

memory/1908-176-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nafjjf32.exe

MD5 8b3870d0b98ed8d27d565a22a47c9600
SHA1 f9db62230a8277e7bd1391632d76dd9747f57bd9
SHA256 1425f1e477ee0fd66c9729bcfd2703d687aefabd1fa39a30d1714b4b742ee4eb
SHA512 785c1cc43422b87ed8bbf13b257391478e3ba3e7853a2399f6de54df8171dec152bfd0754337cb4855fa10ea44307d296bb3405185c3759bdcd0be4391bde6c9

memory/4692-169-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nognnj32.exe

MD5 245ef75ba313a33a83e74fab7312b2fc
SHA1 aa56446ee696f5df0358c8cb6bccafb6b79ee12b
SHA256 761b2684e49595440e209c329f5fc583e9160de6f77fc950fe64974654c152e4
SHA512 4f09181dce63f0595b411378d97f3b4107500ce76267737a844988dc27570f3cf0ed620cd8da8de4a4ae55f9b3a3619413d1eebd5f5c4138f1d7c021bfd464f7

C:\Windows\SysWOW64\Nliaao32.exe

MD5 80bcce2cce0c5540e51ad2e616ca7638
SHA1 d00d2534a57e230ecddf521ef473290cb721be8f
SHA256 a12a09e9a46a40b811e5339497bfe2d5fe98d5c04dee2f1c455e88f8a848c5bf
SHA512 9b4f8663f32436e0333ccdbb39c86d5423649441ce2291b393b76dd880be360fd591ace289f3c93e2b5bef46f4eeb464fbe99daf473a365c3e1c41931f34adce

memory/4520-152-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2320-144-0x0000000000400000-0x0000000000440000-memory.dmp

memory/840-136-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1584-128-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nlfelogp.exe

MD5 30b593d359996ab4d2965cf52edc645d
SHA1 0aef78884f0183f79159278a9a8c0ab0de9bc1fa
SHA256 ff50be8c9d5977ba5e76557f0e89c801ae713aedb98586a0aaa89c0ae6cd5232
SHA512 f0cc571a18a3a34a85bb7267bdf978c89eec9a2cd49551e95e21c04b7984cf8a23c3ac61b908e78ec065ede9196413b0e7dfd5efabd652caae0860538643fe0d

memory/4392-120-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3436-112-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2248-104-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nbnpcj32.exe

MD5 da2c079012512509087851a268fa948c
SHA1 e846c39f0341b88d96a2400f26558200065ba33b
SHA256 8232d89e113d5fea81b3533ca4fd6af75ed19bb4a53f904e2231804cb925a9f7
SHA512 cbfb294938d319bc17b1363663c6489c034d2ea2408b5f44ab1d6ed6011e8cf556258935525b7ec420daf08d1e53de683641c123462f98b87f43c524c5fb60d8

memory/4372-96-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mhilfa32.exe

MD5 062d4b9dfb5c94c7e2ad54f94adac588
SHA1 09ccad491c9aaafad13431e8cac28abed2259bb6
SHA256 eb11eb3bebe248d32237842332d4e55453d6dd808d9dd80266b8db184fba12b9
SHA512 c4baef1ddc8ba4622d04e8e5bebd48e38f93f09c5b1d6c954d98a34169aaae37856af1ba63dbadf2634f2b484dcce8e8e81181a632e29a6d9488e68e72645960

memory/1628-80-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mifljdjo.exe

MD5 a49594da9ac94a1f5c1d358e0d4ceeb7
SHA1 73532fc9b0569d9c10bd4abb4bf49f5648e8bb83
SHA256 cc7feb12d5f71d172ee53e8640e00f5b394cf2b9acc739946d3a42bff6114831
SHA512 ca0fe2d7e0fb697a5d32084bd391698c4e1b6e19b873976019d86c828d38246092d1c2340cae1353c6063ff151a9de5a82c27366b924abf09b262d251f2bcbe5

memory/4924-72-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mblcnj32.exe

MD5 8c702cdd64926498be9402315cfe5044
SHA1 2b91736340ddf2dfc4d550276546f02b6ba09b5b
SHA256 9690815ced11755d459d4635389c87173d17625b19f5998c8217202d2f3c8498
SHA512 63af930f19ab76122564275ba13e6967298762029180a1ef274b9aa1f49cb6ad0f82a29603ce9f15de828d16ccf2e2e03b6de069448bde1715821b77ae7fbf67

memory/2508-56-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mnphmkji.exe

MD5 43cd6ad3019731ef02b3e5928f570728
SHA1 2c71b007303cef33edd0189a5b6722eed2770756
SHA256 8f7846b0299227fd88fdea505f4e06246ce1b58c85c7df3e4d71300884047be6
SHA512 4b6c012fc113950e95232e273bb290cb1f8e3b675e01ccb84264d6f89eb1c44898db209194788f0dca9bac89e1b7d539a5992a5b2fd5d978b20873b436531cde

memory/2768-48-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Majjng32.exe

MD5 97dee42889491a54c5d28828eb20f986
SHA1 f06faab495506761eb54c2b55b08e4246a5c4b29
SHA256 57fe038848ed4c6d41a5088abddc9f57f1c6e271cfdac45fc2af7f1a696714d6
SHA512 359fe64c00bcf4cc802300da2e99a9c462274286bd728cfd85149a722b0a676ba979cb03b8aac645b39b2220390068e72485aca2837e933019525f640bd9544f

memory/3172-40-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mhafeb32.exe

MD5 c8555c638e1a28e2a04e091e1d71d47e
SHA1 cdf254502252cb8507b3ed96712ad577140be6ea
SHA256 b826b95e063722ad2d5e3d6053f53a96251c47afabf30dda1644da5cefb74eaf
SHA512 87134e2b3c1bd38a8e35e85f132626340bda2ac9c05819c9bccd42e56dbb5e938537876c06320baf3cc44c2715529e9288f78d1e8bd7d88f6e83b39578a92929

C:\Windows\SysWOW64\Mhafeb32.exe

MD5 a71ad3a58c9fec019ae945b121fa52ce
SHA1 735b3a9ec5605957ec34ead263c9166ffafa3d58
SHA256 2611b075af7e1ab3817312023db8a2c9804a636355e46d7b5680a17b22a1b499
SHA512 05575f9613bae8a1c74f7fab02694ae2a99b17580e6d1bdab4a2c37cbf6ea8f0404200fbb3dd146a426bbeaa6d82a9b2f8a65caf2db79d13aa95d52972644a5b

memory/3200-8-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4432-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Dpphjp32.exe

MD5 18aa5cc5cf179e6ee1bc88679e80cec6
SHA1 34dd7dae9e7af74086a62e7d3802d3fedeae7ed1
SHA256 79d5cdefd22cc0cc9eef191989946376842a454fb3a8df02133550e4d1a955e5
SHA512 8b82bc59bd61fece29b4b680cc027f821c1214079ef92175dba54ed11764e67f66cb24d6f90a41b1d6fdab0e193ccb2877b4f0ca6b30207770e4669ef16beb19

C:\Windows\SysWOW64\Eidlnd32.exe

MD5 f87bc9e84b101663f7599ab5b9070f1b
SHA1 cf8b32e85106650fa8960aa0ba6374d722037b60
SHA256 45ca3ef57df4390730317b44d10ad0cdc3dcd81c5a5595b6076cf3965e1d7912
SHA512 64a6b246a297ddb67309a45c0cc2ad46aad3d9992983d31e197b7edaa6896a85c88c66268dd23ab424591de27ad259b1e1ac8b60217d2bdf4db3e424cc0b6c2a

C:\Windows\SysWOW64\Ffmfchle.exe

MD5 8d2e2ec2123fa6b585c6308c5f5fc7e8
SHA1 32b7a95f11a6d2fc1f9cf3efe1f1e07239bf9849
SHA256 d7c673ee14abc38a80fedc93109bf6bedeb626f2c58f35bea2453095fb537feb
SHA512 40b60d9534db726ccd267d795faea1a253e3ae14ed836c3b28b3a510c26d30d32c6318ccde989de0a1e7cbc0f36918b9d2c627aa08874e05c82d395c1ae505e5

C:\Windows\SysWOW64\Fplpll32.exe

MD5 5079c42e7149be8de4d2c350aa797519
SHA1 e6e893d76bc09b80bee213e56356ed9916ef31c1
SHA256 a476119c8610575809576f256b0c19863a190f21e4c1f24a5ddc11df32aed8c7
SHA512 05534d48213407fe397b9ee0f963903a5b8e14a68d31de89b00606d7eb03f1e467eb7399a59ca1e32e9c42ab48d5989c15d25dde44c79ce3cc4557a0146dbc3a

C:\Windows\SysWOW64\Gdjibj32.exe

MD5 5dc9343a73480187fc9d311f210beb98
SHA1 5150c9d84ca95a87ae80ef06ba91e8e4b82727d1
SHA256 45a6ba4ee5c1cb0e7281a9ce7d75be2c72dd229d725eceee70c81632c6c40ebc
SHA512 a63882e82e0daf7d4b8efe01149d09cba66bb524dcfbc1a4ff73055cec79490da4937a67cf2ea8e64e318145421477189f40dfc7937ad8b776d20680d889ca05

C:\Windows\SysWOW64\Gbabigfj.exe

MD5 b41fcdcb5c95a26b14f385f4bbf886b7
SHA1 488ba3dc5c56c6112fe06a985f0d3f6a95d1b375
SHA256 138c534bd24a47562f325f8a9c9b5e3bac841ba8f4b1dfcb6085353e0e1e7780
SHA512 c61f913c31d3fc6f785615a6cf1ea4a7b2a16a7d4a9cd9bd4cec4af0cf64a348560c03f2c2d1e22353b122234dc1f52367086dc05ca673b72e90d5c41958c975

C:\Windows\SysWOW64\Hpjmnjqn.exe

MD5 7b21b6663b836893e04a1ce649c90fea
SHA1 46d17e3539ea343cb7f4990ce500783d0cbf559e
SHA256 a10fad6dbab31dc1abfad4570e8dce60dca2cbd964cf5b5a3dd4aad5f11cceff
SHA512 1ddda41bbc13c8d0a89bc21e37bd6192f86fb4da90a7e6194f1b8f99dd3cb531114d4a83c590c9ae63b797af0fd3a6467a58d8f5d475b2c584f375db35281a4c

C:\Windows\SysWOW64\Hkbmqb32.exe

MD5 588b7c731f52f3d237f593b5f84c5c64
SHA1 b2a7d469b1d9a13bddfd8c867efdf02bdf693bfd
SHA256 091317f02863bbd19c98bd317416217b8b5ebaee1b518b4eae22c17969aafcb1
SHA512 129cec3601f9f611b13bef75ef16969438737a431e5b39fe3d890b27561815976c5b8d66139a47c9caa82d95025a8fdc477b91b78eaf48c12d22f69e32e01ef6

C:\Windows\SysWOW64\Hpofii32.exe

MD5 1bb5bab389de115f5fd5ae551198470e
SHA1 2fe5637cc2c5bd70668d6ad81a03110e332c0b4a
SHA256 a2d7f93816508104add30e40c89b436c7039633228ea3974e0f4b32ee58de83e
SHA512 7698b19b1cecdfe88661fe95c2ab8c20fcdc86422ac8a5ec015cef693957ceebb2b18787a259f4e432c807e52aa445f84426c57a1bb82c8658c21f75990284b1

C:\Windows\SysWOW64\Hgkkkcbc.exe

MD5 9f3947629270257d1383a3040f02a75e
SHA1 08c960387163e3bc5ff3cef0a8f68098b7c9db1b
SHA256 9a8bc2b883038d5763df006b1e673abe29db8b15a71cab2ea620e30a0839fc48
SHA512 b2c97588ce6e67e9dbe4204dd2b44268e78386e254d450c1433722e4698d555fab704697c74ccf2d6f39326c4ef24103b5b7bf1d1ab6ce527f409ec82bfcb7b6

C:\Windows\SysWOW64\Iljpij32.exe

MD5 b629f80238c1eba186bc0e21a6d6d99b
SHA1 78d804b61945d544c132fbd21e85bd0b2abb5815
SHA256 3ea7c53a547315b635b24e53d1a039f05b030527fa4072bae6ec861e719fe215
SHA512 2fda26f30b6e6eb1a9aa21eda618db0d63cfd8da54da4468945d64850d3d55322d55e6bde06563624f159ab8f205a18bd3062138edf31b855fbfd17c37e0af14

C:\Windows\SysWOW64\Igbalblk.exe

MD5 ac625b6f149d064b79766cb69b1fc8d8
SHA1 6f250423707b18f9343e6c2cd563973c89f492ed
SHA256 c52f9256d7cbab25d2e13f8751ddbd70155ae9b902e55edb2615e4b1ca1ca53c
SHA512 f66410d9c1fc52725615797d818ba50fbe7639897a094f1863ceb85c3ac403bcf88c0b99319b4ffcd5d1b06ff864347a4be089758effc5d8e6184393f876e34f

C:\Windows\SysWOW64\Jdaaaeqg.exe

MD5 9d1aba5b624a1fa6421e3eccc87d36ae
SHA1 8110827782347f612e872ed7a17a34d9db2ebd52
SHA256 5ca37e8dfba87b85fe26aea4cf6604e69638ae2b71ee17c182a9677cfdaee21f
SHA512 e24c88d329372d2f5ed774102469386f29f0ed9e31066f1a74459b88775c6d640589fbf1e091bdacbfe346aa3de936298085dc636b3355b914168cc136462430

C:\Windows\SysWOW64\Kclgmq32.exe

MD5 f3ed574f4aef66971f710f2094734be5
SHA1 e5a5a7b9417393d6fd9fdac59cec3d238b484788
SHA256 cee6f870193412d1665d9b5fb5e357c3d1dae11d29920fa2f5bd82525bfbb5c5
SHA512 52a94e3377b74b5a348643bb4d7215ba5479047bf59c0c50798b388d318b6f4edb35de0e1994ef35f1c82edae3d0c95bfd3df5ad8ede2f77d89f002cb51ed8dd

C:\Windows\SysWOW64\Kgipcogp.exe

MD5 d4ff9ba2ea469ed85a362617f8dc6f6f
SHA1 86a6736e75f8f5af0dad92db76ee80812e08d498
SHA256 5c97009406a3ed984703b63ba5d34cc29577483249094f9ff68465b8c6835f3d
SHA512 6f5db6705ed7ffe9482e2bfdaa0f028260089e779f14398c1a2dbe5751cc18c73f287be032bf0b1b1ce6b02eaaa9e03fbab4c28b73e8f3fa0d308194dbbcaab2

C:\Windows\SysWOW64\Kmieae32.exe

MD5 5c4ecb6222eb7239bb03e7b937ee2611
SHA1 0ac8e2f0c1cbe1badbbd96dd1aea7ae47f95b59a
SHA256 6725f1f75c76dca3711b7be85357e96c6becda4048a5e040914f3bf4173e1ccb
SHA512 f727d36942e015582886a66d9443e051aa401f0752e535a3d6e5269adab9f75f26e643acce342c21d20d7d524bc33c1ff8077bb35c466d756f4a3861978415fa

C:\Windows\SysWOW64\Knhakh32.exe

MD5 c0997de556317bbcd8519d47e983f774
SHA1 c9ee6644506c47b0923395a642b0912c29e78aa8
SHA256 e36d9ba40e9f158c2b77c8601492b2f8ab90f3825a8120bcbf327817729b55a6
SHA512 d062d002f512faa1e171e6eb6767dec5e18f51ba741c7dc0c2099d10165b4f8ac69019f70ea4c44cab9f51dbe7f22acb4b32ae058e94a8282e553da548fd804c

C:\Windows\SysWOW64\Lkeekk32.exe

MD5 adcdd77a6588aac2a1ae0527285efae7
SHA1 ed0691a039a24e8018ffa2f6da872f95befd3bea
SHA256 be0b2fa4b935469b51e3e0bddfb21f9646469c40dc294e210bd4945328057094
SHA512 7953b682406167c91dcd5f29e985ffcd00a83dc566d7f5609dc8369a275eabb7cea24315db4000010b678607bb0e64ca62e2f48fca24626c85f6e2dffef14b5a

C:\Windows\SysWOW64\Malpia32.exe

MD5 88e34e1fe8636d2e5fb1bc5c4db70a14
SHA1 742fe1cd76072c07c610c8698014b4190cf66b59
SHA256 727d969692bc03b3263d5d60b520ba3c10d521b85d61642eaca8af250d767bf2
SHA512 3c07c677f9ee75927cb699f03344203019bcbcd0e14e2bd553aadf15206c4ac8f90c55c518c7fd3660c8cb0485b5712aacc03bcc048932c7f96fc6953c7e8acb

C:\Windows\SysWOW64\Manmoq32.exe

MD5 a3727cae3b7131e13ebcd0acb13cd5ec
SHA1 70a4040371ab9012717a9a7530c1f30d842823b9
SHA256 e6052f7a608687e245094fa5ff8ec62dcde3179d4078eeeb0c1833bd1102c8b9
SHA512 51e97034e1f420d25c130e140cf55ccd007662061a205da25a6d22bb9711983081ee57fe27ed1f8f60a91ad71f9c7b44c55c814611eb7b549bf94f2b1e3e2562

C:\Windows\SysWOW64\Ncofplba.exe

MD5 6ac5af06632add7dd9db09577296dad6
SHA1 6664b391090736f969fc82690ba55a0e4f1df43c
SHA256 a7eb46c6338a5c4615e12b85b484736f34384e7c9a771b222d58dfcf09e93123
SHA512 40c599851b3ca0cceebd8812e05f0aa3bb8e54ddca6fa18585de5248a6f1808c5206313597b145afdbf6cc941bcb0e623ee959cd557df0a1474cbe1d299abf07

C:\Windows\SysWOW64\Nnfgcd32.exe

MD5 b3807907e3432ae8d8b647f56a4bd040
SHA1 5dacdf42b06dfaa9906841b298bf6f13732ba8e4
SHA256 025b4a7e889558b27413e24cce346a09aad3d879a0eea198db3147c2439425a6
SHA512 840406c7b05156735d9081cf9bc865f1772c3a3bab9584d692f31436dce7d36722c793ca867ae553b16ba50825e513ddd17202a4af53baf671d30d6c9f058757

C:\Windows\SysWOW64\Nmlddqem.exe

MD5 f5b76f4143f1bc36af802137225749a0
SHA1 d03aee2da6c273362a769efc07f56cecc426e1d7
SHA256 2d7c55c3c6bbf484d8cfa2ba8bef45a40b2049a5ffeaf3f31fccb7626185d4a4
SHA512 cb12f9cadcaa22ac91da9862241e89d8d188f7e28f00061f8bf2b3e401d263d5ba3b8e5cd1cc494535831a76a52184af9a782c2f05ddc288e7c33726ad3aaf9b

C:\Windows\SysWOW64\Omqmop32.exe

MD5 09700ff759878ca1d97cca938b361549
SHA1 2e4c5d51cec255a032ea970d5ce8935c46c009f3
SHA256 ace1b7479045cb86a8d49b7bcd8f8ac0b0c2a1ef28e962b66c9ae46779b8ff6c
SHA512 2676f4032093e9e9f8334f701e8b53ac17e5cb3e4f6d2105336b0df4fbeac8979dcd84d9be0b42211c26ae58548f7598df8221e7dabf8a9557266f42c81522c1

C:\Windows\SysWOW64\Ojdnid32.exe

MD5 e7e18d05220e1f574645bcd6ade1098f
SHA1 501c83867862e1d44b91ccf6f9bb4c6d6e957362
SHA256 5c72da24fe454535e0cdb68152545fab1fb09704e669c939fec2884b27d186ab
SHA512 0eb2249c9e1b8a9934b7191957dbd3c6c4d7abd8501ef309db51fa0f8247652d9fe45b96245daaed4e228dc4e4f64c46058323772b3992cca503517f82a12260

C:\Windows\SysWOW64\Ojgjndno.exe

MD5 dd27de88c4b4d098dea67c80ce524359
SHA1 4f624ebd7aef47cf03450f7f10668e038d58cb2b
SHA256 97984e45e7f619bf369a45d102f84c8bf138cce542c1fb60daff5e12ca60fb69
SHA512 249d124e1623d9d2737f1a7b8589a0514ec907d3ac5651417753d905262f1d4e3c403d36cbf9919f26cfc08a86570c9e64b1120a1ca1da74a7b13f40c8008d3b

C:\Windows\SysWOW64\Ojigdcll.exe

MD5 982cd59f45246925b821323543ed5621
SHA1 54c4b719c13e5fa1fe987e58ac3e62111f24386c
SHA256 ef64e3333f74f6c6aca2797e72df6e0c56033257c88c8a3974f2aef6ed1c8324
SHA512 4aad9deb0ce5820222c79d8f9b5226c027c1b22cac9df8af64cb54402e0082d68f6609a01e840788fec759e9448f75e09cb891e1582bd89acd752196df399178

C:\Windows\SysWOW64\Pknqoc32.exe

MD5 82c968cc5c9939fc4a2aa5c98ddd3206
SHA1 f5ae4b1626bac656a590a0a959459e6c0c0bdf79
SHA256 28b1528862307b83ec6d148f3bce76f8e2585a0cff4857a3725ce27e11e25917
SHA512 1d4418a409d041a8f86b14cdc1d45b77453c91f8342a62317d2bf9e9901011fd52d3111dd153fe3adc72187f0a9f08e727461ae2bb3db8ef5e23ce57f20d76a4

C:\Windows\SysWOW64\Pkegpb32.exe

MD5 bb0b39a813ad042227418f9afdb24945
SHA1 408b7580d25e0dab16c5be1112f96b412c63e347
SHA256 09587e430eace1e6b8f08b3ae6bae7c21830d64d967ce813d530e8cd624255f8
SHA512 5fcedb6ca01e92ff35dcbf56eb83707939a0ee0f4bdf0aa6a1d5348cde4c1d5057f4f6f4259e5ccaf15d178bcda7b01616170a4beb65a7f3e9e6e83a98adf53e

C:\Windows\SysWOW64\Qhkdof32.exe

MD5 1d39ff7bcd15eac2d1c13255389377bc
SHA1 7d4406df0c58172c1bb26e868e3ba3ae1d47738a
SHA256 30dce142dd012e831ecb7d6a579591eb8a94d10cb1104894346b9b14cea47076
SHA512 a228e26d2b173804b8228241b5ba7f3fabb1aa7b3fd046cf3ce541f135324a90abef66be4ebb8c6a68e9cb44b49e57f8b893b5d66e1c073061a01e580b279c4d

C:\Windows\SysWOW64\Aogiap32.exe

MD5 f7e3beb99a97f2798fdbfed97eb10aa4
SHA1 ef48af942aee5f9b24667b1efb44a820992688b8
SHA256 d0ee7476de01f89b1db5941b5f1051f1b932f4fdfa02933fa4548467c998536c
SHA512 c5eac7123c7cee9635c5a863c593a2cc2f1a8895a9391d63d6c8b91cff35e5b6c90181972c4f3fc0138d0d9fcf5fcc8294b9771d64455d6329a82fd38a2fd46b

C:\Windows\SysWOW64\Bepmoh32.exe

MD5 1a2ae88e326201064b15fbb9f00c6ae1
SHA1 ba01bec907e4dc30946fa3a130817d1d04de9ef4
SHA256 f64b3983e3169ec71e8f8a634f905d5ed1a662d83056a829f0a4d65d9763bdde
SHA512 afcb7cf37f8c277086085f90e76bbfd117e7600dd170d22c73654851a57ff0f757af21695d5122b0a098a6802fe7b8c4391641280c517d1b6022da20c24fb440

C:\Windows\SysWOW64\Cnahdi32.exe

MD5 cedaa9e89ee1d2e3f5661416a888113d
SHA1 7c2fb3847b4a8e18f1a7f2c2f96d3a2953447168
SHA256 ef67b261d3e99f1c76adb3f2b588734a5eb331ee86075bf66b49b14b2d0284f2
SHA512 a8154930d5fb611a9bc2da8cef46d2f071e3be5d6a2835bc2547de83a98dc9268a631d7058e12210177fe8eba92a9a2d65486324934b1d6e1bd2dc5fc4dd60db

C:\Windows\SysWOW64\Ckhecmcf.exe

MD5 fe54fa1922d60368bf25cecb86e4fc09
SHA1 57af8bfa262cf0b197cdda883447e959e8e991fd
SHA256 be2db2088f7fb95783843b47d72b8c5615117c458bab3e07f69e282d19ddfeb4
SHA512 5445ca2ecdecd276ef44040c4aa9b543c33c89787c1e08c9bd35b83e3c04d258d42213cc53c23b87e5341ad2409df6f75431b55218e78eece1b53c14dc047314

C:\Windows\SysWOW64\Deqcbpld.exe

MD5 5a61806e57fc6129cef922170ef5df14
SHA1 5264a063c57b89750ab142e17afadef524efac7c
SHA256 bc8af67a67f3fb348405cc3eedd56164cd876b31088c1a0cab362146ac4b9f94
SHA512 eba0d75279cc7b8699673ecb656f8bbf2a569322c29a449e359c3e3ab1a03a93c83dcb0b2fe774d125e37f323e6bb74a28b92552d7f305fbb6bb405d5ac8b99e

C:\Windows\SysWOW64\Ebdcld32.exe

MD5 3c4cb28d96f647e9c1678194d2ff9dac
SHA1 d41d3755fdd78c6e8f42fc03767214efe60af0db
SHA256 4c04a81a350925efebb81ee1d414a943724c3ad718a6dff2003692d9ec8b2c43
SHA512 f88c0f161398438d53577d65b55c1e9be657d9745c8e60f8dc85580e0a45c2869472026bb4d5a01858f6106fcdc4bfb5606bdbbd6d66baa8277a3b146cf1c824

C:\Windows\SysWOW64\Eicedn32.exe

MD5 03d27d97c731cc0ae6d42d7d2c5ca718
SHA1 ffc7e212fbbdca9223694da048b0f7973bf0af1f
SHA256 094f89aa80f37e7c5c7b87d7b15b6c9efbb7d2e8cc80bf132beabd7041043baa
SHA512 20d6ff10b84ae4408bb0d34a027fd652164cb0a8bff6bfe5b68767398de4baa8c62e703906f3b50eaff1283af0124ed6db80817322511b5120fbfe1ab71ec768

C:\Windows\SysWOW64\Efjbcakl.exe

MD5 8e9bdd3c82743686497aefdf895d8192
SHA1 e3408c8a99838a8ad6062197094bef3c38d10de4
SHA256 fc6a343a9861bc967a76c174180ee9d92c5ffc6f8e416ba399ef73630ccb4771
SHA512 2ccdd9987d7e3d78403b6c4600c88b1ae31b8c87806af3e96b6f2377421ac252bc86d8e9048e54c3286cb6b1b0393828962d3700cb584dd16f25e7929538b4dc

C:\Windows\SysWOW64\Fngcmcfe.exe

MD5 9e59a28fde62f10d838fb70ee50814c0
SHA1 7dd3e3151190e169e6eb08970b7efe6949e83150
SHA256 94e8b46b23c4bf796eafa51cee10bafdfe0e57b75ad5a156a41b1201d66c1725
SHA512 94d4265c078a6dcfbfac6af7bbed89dec2f2f72352c90a358d4f6d815f9dbbf4f68de3173472f785a8993a2c6cb0b39de62d725d610d0c9905349e09e56db323

C:\Windows\SysWOW64\Fnnjmbpm.exe

MD5 27271ace947cf1d7e22a96ec1e2bb6f9
SHA1 0d481cb44d63aa5d4fcc0872cf653dee023f4c7c
SHA256 c95e86b9eef3ac269efcac57dddf6d7a0342f11c402a345c4362951acd958c70
SHA512 d10806c0d2783cef4d2cf8bacc28d1b4d03e2c1750700af4a0ccff45e0d07592a863e5347cc7981de3235ebc80cf445c194de9c14cbe1c7a3c555e407ad18fd7

C:\Windows\SysWOW64\Gfhndpol.exe

MD5 1e3cefd1ffb61dfb181ce45dfe5905b6
SHA1 027297ed52b28ceb452a0edcee12acab9bf0f13d
SHA256 c52b2ce22db467771d74514d7f4030286e7f95c2a280a5dec28f7ce6f5c54bf1
SHA512 4fdc0be79ae35f2d18783930f0d9bc9eca784ef40b8f7d1ffe8f2b7ce2bf2ab2e065f51c91c3046e631476877ca8d36e1b52e1761584100ba3f2a513a4913ad7

C:\Windows\SysWOW64\Geohklaa.exe

MD5 5100be01015148f78f94fae141a64295
SHA1 59e9b26b6b966d73c31c9454b1d332c2a22937ea
SHA256 bf676462e8db84b2cac00150a13ae761d166753e3d7f373eb50cc56012f4ee41
SHA512 c06230c94dda91b6be75cd3f415b9b2f9afa8cbbb7ce1b1b8ac68953ba839defeaa6ab29763166723a0491da524fc2c736fc92630e25235e48de38d272e3c32c

C:\Windows\SysWOW64\Gimqajgh.exe

MD5 5e36c569cc5d4d4fa1e279d83ea59150
SHA1 a912e440293dd45cd50808d318f1c43a0c0ae394
SHA256 6caa369c1786402a4758695af5213920b09ac483e79d6f1e9da44a70c2c42cb6
SHA512 93355c5a74c78af8cad3c0caa5e9f57ca153d8bb55bdfbaaa304167f848f6209a4a4d9b3cf4dfa9793467cf9b8287a82fc5d64a621b1363874f40d117ca58de4

C:\Windows\SysWOW64\Hedafk32.exe

MD5 15648e2a2c329a5afe26b4f52080ec71
SHA1 88f7c548265218c6194fd48b228929e5eb725a4b
SHA256 6836fcba3c6afb3027aa61656488e12128c2bc565b0f7fbe1048aa4c849d6c10
SHA512 dd38299d32c1c9890ded2be570f8d368a65db82844a437367c3a7066fdf1e1320714c7a5db9820917a958ec2596578b02774b1e59270479254f35313a8d2be56

C:\Windows\SysWOW64\Hmmfmhll.exe

MD5 eab2d8010f96b3977478f46eb06f9377
SHA1 9e3512d7bab0ea0cb8b15daa62d8d2a4211a8902
SHA256 b0c161b9587f96231b5c747bde3e0f94b26d345633aec8604fe0af1e74cabe39
SHA512 d644a1e2574f9ccb00809602494e5dbb5af2821efc5279e7b683f5995ebfe992e563aaeab0ce6b5d307e955b40bdeda02c9b35bb1b8f34f8c21159f72e8a57af

C:\Windows\SysWOW64\Hidgai32.exe

MD5 67029526cedbdb7218f699171c2c8d6d
SHA1 01bb344e6c0408d95f68454117492454f291c080
SHA256 17d98d252a3ff476100b6eaa5d1a8a2957fa9e1c8ecf475853e43d1e9fff3982
SHA512 459797f995caafb26562291b47da38b0398d83f865ec7c368ae036efc65ed2c83405a3df7d317d5f2cffa848880bda0a789a6945fae9221ba680e2501d309c73

C:\Windows\SysWOW64\Iojbpo32.exe

MD5 378a15861c9c6bfd6ef0d46b7cd19fea
SHA1 60bc8eafdf5757349a56632d8c505a48a31a615b
SHA256 58203b895ce04ffbb655b4c170dea14dc985ed671af9d54a517c4b3d0f3eedb4
SHA512 0493f0dd9755fb4eb1b6ee0965d95845cdb9916f7373547d8b62d3ded836931f453e8b02fdda99b74717c6bf251d6f44b3f988cffefd5511610cc319fc42407c

C:\Windows\SysWOW64\Jebfng32.exe

MD5 6a82bb71b3ae940dcbc1db1d0eabc2c0
SHA1 b3182920eea886775815274361813e5c9b618490
SHA256 665118276ddc0186ec78c6a1e80c8dc6e38f7f4fbee6a2e64ead61e6c94a8b18
SHA512 1aadd3f3de8386686e7b8fe9cf6d9e95e112bc4f629c43cf5f9ef034c19720b3cc8fb3ccca67b05c35c90b538497e1b6814d0deda07cb6acc929a73a9e8b04a8

C:\Windows\SysWOW64\Kegpifod.exe

MD5 e90f597724ff5910df91b7b4d2ec7564
SHA1 f10a85cccab78eb2cec292b373b5ca3e8fa4581d
SHA256 f870ae2b075c2201595b36387362a7dffd48e80f4e16596ed4048d6aff66e592
SHA512 c4d4b2cf4cca19d0fa720ebb4ab698cfd024d5792155a3ca389a4ace2a7c93dbfed66d2be10122156798861e19e6b57748d24c753bd301dfc1472acc614750a4

C:\Windows\SysWOW64\Kgiiiidd.exe

MD5 4b56e28d4fdd0b6e89c00560e494526d
SHA1 4b13f2a0746a6fa518934faeccafa7cbb6c73324
SHA256 2d5a505155a67bb38301dda94bfaf95ac2b9810d14f7a5c4bbe7a041e30638f0
SHA512 74f0e8528abe0bd739c16ea63a57da715b05ab007eec3f5ba8db1f165692fa25eec524d61078df60a0d3e80522085a2c2a09ebab3ea2ff9e6b97d73c99d903fa

C:\Windows\SysWOW64\Kfpcoefj.exe

MD5 20c912020654790b4b70990767d78b42
SHA1 8a0b7392382e308f354f0642dd405e9a29a39b31
SHA256 d3616063181731a9035d4425f9c84991d2d4b60440c613a2cb102a5253483c99
SHA512 8bfa211a2417bce078f10994e0cdc710e234f08c0b86049e541f804f42fcdaab905b6892bdffb92a393539369a608ff130f8f29de11e89d28162a58b93c57eac

C:\Windows\SysWOW64\Loighj32.exe

MD5 91cb09075261b3e3fac4c528c0063eb6
SHA1 b19f067c9b46e8dcf57550fb6ad7f36946411b33
SHA256 0e53d51de254de508bdcc30f6a427a67a5eeb8e43d679629c7d5fabf27aad9e8
SHA512 3df2f7a42f9ae4a1d0758ce7dac9b00479269de75c694cdbc36fd15cfb9b713ff681b8db9ff3c3aca37e98ceb7691ece63e67cfad7f0f9aedc1e1c1f2dcda3db

C:\Windows\SysWOW64\Llodgnja.exe

MD5 3be946337a0bf8dfc268604dd6f30227
SHA1 ba437b3d4f969f711084e337a53c0fac03669518
SHA256 0e710f9579a2f91abc2c1dfc0756fc32fb0890674d90c0abce0055776f12d730
SHA512 c00f48c5c080b492e9e91b526e8e30bd1403fceea2de8db772b78c7216bc476242e95947f7d58b02b0673c9ac29f4f043e22f4fad0a0d28910004f49ff5b74c4

C:\Windows\SysWOW64\Lmaamn32.exe

MD5 aab621125f96b0aac506ffa9bad297c5
SHA1 f6b50d71a92c4c6763d0d8e72b07d9e94a5b4291
SHA256 75b30e0c46a4ef30bd6124d16f9bf38dd63d26beb664f3d5492a788bed54c5b1
SHA512 6e232dcc3badbf7c9e27e55f9f4ddc07fffe7ae65266a02e7fc925562871bfbaa5d50a9befe8f78275fdbe17eb50789b2287bf38b701ad0618c082af838c0590

C:\Windows\SysWOW64\Lqojclne.exe

MD5 dbaae0dcb6ca5cfaafb4af66c91a88f7
SHA1 1225944d2d0491231c9fe52b883424680cad12fd
SHA256 eee8e8abf04b599fb4998a8a3d8c0457787bd75d7d6f1da52b43754ce73f7845
SHA512 3359f75e42ad43f9c8ceed46f1e4b565581758a96999300683c16e4b7fd478128251f551cc8420f01203e34d824900034899e6c73848a091860fe99bdf773cd9

C:\Windows\SysWOW64\Mqdcnl32.exe

MD5 e297a209aaf9ca0c0f5cb2ec02ebf9a2
SHA1 7b22436598f539ea3bb4337468e5fce93fd23ed7
SHA256 f3d21c694fcade6b914e1484d198abac6a970bab973e2fb65aa0174ac900e9fe
SHA512 aa2929fc2392a850eb67ca4e488dcbae651ac5e6b906f91faeb0ffefd872af7e6541b2c0a2ab35eb4d97c45fa043b4a47db1efb0eb83c1ac363fe3fbd299669e

C:\Windows\SysWOW64\Mjlhgaqp.exe

MD5 ecc6ba00005b5891fedc43501d3ee64a
SHA1 edec9749f7de6a2f07c6e81caa4c36910da49a26
SHA256 bc402edc2f4e2674dbf14966a640d503e7f712a34a507ae8e317ff98aea0f22a
SHA512 e9b7da76a9a5ed53aafdef4929725cfdad61f1f9c86541e50ff5b108ac8834e0bd053604109720d554f17e1ca75082538c98b759cdb979269f53453068d012a2

C:\Windows\SysWOW64\Mgbefe32.exe

MD5 e675148a9ba5604d74b90651474ca3d5
SHA1 b0d1bc58bd219139224793f9751dffe527ee00e0
SHA256 2f193c73cf1843bae158f3fd2547b706b6ff255bea19a9979b9901218c315940
SHA512 415e2680f7cb443e520627b7094622ece8741ae81a474f23e48a955d5733020e21b60787a45ed1988b7d1a4bd77d808856a28c722700598eeb038b9fc253800e

C:\Windows\SysWOW64\Mmpmnl32.exe

MD5 cf4a8d36b86b96c6ba79d5c9c58154d6
SHA1 48da1629e242ea7894b9daf8c50a902bc9d08566
SHA256 0f69beed9d6d9deff1621c9e044ce2fbf87839081cb653883e6b1402f8508767
SHA512 74403da558a7b7e8fa0fa0ff32236e33326ecc7aad02ec59adc8ab82a9ebfe15ad7370b615767621c76fdc4f55919c3744dc85c2fb377f8481708b7cca83c76a

C:\Windows\SysWOW64\Nnojho32.exe

MD5 a12a017cc8e82b85d6a7dad3743923c6
SHA1 45d2cf5994f3548ef1881afb91741227446a2a9d
SHA256 7de94e8971f9df0f6d70fc020770ca0bd70bbd0ee6de8b0bc72e4313a5747808
SHA512 d83b5aee809e8560a7894197c1274398bdb8e4492eff9442e3290d8b4ce712d019f257b9f79522bdf9d78898424cad8eddc6b120135f5d7c9105df7340da99d6

C:\Windows\SysWOW64\Nclbpf32.exe

MD5 5d2d85f65d290e742869b5fdc7095d18
SHA1 fa44da6d8310688791ed84937131aed56822344a
SHA256 5e9cdda92764124c2a2ee64aaf5af38be9abd184282ca65316b5b08c7b6a62e9
SHA512 753072657e69b3e32060570202146f9bc76361150853bda6ae1d16a2c838abd508fe33fb8f385fbbaec6e07e355e5cc38c0690de710c755ca130b1a4e832959c

C:\Windows\SysWOW64\Nnafno32.exe

MD5 472930318e341435a8f0c4a5e2fc5cc5
SHA1 b88765af41b07a8dc5a21d9b5d33a461e770e81a
SHA256 16697011834047d107cb1f9347de73dd22564d3a7ece72c58066912adcec0590
SHA512 9573b396f7763168f0fcfc845c34f0ca7e3e4951981478482b9a0d3cf4023dce1464cbf211ba4dd8841fdf5c2891e21b6cbe2b7da654a75a942763700fd33ed9

C:\Windows\SysWOW64\Npepkf32.exe

MD5 45b27d55cd28df3d810387a9cce9aee1
SHA1 37c528051a423088abfd41d132260a2a09d260e9
SHA256 0ff0f53de883767cb812ef89fc684bbb51cfc21ea22583db7753078e37133734
SHA512 a2c26d7b1bcbbd28f66f49b1e785ac20c2587d6f8a87043a658fc2eb83392237af8f73ba17e9d6c3211dea0509599e9be3bc1cf3e7580fab1c4e5581fbde1028

C:\Windows\SysWOW64\Nadleilm.exe

MD5 c7f66866cebdb8506a6b84b2da18ccb6
SHA1 ccb7bb5ea148e069e35a337990bb8b8c13c83d46
SHA256 c2e112c1615e5c3c27011ae1e431a68b75711b4c951ad23f48f090b6d466e110
SHA512 9c8ce612cc187bd67ce7fefb260cd62e62f2856d14e30f4650ad1262645ce6da1d51b287a27694ae4d06b5f3d2f11e220b8aa4b89b92dffc2d004cb9fd4d789a

C:\Windows\SysWOW64\Nfcabp32.exe

MD5 8c00815b4e873afccaa44632cdaaa965
SHA1 d064b0093cd176292f41c54d6c5d6bdf1243bc29
SHA256 857f4a067be01eef52dec5ba71a88065785db5e10b091e54217104e21690f66f
SHA512 ab9fcee43aedfbd9878a6af69d36b95b5af49f7ebe109f7f20e6afacad56ad59fcf943aeeb84bb064032f5422e41f31b4dc3e95239c31011f7744728ea051230

C:\Windows\SysWOW64\Onkidm32.exe

MD5 2e2e17f353b70a14e410c60b0633365b
SHA1 2c51630a176ca37c4c1e5b4f67d6e003627d31a4
SHA256 8fddcdd0189fe77139a748a87e11f47d16491ae14b7f90c5a49ac73f6e53ac85
SHA512 c2d62eff3d5e893396b1c11dd8f688c6d8ac578a38f909eda0214b21a0b66f7d8c4491eb7e2e3512230cd2b9db65f62e1486f85389d15f553522e6ef9c5e368c

C:\Windows\SysWOW64\Ogcnmc32.exe

MD5 4926af9b00343b9e6846fb9a94515663
SHA1 175da6829883ac6222550e88a6962f786da56e3b
SHA256 b707341f4aef16a82d162e6a1e62db3847440249a436637a2b2717baf35db592
SHA512 775e945ba0e26b5d1a993dc26206b33c8ad9627cc9a67e4efc97867caf767c49466dac743e648b986a57f8352763b6b68df9c78b7dc6d591705f5d1e32b3ddbb

C:\Windows\SysWOW64\Oanokhdb.exe

MD5 49067aad8aec38e450b2cf53c7e97dd0
SHA1 115d6110cdf76ae329ebc556ccc83af7b6ec205d
SHA256 8f5680958886ade13df13c7f8e1f57752145766101d9eef68d8b31f1161121fa
SHA512 c0af1544f0943bb41b5c7fe68039f878725f395e03b752699c2b5626ee3dde9aaf2d79c9028b26a3e68d2d74de69112cd382a703f57cf3cd065599f471a12801

C:\Windows\SysWOW64\Omdppiif.exe

MD5 18a36886b026eece839a0c2221ee9478
SHA1 6cc8fe73e0e2ff140a4cb30c0e25e27b49c0318f
SHA256 6d6e592534b70676bce706971deb6477cbca18de3397751cdabd0493116d2a79
SHA512 6123ef3f5aeeee966415b903ebd27b09d0411e5389aa69b636a0fcff670ef3c5eb545199eee3a191ebc9b92ccf8b14f529785e8c6bea0c1b3c34b6de1aab218b

C:\Windows\SysWOW64\Ohlqcagj.exe

MD5 a44c02a3d1ea59456902612bfbf8f3df
SHA1 670864cfa0ed1685ca314cb9f40e31ed6597bb1a
SHA256 4cee894878b97d1c50e3fbfab9b89d8ca54ef3d421713c732a5ece8b9f5a1f8e
SHA512 8b073c5ff671b2fa9c20bcbdc654f79ce1499942ebe95819f24de6e739afa31d0e7dffaa9b36244d98816248f1125f185fa4652c9a4aad718369e76943bd54ea

C:\Windows\SysWOW64\Pfandnla.exe

MD5 772da3769a1be34bf0c5637eef54002d
SHA1 07ca94425653deac2b6c5ad3a8004436f2da7da7
SHA256 40714c73a9f209252a5e7015d8e7492f30a5fba3673fab092336b8b9774f8af8
SHA512 a477a3eb822d281a06bd78e6e2331a8a55e9bae324a74b26b4147a3f8796ba0568798aac17b8c4ce01fc1f92628be9f07393ed27f41612b1c48d6bc8b9538cfb

C:\Windows\SysWOW64\Pfdjinjo.exe

MD5 6e841fe6922684f09573371760a0258e
SHA1 c063c2d538a3ed0d25b50f771b011e42456ad0e6
SHA256 90518a299a5d9b4b6c5ca728bdbb7773aea47a33ffbe47c1edc2a46214a11fd0
SHA512 61a483ed70a724b7e4b200c75ee97f7cdfaf387305b569d307f832fb6ffc9db87ab8ed1f5bfe9582ecd383bfa39a766cb89dda9ef77d1b92760f7361da53fc37

C:\Windows\SysWOW64\Pnmopk32.exe

MD5 cdefe0fc75746641da516918eaf1e0fa
SHA1 b4b91bc8849181961845f54573cc4d8f9a4a12d2
SHA256 732ff3e627da4ac9cb3b14c2155e0d9aea71f8b255e90638f8289a42f109cbd5
SHA512 fbea2eed7c0ab71b7f2bc488b67fe9f266553de5d6368520192b6b4f3e43b21fdc2d4efbb959f7ca4c6394b65fea60666573fb6126cb83e22472e27a157f3e99

C:\Windows\SysWOW64\Pmblagmf.exe

MD5 d7ec9e7bb75d2183b65b395b394fe54e
SHA1 caa278bcef5e41bdc59973fb95c2db84ec750c1d
SHA256 2808967a6a19fcb0b7cadec3d989f2a8055cf152a0a34b7448c982d820d8cfea
SHA512 9b72ec8256e07b43e973d7a42bb576b473cb46e394c8eabe93f98b1b34ea52b4305bc556e6025e4ce00e24be44f5a5973ed722f6d9fe5a5c167c4732b77e8261

C:\Windows\SysWOW64\Qmeigg32.exe

MD5 83efe6bb52e5fffb7b9d1d443eb30ef2
SHA1 70dbee92484581f6f8ce455069f89d58ed28d26d
SHA256 eb482885184b6da15e63c3e738029667e7b49f14c3e458b54c0df0036624d40a
SHA512 5a1f3bf25d5e27057d62fa46ca035a0603a65e7e7fdcdff6399ef69cdb992e77e03bf7c0478461981bf4ebf0cfdbf24f83a33984f36db9bb757e7b0fd9552c56

C:\Windows\SysWOW64\Qacameaj.exe

MD5 a5912c3e3ff49acc936126065e9f4bce
SHA1 40a30b233f1ecfc422df3553099565e2a48cc8e4
SHA256 5090d79b2775098c658a47ec99ebedbdc3e291dd5c30c883b1456a51cf8df9ce
SHA512 e245fbd42145ac9260b3d5c65b8dce831745cae26232446497f988b59aea75be5154421330c4b529bca674313a9391e2c677e66705702779ebda78e2532a27b9

C:\Windows\SysWOW64\Adcjop32.exe

MD5 1beeef42cce1e0cdf448cbc3cb5aa668
SHA1 28418281cbca66337cafcac52597c20177138a88
SHA256 65748ec260ea9cb7a1c29a0e2cf1d7c8ed2302acc483b6724b03a2fb9e5a2295
SHA512 974fa87c1079b15ff62b932cefef0ef71ced3e3c53ab7aae16fef23fb29f50f7cf061729b73a4d85958848bec9e0816a6b899efa6e5d8188c01bd2e6fb127706

C:\Windows\SysWOW64\Apjkcadp.exe

MD5 ebf276f25afe4fd10080a26b55a32e8b
SHA1 ed50c1f760843187572c54ec6f3a4ffc82e7c995
SHA256 3aa64603ee0eeda8460bd6023f4b87af15b24039956161827b2373d0b0f86552
SHA512 c79b04e07632b2e4ae31e0f3b230b75ec019d91abbf655857d71961f05a1e95e2b833e186c3246f371794d77fbb6cce277af350b749422de2c5ba6650b6995eb

C:\Windows\SysWOW64\Aokkahlo.exe

MD5 009e2ea4cb0dbbf31d934264b1133ed1
SHA1 568b0279b8dc75ef0eaa5a71ff0bee9c849149a8
SHA256 5da29befac359ed00eaecfcd97a5422aa71b73ec285d66fa4b7bd362f5e404e2
SHA512 13785f21dbf0acfa027790879c19b1228c0f0f7757dba338a8af1c0632f527d3330e7cfe200309bc01642fd9556d601be996ca6304b27ab33e5fbe1c03f5aaf6

C:\Windows\SysWOW64\Adhdjpjf.exe

MD5 2ef54d78c261bbdb456213945173518b
SHA1 4733726ecade83a229423434c63f1a7012351045
SHA256 0c595fa37605db20b5884277dac8fca7f3aa1ca9d2729c4a03ee0dd2f00328f2
SHA512 7f4e88182e1d1d4a0908a2a6595c25e1179ab3c335bdc0fbe2d9fa84c54ed0a83bbefd2d86826e811ad1acf86ef5399210da6f7a65449da07ea946f075da91d9

C:\Windows\SysWOW64\Apodoq32.exe

MD5 e30661d06102bec490ffb979aa481d24
SHA1 6a7c2014dd0824e03adfe75b1e795cecfeb033c7
SHA256 71348a44839b1540973ced24b69e410818245fd8b956cd87c44f947333f0cb25
SHA512 93a59ef868c1b8e59f34077af62d4ea5553d907d746fcdf1742c12321168f95a1346f081c0306362d305159d0f9039a5ea985f6e4bfd6736a0a13470d77df59e

C:\Windows\SysWOW64\Bdmmeo32.exe

MD5 0a2495b515a45b0b933cfde92c1bdacf
SHA1 27933590fef81e0711d94eede6c17e4b737c1ed2
SHA256 794d3206065149d55d7e50992c9f664896caaa1efdea7546f37550e9e84f9a3b
SHA512 7a3e9177257f6d5ec86fe94cc096db46ef12bde0d6ab727a814276b9d473116a424d5f1ac9749447bd4aaab1901d2b88a1afcf9d699478d118102318b1e49aa7

C:\Windows\SysWOW64\Bkgeainn.exe

MD5 c0b3025ba0ad0e85a0d1230a3eb8d1e6
SHA1 cc6bc9716d8facf9333bbff1bbed44f72b3cda16
SHA256 57029e85d46004418b72393f96458d3c35ae0611959387727b285c38218ba07c
SHA512 42cd362761920a307c006b5f2dd7babaf5f45649bca751bcc3aa948d9057d704617079662b5385fbafa518a4c75bb066afcab14f74da948383bff721b4848ce3

C:\Windows\SysWOW64\Bgnffj32.exe

MD5 b9b84afaf53fb7a4b87f2c1f992cad0c
SHA1 52d7ee45288d0a82bc1bae324d6da5a617331e3d
SHA256 ac1f58fcdf5381ec22c3c63b59d21d7c17acd39e6e66a3750d8f138fed269e4b
SHA512 3a87776335ba345baecf7ee38a0db8cfdd3cfe472acadfa281a13eff60da72f628fa31244ab0314fd2a7618fadd9743660be38f21761541da49d13284d055eef

C:\Windows\SysWOW64\Boenhgdd.exe

MD5 64b563f4e9f60e9508ae5d026c9eef3b
SHA1 1bfc15bc7caa2c3e643249c7637e2f465cc428f3
SHA256 75160f9ac46205c7da856b3a5b762154bf4f94d43676cdc355a1214822da6199
SHA512 779cb7b521f1dbe61ca7f5be5f59ac4ad42e784bd99cd2c5ed455be79b0c79b75b558dac337e4ec27be02f842bd355aa0c7667fa0e1802d228f1d265bdb5af58

C:\Windows\SysWOW64\Bmjkic32.exe

MD5 b9d52759db5af29e0de50d1cba105b18
SHA1 b76fec740b268de2dc5dfa1649279c2c304ee9f1
SHA256 e0574e786b35b2044cac71337bc2065a8a2e39e0f89cedc5a58dee8dd56986da
SHA512 cd138f69f0cadda8d4f4efa3e2a27f53c57e021701074098acbe09d0150c8c3b9c0bc97d73804158aeed773eca3d7f75175ecef41d681f970337191276b430fd

C:\Windows\SysWOW64\Bnlhncgi.exe

MD5 1e6046d37ef7c488a5fafcb8e6ca3caa
SHA1 5e1059720ca52f6bba6a2e44eeffa9f6ac8012cf
SHA256 fe463906503f19f3e7a9be31026f87561c3942d9884dadc827c2a5f8e0401e7a
SHA512 464426a91becad9a3dc901bdeff9b34524a8946f3ace237a74437e5a01381855a335a0e8a129cf742c34d8f7f2a3b4a8b08c995f8177eaf571a09be59e025d65

C:\Windows\SysWOW64\Bajqda32.exe

MD5 b5dedac8d237ce798aabfb5853c541a8
SHA1 21d4d862671515108dde973f6ebeabf830972f5a
SHA256 c79ce9071bd1886e56650221e85f788459f503da8d338d06178fce0d797cd0ab
SHA512 70bb055e96eeea7fd42055f33a66af1d74ec3c9f0ff171e7b4b3e8acffa20c3e47fc22a961bdd9e27a9ba6c00d615372c532d953a9971376943941083a713dd7

C:\Windows\SysWOW64\Conanfli.exe

MD5 9f7362b5b47eb0906e14b02a3dc67abe
SHA1 36d4b5d6e1e2949d1de0ec864b202e9f4cb34f18
SHA256 98519334029eb948b0f6858cfdb7bcfb3fd5a6d8bd28b6b35795e194b9fcdfc0
SHA512 0c47d5950630e959257392d57fe9d7f675b6ddec65657b079f4b49cca66ff558ad161a539fa1e60565e94930afab5a41efd6157cd845df4c9b664323956f125f

C:\Windows\SysWOW64\Cdmfllhn.exe

MD5 053c9b313182235078288f3a7ed23dda
SHA1 77b83bd3b73d8676b0a5f7872ededfa49072005f
SHA256 7e246e29a4ecceaf33cc87236227c61501696486d859573e7042bf770478bd71
SHA512 74124dcb4a1d5ef740c9cc29e1a2c0ad9461f500211aad9a52e6ad8ecef4f350f8f73ec875b97d37db2cafe69d4355faf4d7b52f80e235d2c076bdd3552f03a6

C:\Windows\SysWOW64\Cpfcfmlp.exe

MD5 17318d93246b2a6a28791e7bf7c36486
SHA1 c027189a7a754abae2bdea1da102de7cda0aeb91
SHA256 8c24f88e4638657f67aca88e09c97b808c3165dd0b49cec1b4c55de46301f372
SHA512 758a39cf4de0ffcaca05399e2ab6594fc2cf743d601ac6f18a154f363d215d11feec6c6df9087717cd20a51b8d2ccb9105f53fb925751cf25ffd78e0585555d7

C:\Windows\SysWOW64\Cnjdpaki.exe

MD5 9a0884b74f94443d50bd3fbbaa47ba61
SHA1 b5e65bb75bc71b3c92e1ac038ebb6eae818771a9
SHA256 632202ee171159d2ac154123549aafd65ee3ecd5f9c092085bc0199c17646c84
SHA512 6bd038861b9072e54f29682ae433538e1893be764d9b2b4d89b81d8df1404f3ca7c12b13432f915c53f744f8214e739918058d32646147d1e8720772b5903d35