Malware Analysis Report

2025-01-23 00:20

Sample ID: 240916-r4rvvstaqg
Target: TrojanDownloader.Win32.Berbew.pz-964629cf18f32cee219a1ade43a360ce71c9527c59c1d6ecd9c8d265a2b5cdf7N
SHA256: 964629cf18f32cee219a1ade43a360ce71c9527c59c1d6ecd9c8d265a2b5cdf7
Tags: berbew backdoor discovery persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 964629cf18f32cee219a1ade43a360ce71c9527c59c1d6ecd9c8d265a2b5cdf7

Threat Level: Known bad

The file TrojanDownloader.Win32.Berbew.pz-964629cf18f32cee219a1ade43a360ce71c9527c59c1d6ecd9c8d265a2b5cdf7N was found to be: Known bad.

Malicious Activity Summary

Tags: berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-16 14:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-16 14:45

Reported: 2024-09-16 14:47

Platform: win7-20240903-en

Max time kernel: 118s

Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Offmipej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alqnah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bcjcme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpgobc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nmkplgnq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njjcip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgjccb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlqmmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agolnbok.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpgobc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ompefj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pebpkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pplaki32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjakccop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Danpemej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbjeinje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oococb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bigkel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njhfcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phqmgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abpcooea.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjkgjl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofadnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aficjnpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmkhjncg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qlgkki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qnghel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Allefimb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Calcpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlcibc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdjjag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odedge32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmnnkl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnfddp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cocphf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nidmfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndqkleln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnafnopi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afdiondb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pidfdofi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paknelgk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcjcme32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndqkleln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oidiekdn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgaebe32.exe N/A

Berbew

Tags: backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mjkgjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpgobc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibqqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nidmfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Napbjjom.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndqkleln.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfoghakb.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadkej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odedge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Offmipej.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ompefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooabmbbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Oekjjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiffkkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oococb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oabkom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemgplgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Phlclgfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdbdqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phnpagdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmkhjncg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pebpkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phqmgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgcmbcih.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmeon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pplaki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgfjhcge.exe N/A
N/A N/A C:\Windows\SysWOW64\Pidfdofi.exe N/A
N/A N/A C:\Windows\SysWOW64\Paknelgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdjjag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcljmdmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbojmmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgjccb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qiioon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlgkki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpbglhjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcachc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeppdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnghel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Agolnbok.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjkgjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjkgjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpgobc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpgobc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibqqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibqqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nidmfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nidmfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Napbjjom.exe N/A
N/A N/A C:\Windows\SysWOW64\Napbjjom.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndqkleln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndqkleln.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfoghakb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfoghakb.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadkej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadkej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odedge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odedge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Omnipjni.exe N/A
N/A N/A C:\Windows\SysWOW64\Offmipej.exe N/A
N/A N/A C:\Windows\SysWOW64\Offmipej.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oidiekdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ompefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ompefj32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Enjmdhnf.dll C:\Windows\SysWOW64\Oekjjl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phlclgfc.exe C:\Windows\SysWOW64\Oemgplgo.exe N/A
File created C:\Windows\SysWOW64\Aebfidim.dll C:\Windows\SysWOW64\Aoojnc32.exe N/A
File created C:\Windows\SysWOW64\Ofaejacl.dll C:\Windows\SysWOW64\Cjakccop.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjkgjl32.exe C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Oaghki32.exe C:\Windows\SysWOW64\Oippjl32.exe N/A
File created C:\Windows\SysWOW64\Odedge32.exe C:\Windows\SysWOW64\Oaghki32.exe N/A
File created C:\Windows\SysWOW64\Ooabmbbe.exe C:\Windows\SysWOW64\Ompefj32.exe N/A
File created C:\Windows\SysWOW64\Cbehjc32.dll C:\Windows\SysWOW64\Dnpciaef.exe N/A
File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
File opened for modification C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Hiablm32.dll C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ompefj32.exe C:\Windows\SysWOW64\Oidiekdn.exe N/A
File created C:\Windows\SysWOW64\Qcachc32.exe C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Bceibfgj.exe C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe C:\Windows\SysWOW64\Bjbndpmd.exe N/A
File created C:\Windows\SysWOW64\Bcjcme32.exe C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pplaki32.exe C:\Windows\SysWOW64\Pmmeon32.exe N/A
File created C:\Windows\SysWOW64\Qpbglhjq.exe C:\Windows\SysWOW64\Qlgkki32.exe N/A
File created C:\Windows\SysWOW64\Dfqnol32.dll C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Alppmhnm.dll C:\Windows\SysWOW64\Abmgjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oippjl32.exe C:\Windows\SysWOW64\Ofadnq32.exe N/A
File created C:\Windows\SysWOW64\Lflhon32.dll C:\Windows\SysWOW64\Oaghki32.exe N/A
File created C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
File created C:\Windows\SysWOW64\Kaqnpc32.dll C:\Windows\SysWOW64\Cebeem32.exe N/A
File created C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File created C:\Windows\SysWOW64\Calcpm32.exe C:\Windows\SysWOW64\Cjakccop.exe N/A
File created C:\Windows\SysWOW64\Jhbcjo32.dll C:\Windows\SysWOW64\Pnbojmmp.exe N/A
File created C:\Windows\SysWOW64\Afffenbp.exe C:\Windows\SysWOW64\Aomnhd32.exe N/A
File created C:\Windows\SysWOW64\Bjbndpmd.exe C:\Windows\SysWOW64\Bffbdadk.exe N/A
File created C:\Windows\SysWOW64\Pqbolhmg.dll C:\Windows\SysWOW64\Offmipej.exe N/A
File opened for modification C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qpbglhjq.exe N/A
File created C:\Windows\SysWOW64\Lmdlck32.dll C:\Windows\SysWOW64\Bbbpenco.exe N/A
File created C:\Windows\SysWOW64\Oekjjl32.exe C:\Windows\SysWOW64\Ooabmbbe.exe N/A
File created C:\Windows\SysWOW64\Pidfdofi.exe C:\Windows\SysWOW64\Pgfjhcge.exe N/A
File created C:\Windows\SysWOW64\Cjakccop.exe C:\Windows\SysWOW64\Cgcnghpl.exe N/A
File created C:\Windows\SysWOW64\Fkdqjn32.dll C:\Windows\SysWOW64\Ccjoli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcljmdmj.exe C:\Windows\SysWOW64\Pdjjag32.exe N/A
File created C:\Windows\SysWOW64\Ndqkleln.exe C:\Windows\SysWOW64\Nmfbpk32.exe N/A
File created C:\Windows\SysWOW64\Omakjj32.dll C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\Ciohdhad.dll C:\Windows\SysWOW64\Cegoqlof.exe N/A
File created C:\Windows\SysWOW64\Nibqqh32.exe C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
File created C:\Windows\SysWOW64\Pmkhjncg.exe C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
File created C:\Windows\SysWOW64\Kmapmi32.dll C:\Windows\SysWOW64\Bhjlli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbbpenco.exe C:\Windows\SysWOW64\Bnfddp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe C:\Windows\SysWOW64\Cnfqccna.exe N/A
File opened for modification C:\Windows\SysWOW64\Qcachc32.exe C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Jmclfnqb.dll C:\Windows\SysWOW64\Akfkbd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Andgop32.exe N/A
File created C:\Windows\SysWOW64\Bnfddp32.exe C:\Windows\SysWOW64\Bhjlli32.exe N/A
File created C:\Windows\SysWOW64\Qqmfpqmc.dll C:\Windows\SysWOW64\Pmkhjncg.exe N/A
File opened for modification C:\Windows\SysWOW64\Andgop32.exe C:\Windows\SysWOW64\Akfkbd32.exe N/A
File created C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Hpqnnmcd.dll C:\Windows\SysWOW64\Adnpkjde.exe N/A
File created C:\Windows\SysWOW64\Pohbak32.dll C:\Windows\SysWOW64\Mjkgjl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bmpkqklh.exe N/A
File created C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Nmkplgnq.exe N/A
File created C:\Windows\SysWOW64\Baepmlkg.dll C:\Windows\SysWOW64\Ofcqcp32.exe N/A
File created C:\Windows\SysWOW64\Enemcbio.dll C:\Windows\SysWOW64\Oiffkkbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Offmipej.exe C:\Windows\SysWOW64\Omnipjni.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
File created C:\Windows\SysWOW64\Aacinhhc.dll C:\Windows\SysWOW64\Allefimb.exe N/A
File created C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bmpkqklh.exe N/A
File created C:\Windows\SysWOW64\Pdbdqh32.exe C:\Windows\SysWOW64\Phlclgfc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system32†Dcllbhdn.¿xe C:\Windows\SysWOW64\Dpapaj32.exe N/A
File opened for modification C:\Windows\system32†Dcllbhdn.¿xe C:\Windows\SysWOW64\Dpapaj32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oippjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alqnah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phqmgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aficjnpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cocphf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmnnkl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfoghakb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ooabmbbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmmeon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Allefimb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phlclgfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phnpagdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcachc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adifpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bceibfgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmicfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oibmpl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qlgkki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alnalh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcjcme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njhfcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmkplgnq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjkgjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpgobc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oekjjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bigkel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnpciaef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nibqqh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qeppdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aebmjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Andgop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odedge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njjcip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omnipjni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ompefj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnfqccna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nidmfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oaghki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oidiekdn.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aomnhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alqnah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll" C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" C:\Windows\SysWOW64\Dnpciaef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll" C:\Windows\SysWOW64\Nibqqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" C:\Windows\SysWOW64\Bbbpenco.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Adnpkjde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" C:\Windows\SysWOW64\Ompefj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ompefj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bceibfgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oemgplgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" C:\Windows\SysWOW64\Andgop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" C:\Windows\SysWOW64\Agolnbok.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oaghki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" C:\Windows\SysWOW64\Pmmeon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" C:\Windows\SysWOW64\Bceibfgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll" C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pebpkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cegoqlof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Calcpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieocod32.dll" C:\Windows\SysWOW64\Njhfcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" C:\Windows\SysWOW64\Pmkhjncg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Offmipej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qiioon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agolnbok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adifpk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Alqnah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qcachc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" C:\Windows\SysWOW64\Allefimb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbbpenco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bffbdadk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" C:\Windows\SysWOW64\Calcpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cagienkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oabkom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Agjobffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oibmpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhnd32.dll" C:\Windows\SysWOW64\Phqmgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjakccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Napbjjom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phnpagdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" C:\Windows\SysWOW64\Bniajoic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlcibc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmkhjncg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfdenafn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Mjkgjl32.exe
PID 2324 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Mjkgjl32.exe
PID 2324 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Mjkgjl32.exe
PID 2324 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Mjkgjl32.exe
PID 2652 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Mjkgjl32.exe C:\Windows\SysWOW64\Mmicfh32.exe
PID 2652 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Mjkgjl32.exe C:\Windows\SysWOW64\Mmicfh32.exe
PID 2652 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Mjkgjl32.exe C:\Windows\SysWOW64\Mmicfh32.exe
PID 2652 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Mjkgjl32.exe C:\Windows\SysWOW64\Mmicfh32.exe
PID 2156 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Mmicfh32.exe C:\Windows\SysWOW64\Mpgobc32.exe
PID 2156 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Mmicfh32.exe C:\Windows\SysWOW64\Mpgobc32.exe
PID 2156 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Mmicfh32.exe C:\Windows\SysWOW64\Mpgobc32.exe
PID 2156 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Mmicfh32.exe C:\Windows\SysWOW64\Mpgobc32.exe
PID 3068 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpgobc32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 3068 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpgobc32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 3068 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpgobc32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 3068 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpgobc32.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2800 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 2800 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 2800 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 2800 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Npjlhcmd.exe
PID 2192 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Nbhhdnlh.exe
PID 2192 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Nbhhdnlh.exe
PID 2192 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Nbhhdnlh.exe
PID 2192 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Npjlhcmd.exe C:\Windows\SysWOW64\Nbhhdnlh.exe
PID 2792 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Nbhhdnlh.exe C:\Windows\SysWOW64\Nibqqh32.exe
PID 2792 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Nbhhdnlh.exe C:\Windows\SysWOW64\Nibqqh32.exe
PID 2792 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Nbhhdnlh.exe C:\Windows\SysWOW64\Nibqqh32.exe
PID 2792 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Nbhhdnlh.exe C:\Windows\SysWOW64\Nibqqh32.exe
PID 2580 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Nibqqh32.exe C:\Windows\SysWOW64\Nlqmmd32.exe
PID 2580 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Nibqqh32.exe C:\Windows\SysWOW64\Nlqmmd32.exe
PID 2580 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Nibqqh32.exe C:\Windows\SysWOW64\Nlqmmd32.exe
PID 2580 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Nibqqh32.exe C:\Windows\SysWOW64\Nlqmmd32.exe
PID 3052 wrote to memory of 616 N/A C:\Windows\SysWOW64\Nlqmmd32.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 3052 wrote to memory of 616 N/A C:\Windows\SysWOW64\Nlqmmd32.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 3052 wrote to memory of 616 N/A C:\Windows\SysWOW64\Nlqmmd32.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 3052 wrote to memory of 616 N/A C:\Windows\SysWOW64\Nlqmmd32.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 616 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Nidmfh32.exe
PID 616 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Nidmfh32.exe
PID 616 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Nidmfh32.exe
PID 616 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Nidmfh32.exe
PID 1712 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Nidmfh32.exe C:\Windows\SysWOW64\Nlcibc32.exe
PID 1712 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Nidmfh32.exe C:\Windows\SysWOW64\Nlcibc32.exe
PID 1712 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Nidmfh32.exe C:\Windows\SysWOW64\Nlcibc32.exe
PID 1712 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Nidmfh32.exe C:\Windows\SysWOW64\Nlcibc32.exe
PID 2304 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Nlcibc32.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2304 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Nlcibc32.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2304 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Nlcibc32.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2304 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Nlcibc32.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2496 wrote to memory of 868 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Napbjjom.exe
PID 2496 wrote to memory of 868 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Napbjjom.exe
PID 2496 wrote to memory of 868 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Napbjjom.exe
PID 2496 wrote to memory of 868 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Napbjjom.exe
PID 868 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Napbjjom.exe C:\Windows\SysWOW64\Nhjjgd32.exe
PID 868 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Napbjjom.exe C:\Windows\SysWOW64\Nhjjgd32.exe
PID 868 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Napbjjom.exe C:\Windows\SysWOW64\Nhjjgd32.exe
PID 868 wrote to memory of 2032 N/A C:\Windows\SysWOW64\Napbjjom.exe C:\Windows\SysWOW64\Nhjjgd32.exe
PID 2032 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 2032 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 2032 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 2032 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Njhfcp32.exe
PID 2396 wrote to memory of 408 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nmfbpk32.exe
PID 2396 wrote to memory of 408 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nmfbpk32.exe
PID 2396 wrote to memory of 408 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nmfbpk32.exe
PID 2396 wrote to memory of 408 N/A C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nmfbpk32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

C:\Windows\SysWOW64\Mjkgjl32.exe

C:\Windows\system32\Mjkgjl32.exe

C:\Windows\SysWOW64\Mmicfh32.exe

C:\Windows\system32\Mmicfh32.exe

C:\Windows\SysWOW64\Mpgobc32.exe

C:\Windows\system32\Mpgobc32.exe

C:\Windows\SysWOW64\Nmkplgnq.exe

C:\Windows\system32\Nmkplgnq.exe

C:\Windows\SysWOW64\Npjlhcmd.exe

C:\Windows\system32\Npjlhcmd.exe

C:\Windows\SysWOW64\Nbhhdnlh.exe

C:\Windows\system32\Nbhhdnlh.exe

C:\Windows\SysWOW64\Nibqqh32.exe

C:\Windows\system32\Nibqqh32.exe

C:\Windows\SysWOW64\Nlqmmd32.exe

C:\Windows\system32\Nlqmmd32.exe

C:\Windows\SysWOW64\Nbjeinje.exe

C:\Windows\system32\Nbjeinje.exe

C:\Windows\SysWOW64\Nidmfh32.exe

C:\Windows\system32\Nidmfh32.exe

C:\Windows\SysWOW64\Nlcibc32.exe

C:\Windows\system32\Nlcibc32.exe

C:\Windows\SysWOW64\Nnafnopi.exe

C:\Windows\system32\Nnafnopi.exe

C:\Windows\SysWOW64\Napbjjom.exe

C:\Windows\system32\Napbjjom.exe

C:\Windows\SysWOW64\Nhjjgd32.exe

C:\Windows\system32\Nhjjgd32.exe

C:\Windows\SysWOW64\Njhfcp32.exe

C:\Windows\system32\Njhfcp32.exe

C:\Windows\SysWOW64\Nmfbpk32.exe

C:\Windows\system32\Nmfbpk32.exe

C:\Windows\SysWOW64\Ndqkleln.exe

C:\Windows\system32\Ndqkleln.exe

C:\Windows\SysWOW64\Nfoghakb.exe

C:\Windows\system32\Nfoghakb.exe

C:\Windows\SysWOW64\Njjcip32.exe

C:\Windows\system32\Njjcip32.exe

C:\Windows\SysWOW64\Oadkej32.exe

C:\Windows\system32\Oadkej32.exe

C:\Windows\SysWOW64\Odchbe32.exe

C:\Windows\system32\Odchbe32.exe

C:\Windows\SysWOW64\Ofadnq32.exe

C:\Windows\system32\Ofadnq32.exe

C:\Windows\SysWOW64\Oippjl32.exe

C:\Windows\system32\Oippjl32.exe

C:\Windows\SysWOW64\Oaghki32.exe

C:\Windows\system32\Oaghki32.exe

C:\Windows\SysWOW64\Odedge32.exe

C:\Windows\system32\Odedge32.exe

C:\Windows\SysWOW64\Ofcqcp32.exe

C:\Windows\system32\Ofcqcp32.exe

C:\Windows\SysWOW64\Oibmpl32.exe

C:\Windows\system32\Oibmpl32.exe

C:\Windows\SysWOW64\Omnipjni.exe

C:\Windows\system32\Omnipjni.exe

C:\Windows\SysWOW64\Offmipej.exe

C:\Windows\system32\Offmipej.exe

C:\Windows\SysWOW64\Oidiekdn.exe

C:\Windows\system32\Oidiekdn.exe

C:\Windows\SysWOW64\Ompefj32.exe

C:\Windows\system32\Ompefj32.exe

C:\Windows\SysWOW64\Ooabmbbe.exe

C:\Windows\system32\Ooabmbbe.exe

C:\Windows\SysWOW64\Oekjjl32.exe

C:\Windows\system32\Oekjjl32.exe

C:\Windows\SysWOW64\Oiffkkbk.exe

C:\Windows\system32\Oiffkkbk.exe

C:\Windows\SysWOW64\Oococb32.exe

C:\Windows\system32\Oococb32.exe

C:\Windows\SysWOW64\Oabkom32.exe

C:\Windows\system32\Oabkom32.exe

C:\Windows\SysWOW64\Oemgplgo.exe

C:\Windows\system32\Oemgplgo.exe

C:\Windows\SysWOW64\Phlclgfc.exe

C:\Windows\system32\Phlclgfc.exe

C:\Windows\SysWOW64\Pdbdqh32.exe

C:\Windows\system32\Pdbdqh32.exe

C:\Windows\SysWOW64\Phnpagdp.exe

C:\Windows\system32\Phnpagdp.exe

C:\Windows\SysWOW64\Pkmlmbcd.exe

C:\Windows\system32\Pkmlmbcd.exe

C:\Windows\SysWOW64\Pmkhjncg.exe

C:\Windows\system32\Pmkhjncg.exe

C:\Windows\SysWOW64\Pebpkk32.exe

C:\Windows\system32\Pebpkk32.exe

C:\Windows\SysWOW64\Phqmgg32.exe

C:\Windows\system32\Phqmgg32.exe

C:\Windows\SysWOW64\Pgcmbcih.exe

C:\Windows\system32\Pgcmbcih.exe

C:\Windows\SysWOW64\Pmmeon32.exe

C:\Windows\system32\Pmmeon32.exe

C:\Windows\SysWOW64\Pplaki32.exe

C:\Windows\system32\Pplaki32.exe

C:\Windows\SysWOW64\Pgfjhcge.exe

C:\Windows\system32\Pgfjhcge.exe

C:\Windows\SysWOW64\Pidfdofi.exe

C:\Windows\system32\Pidfdofi.exe

C:\Windows\SysWOW64\Paknelgk.exe

C:\Windows\system32\Paknelgk.exe

C:\Windows\SysWOW64\Pdjjag32.exe

C:\Windows\system32\Pdjjag32.exe

C:\Windows\SysWOW64\Pcljmdmj.exe

C:\Windows\system32\Pcljmdmj.exe

C:\Windows\SysWOW64\Pnbojmmp.exe

C:\Windows\system32\Pnbojmmp.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qgjccb32.exe

C:\Windows\system32\Qgjccb32.exe

C:\Windows\SysWOW64\Qiioon32.exe

C:\Windows\system32\Qiioon32.exe

C:\Windows\SysWOW64\Qlgkki32.exe

C:\Windows\system32\Qlgkki32.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qcachc32.exe

C:\Windows\system32\Qcachc32.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Qnghel32.exe

C:\Windows\system32\Qnghel32.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Agolnbok.exe

C:\Windows\system32\Agolnbok.exe

C:\Windows\SysWOW64\Aebmjo32.exe

C:\Windows\system32\Aebmjo32.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Allefimb.exe

C:\Windows\system32\Allefimb.exe

C:\Windows\SysWOW64\Acfmcc32.exe

C:\Windows\system32\Acfmcc32.exe

C:\Windows\SysWOW64\Afdiondb.exe

C:\Windows\system32\Afdiondb.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Akabgebj.exe

C:\Windows\system32\Akabgebj.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Afffenbp.exe

C:\Windows\system32\Afffenbp.exe

C:\Windows\SysWOW64\Adifpk32.exe

C:\Windows\system32\Adifpk32.exe

C:\Windows\SysWOW64\Alqnah32.exe

C:\Windows\system32\Alqnah32.exe

C:\Windows\SysWOW64\Aoojnc32.exe

C:\Windows\system32\Aoojnc32.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Aficjnpm.exe

C:\Windows\system32\Aficjnpm.exe

C:\Windows\SysWOW64\Agjobffl.exe

C:\Windows\system32\Agjobffl.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Andgop32.exe

C:\Windows\system32\Andgop32.exe

C:\Windows\SysWOW64\Abpcooea.exe

C:\Windows\system32\Abpcooea.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bhjlli32.exe

C:\Windows\system32\Bhjlli32.exe

C:\Windows\SysWOW64\Bnfddp32.exe

C:\Windows\system32\Bnfddp32.exe

C:\Windows\SysWOW64\Bbbpenco.exe

C:\Windows\system32\Bbbpenco.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bgoime32.exe

C:\Windows\system32\Bgoime32.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bniajoic.exe

C:\Windows\system32\Bniajoic.exe

C:\Windows\SysWOW64\Bmlael32.exe

C:\Windows\system32\Bmlael32.exe

C:\Windows\SysWOW64\Bqgmfkhg.exe

C:\Windows\system32\Bqgmfkhg.exe

C:\Windows\SysWOW64\Bceibfgj.exe

C:\Windows\system32\Bceibfgj.exe

C:\Windows\SysWOW64\Bgaebe32.exe

C:\Windows\system32\Bgaebe32.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bmnnkl32.exe

C:\Windows\system32\Bmnnkl32.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bmpkqklh.exe

C:\Windows\system32\Bmpkqklh.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bcjcme32.exe

C:\Windows\system32\Bcjcme32.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bigkel32.exe

C:\Windows\system32\Bigkel32.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Cbppnbhm.exe

C:\Windows\system32\Cbppnbhm.exe

C:\Windows\SysWOW64\Cfkloq32.exe

C:\Windows\system32\Cfkloq32.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cnfqccna.exe

C:\Windows\system32\Cnfqccna.exe

C:\Windows\SysWOW64\Cfmhdpnc.exe

C:\Windows\system32\Cfmhdpnc.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cagienkb.exe

C:\Windows\system32\Cagienkb.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Calcpm32.exe

C:\Windows\system32\Calcpm32.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Ccjoli32.exe

C:\Windows\system32\Ccjoli32.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dnpciaef.exe

C:\Windows\system32\Dnpciaef.exe

C:\Windows\SysWOW64\Danpemej.exe

C:\Windows\system32\Danpemej.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 144

Network

N/A

Files

\Windows\SysWOW64\Mjkgjl32.exe

C:\Windows\SysWOW64\Mmicfh32.exe

\Windows\SysWOW64\Mpgobc32.exe

\Windows\SysWOW64\Nmkplgnq.exe

\Windows\SysWOW64\Npjlhcmd.exe

C:\Windows\SysWOW64\Nbhhdnlh.exe

\Windows\SysWOW64\Nibqqh32.exe

\Windows\SysWOW64\Nlqmmd32.exe

\Windows\SysWOW64\Nbjeinje.exe

\Windows\SysWOW64\Nidmfh32.exe

MD5 434afb55b2f0bc1f0c1981d2046def0a
SHA1 235eb38ff6f905eb135c8327107b6fa26eb9281a
SHA256 b23d3b9e304b8dac6e49c785e9638c793f13e62c2eb7a7c4694551ff3af5756d
SHA512 152d03c179f47a612c51e0920731800b842fd0be482cb08a2f7e5e3c9b5e1ee553cbf287aa51f382ad50d87d5a009fc200b7f6525f7b1f24f3e80264a5920017

memory/1712-137-0x0000000000400000-0x000000000042F000-memory.dmp

memory/616-135-0x0000000000430000-0x000000000045F000-memory.dmp

\Windows\SysWOW64\Nlcibc32.exe

MD5 e0dd83071718be7269c9450e639d5f33
SHA1 8c4fc7aa02529e50bdfe14a46160631e01a836f5
SHA256 f809d34133e92310aefdbfb8a17bc272ddb033d5769c2309fc8823c3ae12cfc0
SHA512 8ba2a0b0fe975744733a8c6c54abf7fc69242677e0287d1063388623ac9a6ef0bfd68ea43d965823dddf6b2b49d91571359f93f23915379195efb4c3aa105486

memory/1712-145-0x0000000000260000-0x000000000028F000-memory.dmp

memory/2304-151-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Nnafnopi.exe

MD5 42dd33735ddff20cf48741498ee1d67f
SHA1 043305585cdca6df17251bf4c2eff34e58b065a5
SHA256 62256fd6f29c590f8af73fa6549f241876bc2138472122ca27884f4a8537f7cb
SHA512 9400e5fd84d2c67a82f3887e3a41c13648148b0eb7eb0e54baa2d2f7409594811afb8f57455b22fc634f9976893f4ff9f060b5237df980429682755fb3bd1c34

memory/2496-165-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2304-164-0x0000000000280000-0x00000000002AF000-memory.dmp

\Windows\SysWOW64\Napbjjom.exe

MD5 b95646c8d15e17bff2247c2a12d584ab
SHA1 9c0ebb295e80ef81c2f9f570eb1e3c6f73d0c2d1
SHA256 609ec753a7606a0ac7d7d75b45d83130124907210f55ff9d72712d94237158cc
SHA512 df9b61bf4e233846704eb95e183f97994db7a90b0108738ffee10325215d4035625f050e1c9f05fc1401de095f0118af4cb3130c8685138de86a25972ac10bad

memory/2496-173-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Nhjjgd32.exe

MD5 ec0e37edec827c68f29521e7820843bd
SHA1 20b2c3cdc9fd84a9eee0626bee2bdb32f52bc43a
SHA256 74e01ddbfaa1cbd8558fcb1b58fce9e4015e882f1f7fff2842d82c16df105e4e
SHA512 d9f50b48053c2c68ec9f7b847d966c1c8c21b83162ffa0d38bbf16f04c06faf8b320fc187be6a81ab2f634a6928d44199eb521e1ec5ac97f41b3e1264dd1080b

memory/2032-192-0x0000000000400000-0x000000000042F000-memory.dmp

memory/868-190-0x0000000000280000-0x00000000002AF000-memory.dmp

\Windows\SysWOW64\Njhfcp32.exe

MD5 522e6dd4f32e8a1af912ed985d3d5e64
SHA1 da2e89d308315857214a891a12b4b66c05619304
SHA256 5ddbbeda15fccffec6a68a50d4fc1a7a1d7822563630d746f574bf7342da7194
SHA512 909462db0d286fc08e5a12a0e82ab5a2a1c348ea0a9f324875b2f4e9c7cae63f3f27a8210dbd1d11a718fd970a5c09ee42526911776333f83d96b844efe433d4

memory/2032-199-0x00000000002E0000-0x000000000030F000-memory.dmp

\Windows\SysWOW64\Nmfbpk32.exe

MD5 58113f49f731280a1be565340cd6507a
SHA1 9eac6ef9ac8b7222e39c60c5ffed7be70f520cb0
SHA256 f1de088f217865b5aaa65b81943bd233500cab4e04e35c577e4e6875798d89a5
SHA512 916c09de7041b5cc6a4f2cae716a38b24806c1c66c9f8cf298d99c7dcf3620d96bd882c9c2351c377bf2e5991777d57503aeebb713b3f304d5c294168cd3c5f8

memory/408-218-0x0000000000400000-0x000000000042F000-memory.dmp

memory/408-225-0x00000000003D0000-0x00000000003FF000-memory.dmp

C:\Windows\SysWOW64\Ndqkleln.exe

MD5 3bc727829c8be5ccdd9d417a4c972244
SHA1 4dc8ffb79d0254fa3f01fd9b3783ec5239d66b26
SHA256 5fbb05e22eb56a730c577e4a9eec120e3521222879d3678bfd8b792d58a3a9b7
SHA512 3104b1a2100218fb455ffc778ed48ba1c6f324197282f4b42cdd793f00e1ef5c1c7b9af4c0e6fb1761b7e4616f98f02319b568b79239c2f33586b52d62f7342c

C:\Windows\SysWOW64\Nfoghakb.exe

MD5 ab14ed7ddb1aa34f81d5b0c9e92d4251
SHA1 ee3abdac58c2cd9c223285de74e03afbc4ee7843
SHA256 0091930313fbd9f665db01a17f2189a4959bddc3164a03eb8f64bfa788e6ba95
SHA512 fee4d13ad14caca2cad27c771e5cb1e0d5103c0ca3dcb10335b900698d5b74c4a853582a640b9885d329dd3dc0f72c0acfc64c0dc98cfc1db718e6d3e9d83d44

memory/1976-237-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1976-243-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Njjcip32.exe

MD5 2f40b75dc51dfb45816070c945dccb43
SHA1 c4b11ada37ef32c658c763aad318295ca32dad20
SHA256 949481d729bf0770c3fef535ad622ee0f3adf9a3e0f099b0d3c06c1d2810179c
SHA512 2f189ab1ec0fe3c640f1c539e34d9a28cdc61a89151d5714e3fb08766feedad1a5da4a4c2b2b6d120adaae09e5aefd32f7a00d199469cfa8d408f7fd01ca0334

C:\Windows\SysWOW64\Oadkej32.exe

MD5 7fb5d27974f996a08028b6f3569c449a
SHA1 be48be65d84b6cd9c584dfccb7d71b907a70a119
SHA256 94bd335fe682af16d5fd5b6e983adde1fdadd9b809cdaed4c2b2f46154224505
SHA512 f67a6ba75e31f144ba9bd382c8b40207ddd5effd3ff68f7ac7b28feb62de66d1939bcf3a43c6a308e5f682c3bfbd9463085c2b9471839b4e722444adac550706

memory/916-255-0x0000000000400000-0x000000000042F000-memory.dmp

memory/916-261-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Odchbe32.exe

MD5 ff5107665062f0ebd7ab3797cfa1f062
SHA1 ee63dc3a5d0f02ba3eceef1883ff2938c9733835
SHA256 2540125d688b4aa340a1624fd736e5887c1f9047a51bc1dadb5cd9f22a7f37fc
SHA512 a90de2e1469c51c78eb7e9da5b303d37fb3873fca0235a844b402cb74368b03fca8f3b23e71eddf8c46f61cf6cf09c1048c95f2cc724863edde89ca78f0d1615

C:\Windows\SysWOW64\Ofadnq32.exe

MD5 8dd07129b9b59b8837a8a671135411a5
SHA1 2436d90738f976cdfc950bf5188739f84519a0a3
SHA256 d6c42cc66d3f745594180164128182d1384a265c26e5b0470ee5582125e98f46
SHA512 b0e6304cbeabe91c6dbb9619411e86c5728f84d3642bb109d8ba2da498a84cf63d5185b770cdb3a98644f77ac4e8f9518c7dbeb821e0af406d787b42ee6e06b2

memory/1536-273-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1536-279-0x00000000002D0000-0x00000000002FF000-memory.dmp

C:\Windows\SysWOW64\Oippjl32.exe

MD5 80a74b6dd811ef2a02518b78d7eaeabb
SHA1 eb8c142896558a7da8ea97809a7fe1f20917b537
SHA256 df3ed68cfd2de707ce0ff443be9cc7b4614c1a897beff48a51b408837cdd9f2b
SHA512 49aa3ad8683abea394bafa0465bd19515ddae08b3aa7bb1dc92bff18cdc2b9350622fd3468d050f9b25368625ffbfc8b6af2f4c1dcfbfae24b5179f15ddeb6fa

memory/2084-288-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Oaghki32.exe

MD5 bb0faf39c96bce96fcb8cc3d0ecee795
SHA1 4b7333eb3855b308459f5846e12dc7795d7c3067
SHA256 cf960f664b78a3912b0a6f6331ff8cc592401cfa2bb142f418e3537caa9c287d
SHA512 9b42e0040508db9761a5e44f03ab2a2d51e070a40fdbd02d022528d2417c89f9d116a07470583dd89d3cdbd9410b7fc75ac8ad0e1d0cd6950234fc3457b8472e

memory/2184-297-0x00000000002D0000-0x00000000002FF000-memory.dmp

C:\Windows\SysWOW64\Odedge32.exe

MD5 acaefd2437878ff5b48cb5ea613b8bb3
SHA1 6f896d17b89a9a452bb2d8db9f65f10fedf1245f
SHA256 2f4c8a2be39564015343f22a6677e438c758d565242e20f1bb2f6a2873a8b12d
SHA512 cdcfead30018de09ebc1d7783655f8aba37f7556e2c24ed2cc6c82f975c1504aa2bb0b076b480676631fca4ef0cc9bcbf4b103d3829b71fb484a5e2fe5ecdcbc

memory/2152-305-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Ofcqcp32.exe

MD5 14ec6a7c1dc0d60c873b96d6cd69da7d
SHA1 e5337e91c0b23cc56ee5daee7751fce4eef19ad0
SHA256 b061a64f7515ebe05831e1ad61e266c556a08e2ebd7edbb5abe7a51f8e6fe805
SHA512 95018205d5c70ad65af9c03cbdaf088f031b827b38be9d56f9016a9ef8d96dc544df1aa7dd41e3e7475c62938fe65c0f5c3c745262b28b4560e626fb6fc0808a

memory/1580-316-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Oibmpl32.exe

MD5 a0b1332faa3e87a61afde0f98d1d3386
SHA1 9b7f0d63caae9203a8cb37d371ccc948f8b520c9
SHA256 ab78141ba580ccfb47441e18a2163cf7227a27624e1f9f3ac1c7a0b686570abd
SHA512 0ae2998593e10b3fa0d6314289540ea583ec9d422437fae45aea00df1e64841025831c5eb945a4489154a9d4639c0c0a54db1ac786990c1e395ed5cadb01d48d

memory/2204-323-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2152-314-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2204-326-0x0000000000270000-0x000000000029F000-memory.dmp

C:\Windows\SysWOW64\Omnipjni.exe

MD5 eead89917ab0c8f8cffddd7bad3d3cad
SHA1 56d1792fb84b99c41926c7fe83bd8fccdc590c76
SHA256 59426d4c322ea8b930b4856914bba8a12a11425b16a607cc90465ce74707a59b
SHA512 df0b7189bb9f895d025cb44e2973bce61fb795293c9fa7afa8db86981181818ed54a3f3f80f80d9ae12bcbc5b95942299bfa9ca5d1f2b59ea7910ac34ac18772

memory/2204-330-0x0000000000270000-0x000000000029F000-memory.dmp

memory/2708-331-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2708-337-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2708-341-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Offmipej.exe

MD5 857debc9e76ad8e7ae045b4f6cd124f4
SHA1 e567ff6e2907632a4fc70aec600eb0ddc5f64985
SHA256 8f6a0d99358739e195379fd1e9a8c336a21c88b7fa877426e4d71810df0d6dbf
SHA512 349f343550caf51b8e6cb505c6844001f886bab431398a30fa978ff355015c9cc31c99d1e8d0c97011d8bac980c193299032d945ed823f5118b4b49a778b170e

memory/2692-342-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2324-353-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2828-355-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2652-354-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2692-352-0x00000000002E0000-0x000000000030F000-memory.dmp

memory/2692-351-0x00000000002E0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Oidiekdn.exe

MD5 c81764f5bf3a70f2aec888f78b6b3040
SHA1 e08c81b9918a1ace6567b959a5af0a3ee5d3c7c4
SHA256 6f249bb8b599c4387995cc4590dddf39027767ee29e751ce14b87ae0da0108f4
SHA512 b0f3113d6f0a877134c2de106e3daa7292b7d06e7be197f61f749c148b0d73c86a15166c1a745dd194d25061d632fa2dcbd74a5e389a86a774db67473041ae35

memory/2704-366-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2156-365-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ompefj32.exe

MD5 ccbef64874c0e0dcb09369fd5dd83429
SHA1 712c9841efd2541dff38176680d7926e5d988339
SHA256 bf13e16010100e2028acc4d96ab30a914600bef2992db11f7bfe60aea98b7ed6
SHA512 7fbe8e415e6fe7c3f1af09b67db46e6b5e237f2cc64f14d22edeba470a365a0276a9e6135a95f57dac77246e9b6ce1df5f113e4abf199c0163f3a1fa3c2aa164

memory/2324-361-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Ooabmbbe.exe

MD5 ad5f642fc8af3f6af07be334d8e86300
SHA1 f45fc86d44e998d4200a5c4f7cac12b633d2928c
SHA256 37fb4dd098e967a2d5cde213180950ee4fdb137622134d7364884115bd271057
SHA512 a415a0f04c6f4af6b323b6cbabed998329a2bc55f934f26b1eef48c422059b32fdd6279d93206ca6fa6e2812099ea692c9c9145f291426de5cdba1eef85447de

memory/2704-372-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2600-378-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3068-377-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2156-376-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Oekjjl32.exe

MD5 b015c05bd42452d70e638c125e686042
SHA1 f5a58da16231cedeb3a73788e6f5183da3c9d616
SHA256 386f7d7e98199fa2c2c26666db5c15681fc36228f06aa733ac6fa000177a68d0
SHA512 4b673e71b8f4fb03435075f8ea4ed35bd2ec4a99d352cb54e5d65f9ffce72b45a3576a001e9415a221bd28e3ccd76fc619996e9d66a75e62c4b527c0ff360b68

memory/2800-390-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2600-395-0x00000000002F0000-0x000000000031F000-memory.dmp

memory/1992-389-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1716-403-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2800-402-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1992-401-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1992-400-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Oiffkkbk.exe

MD5 6325049a846827e65510315e3334ec43
SHA1 7d690daedbebbf76e6f31d9cabdacd7937294dc6
SHA256 94dae62df724cc5ae80f8393af5964ef01379651328dc1e9f29034d6d02aa3cf
SHA512 08276567be60dbc55b7b7ba0d516afbbd6d5c349fb36c1cab804fdc2e7cb2931964ad3d09eb8fa00e49bb454415b958f578ff8d6c80860110f35211bb7e9de98

memory/2600-388-0x00000000002F0000-0x000000000031F000-memory.dmp

memory/3068-387-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Oococb32.exe

MD5 38df6ed4a3e5e36e18a2bf5580dec52b
SHA1 6f2ae9a240377fb75d8cf5b19a93fc56139a7c2f
SHA256 27e4907ec826e809be49b39eb1ca83ffdba932530109de6196093a520537e499
SHA512 fddd09b409b7b545e50d0e47755b5a1e03825f90728e91a7eaee7000ee9f5dc6f3b5f506ed1eed6589a2f15c2e7a25863351772ad4ae9739f1a2da2256b8f166

memory/2192-412-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1672-423-0x00000000002F0000-0x000000000031F000-memory.dmp

memory/1788-437-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1968-443-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2792-429-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1968-449-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/616-448-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3052-447-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/3052-434-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2580-432-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1788-431-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1788-426-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Oemgplgo.exe

MD5 a34522832c1481b4d9798a15985799f2
SHA1 c1655add5132808ac3bcdcda473a41d984f790de
SHA256 bd3ded25cf4b6254e425703ea273a08eb39089ba465fb01c389e3f9750c14677
SHA512 e0256cca4d333c963403d924f6f39bb60adf98a3cc394690ac2a91b2c49dbe828aa431764a7ad39b8d6b81927335172f4df42e7d21842e5a76f67d0178912a6a

C:\Windows\SysWOW64\Oabkom32.exe

MD5 bda58876c960c240f4bda277299a80d2
SHA1 8391403faa82f022e68f3ee98c7a24e13d17ad91
SHA256 e867325ea6ccb12ee58753ce3e6a72c840b5ec60bc68b0d773a580dcadfecf0f
SHA512 620acd6af035a37f61e2ba88bc0458cbd432fc4e923f70fdf904bc05efb15207ae1b0bd5d34b47ed8a6bd839a3cb04e4973919fc96a8d47d3a949efc271a2324

memory/1672-414-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2792-413-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Phlclgfc.exe

MD5 972b28b5c9df57b2d9abb26baa8e6d1a
SHA1 e6aca2468692634f47f6fb221498b938c740d641
SHA256 f97c827b2fcd8247d20319fe8c3f287a68c155e3414d2518c87a62331046e0d8
SHA512 7558d4515e42f006e26cb273bff99ec708c758998d3551509cc20f781801898c38977b117a153e2fedf4098f30b8c2371f00b2d1ae1c365b64448a220dcfc828

memory/616-455-0x0000000000430000-0x000000000045F000-memory.dmp

memory/2636-461-0x0000000000280000-0x00000000002AF000-memory.dmp

memory/1712-460-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2636-459-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Pdbdqh32.exe

MD5 0eef58e177b6d0db40961748349bac83
SHA1 7b7652dc7aab1f9a181dfde3d68fc20a006fc1a0
SHA256 fdffcb6173c5d51866e8d283f46ac46969c76a9f6d9f616ef6bd462c7fe71131
SHA512 fc49ffe6fdd5e42e12726785e9e37b57a10f6e24356afdab6cb7b7ca132db3db51685b83d82c44c62415f01b96100b5a94b06c1b462b12500150e8b914b50f90

C:\Windows\SysWOW64\Phnpagdp.exe

MD5 fc00530c8bf89b63b8a475ef037f9da1
SHA1 9812489fe0fd483704696fabbcb698f0352c2854
SHA256 ba57ba05a5028296b22864d70f7c22c42281377a38b4b791e0db11e9ac31d903
SHA512 e57c72f23e38d936466a46ccdf38ca274a6f76590d73856f79c7f6f333583ce5097611d183ab519bbe9dede03ac8555b1cf5bfd1a4d8221e211a586d7ec824fb

memory/2664-470-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2796-471-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Pkmlmbcd.exe

MD5 a9ce88f138aef48318f335fba9486d69
SHA1 02650b9f3d98839cc431024ce94d20ae6aed993d
SHA256 1737a96081eae8bd18c98cc4ef7211659dccbfe2765292c93debcff1f20c593f
SHA512 eadea0d1677dce59a86440cbaa9b40db3707bbb05e6145c447ba1b61ab6554f078febadf7a77a5ce6371e9a86cc1e229c087c5546b9fd533f6f4196f2a70a1b0

memory/1712-480-0x0000000000260000-0x000000000028F000-memory.dmp

memory/2628-482-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2304-481-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Pmkhjncg.exe

MD5 6e4272d3993e6606aee2a45ac372b8d8
SHA1 7f23cd2c4a44e2b2a3af1f64d3b6a394b526f1e4
SHA256 0ff9c3f705001ddb4e3e5c209be7e4db177909a71c983e6adc85d1c7ce8f5d9d
SHA512 3ade3894bae7f7dee32b9cbde13875bbdabab360379c228ff4a6845fe945a26b6c12101d4328ceaca2c18786d1f34fc4e85df2c347a8b933a78e93b7bea582ab

memory/2496-491-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1364-492-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2496-498-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2260-503-0x0000000000400000-0x000000000042F000-memory.dmp

memory/868-502-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Pebpkk32.exe

MD5 b1181b9f5a9119483075248889fa000b
SHA1 80ef67f3a24f63c14b771492d92ec1e2b336ed8a
SHA256 7974cf4e522bb9592c314d0a9ce5f2a5f461eb33a55b41229c1b41e645181cf9
SHA512 231458b66fbebdbf69dbe002cdf787307414c8cb0875cf8cb48737f9462171e2e993a115f1c004a8f2d637697fce598fc961e5ded037353064cff577edb1fada

C:\Windows\SysWOW64\Phqmgg32.exe

MD5 504749750ebc2ee1dfc40ebef3e39d1f
SHA1 69ff6d93d00e2d29fbf96122bbb1449390376ce4
SHA256 c841802280ee19faf31ade7184d8954c87fc834c57459bae4b8c9083c967ecaf
SHA512 46e04909c632036665677b7f11f83ff5717cc0c48419549baa959807a1ad11aa4cd8ba14772497f75ba17c39861d9f6a6889a6d3cd70cbadace4ead6fadc392b

C:\Windows\SysWOW64\Pgcmbcih.exe

MD5 c52c0c8cbf71333aa0a1084ba7c5fff0
SHA1 f2e7b89c93512913c5ca5f264c34360b372c2ea6
SHA256 968d47357872182d1621668d111356262a4328c657249dafc01f86d4f5957cf3
SHA512 99efd7c1f45a0fd5f849f3739ea5ba53846557f1d83d0b0cc0bb30bfbaca2db05bd19cc169aad00fe2c57a71c416a655576ff5b548468864906d65076f426170

C:\Windows\SysWOW64\Pmmeon32.exe

MD5 e92327e6af5138ea53ac39ea3f0c23e2
SHA1 311913a068d48b0906aba9d9c1777976374363d4
SHA256 d4439a7f2011e94aeb0c3d38f3e8e024b0d8121ec67f5950c57a40e8a5ca64f1
SHA512 3d2ff6887351133d6f3b1a1b8ee51b0c8fa4d71a6000a16336f459ccf99285565bbc8ecf3b65294b98d4e09d80a940bcde502371e038da46a37e223c0241d090

C:\Windows\SysWOW64\Pplaki32.exe

MD5 52e4cec708ef4355e90891c8f00d814f
SHA1 448726a2869943d462090d9af40efdf3714a53ed
SHA256 7cd532af2e62b58c1ac6124f804cfb735c32512d13c9fd1efd384b21eb6a488c
SHA512 3185e4be30ecd2d2f4a71175ab685e83425b0526436afb1e464561e4d15963ff200d87792d5518fddd8caebe78ae5a5808752a2a1c17e127527cbd2e3ab0e73b

C:\Windows\SysWOW64\Pgfjhcge.exe

MD5 210c6bfac63c9524543cb101d2e59781
SHA1 54b4acdd214b951362464392e7a5916c6a3ffc07
SHA256 1c190b57340a24efc85285bbee270003ebfbf83155901244a2fcf5bef36ed761
SHA512 5996feac9115a99bbc6f77743b45b1d4aaffe7aeb0352a66a82d5c613dc4c3610dc19b6e0a7b3cdfcdb8fa796d51b84d8a46b93dfc3d2290cad9e57403fabb6f

C:\Windows\SysWOW64\Pidfdofi.exe

MD5 0c196f6baa9d01e6a477aa4ab43d1c73
SHA1 5c7c1cca496a8493d6f6aa27553db4752d9bbc98
SHA256 873a0b4326a387142231fdf2e63d7ca77a269707fdea647f05b813ac0040d6c0
SHA512 908178757a6daf8f2035f51e15c7a264218872f058b1abbeb8abb9b7376ef24131d343a3cccb2d881a1cf97b5a4fcadc03b932d99e15e4ee30c854c8bf2cf0b2

C:\Windows\SysWOW64\Paknelgk.exe

MD5 4e5a315b6a549248ee894f06d6dc4044
SHA1 3bb033cdbf097d16e645d2242bfb7fde84b4a3d1
SHA256 25f09b9e80fd6e95c113637075b1a56b97c984f4475eeb32faaafa099bd73a9d
SHA512 749b6e3fa08af781e0314ad85e9c59d00f60f4233805b74d3e22f54347f35373b0921e6336675d567038f5ff207c6e7a75507470e9cf87613c6040a30efd6664

C:\Windows\SysWOW64\Pdjjag32.exe

MD5 6c2d8a9a77e678e530384c7e6ab8d129
SHA1 2aa706743dd7b6e919d5e091b8f9da0f1a0673a4
SHA256 7ef5018191627b4e084daa91df33a05c32b7e8fdb4b8fd52b17ea44794c51d29
SHA512 de6c282244387459b274d8f7e605bda0024619ce28924095115fd6e7d5b5ed1943438a45b4bd8863adece421004fb70fc913037b9d54c524d6d6e7ead0dc7563

C:\Windows\SysWOW64\Pcljmdmj.exe

MD5 f03388698cc47cb72a71dc919a52161a
SHA1 e7aa5f38daa30e2acc546e4f9a49558c3683c350
SHA256 dd35cf19d700371df366bfd89ab516354ee5e1282576132c3d1cfb34c4b9a684
SHA512 1ad708409d1f2d6d606401b2e14ae6637acf7f5f6048a371c91f28b58396be77de14b56fab2c23ea269081c1fe3fbf8be065103a941688ac186f8e864970fc50

C:\Windows\SysWOW64\Pnbojmmp.exe

MD5 f40e888a1a5f15091dbdf011348adaaf
SHA1 9877a41fc7e35b4a0c58d5f4f7459ff7969d7f27
SHA256 1728d64b99aa73b4c6bcd4be3bcfafdc1e64847c2d1f25b75f24a6f8ff85c947
SHA512 d0dc42776c105e0deb4b09b7a0f28c0eef20f65c8de5da66de73d5f4443e0229db5092f2cecb5d7ca112bc2255f0657919a1fc73d129355c2cbf99142c5a0482

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 1f485068a4fd14007b52df3c0a8cf209
SHA1 10ebd4e1f6444f25386ea1485bcbfc80e33da67a
SHA256 27f31176e3c3d6e3c82f7d628b54d410bc14b075cec4b11f470108b1429f03ce
SHA512 de4bc1a29e1948d58e5603ebd9205cf2c95ec553f574c0a128dba5be451dd27d469ff5f5301e9d7c0bfb56f5aea8a494c07aa338789ffa442183771c1b2d24a0

C:\Windows\SysWOW64\Qgjccb32.exe

MD5 0472ee38f7b36206c2143dfc647b69d6
SHA1 f168e6ff61ab65250f3942b900993181004cfd24
SHA256 34719e7889e6cd6076ba371ac3956c24f181a198c51deb3b6c9cde40c30d573c
SHA512 596d33a6f7a4511f33919a63b2eb54e6edf33206407a7042ef9b333b02995df2cfb80bfc81a9e707775eb0af8a44829f5d72ef99fa389917377fb4ad4f82827a

C:\Windows\SysWOW64\Qiioon32.exe

MD5 149369eabdd5323d7f8427354ee77f69
SHA1 5def662a7bbe8916824e7c282d40d2bc9b3078dc
SHA256 68daaac9e13dd7fae3d46866aab46897c384eab59b54c5e56823247e5fa3a5c8
SHA512 d9d60fb544f7c679af45c8821bd1cc2d1cd9749c26cf8c6f7d7f16998b6ecc1540d872f132d2aebb7bb373607d7e4fe2a1e882bf42f63814dbce375ac82c5966

C:\Windows\SysWOW64\Qlgkki32.exe

MD5 61e43ffd5e3a6b90c1cd2967d2ec6175
SHA1 fe5173593b9638b2dd3ed9d71876a3820751a538
SHA256 9e04cc617b02ad95d63f5d05f884872241d7ad3646535a42227b584bed524ac2
SHA512 89702dc92ac2ee0d2596dc28fba4a468478aca4e2f5d48b0e45738221ad896d4ec1ef0df1f74a6e48e470951096a87b2b14b35aeb893ef6a40c6f319119a9a97

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 da718f75d5fe9b63e5dd2c50dcf261a5
SHA1 59d65996325f5d8c39b1808d1e27f76486570372
SHA256 34b41ad79d37ae9dabc0591e23b4df857f0bfa3bc335d52779906be116d46ec4
SHA512 1abb4bd4ee82f6e032c2cdffad8ad0dbb1d7e3b39b73780997b0d48769a07c678d3e502de07325abb6d91f01cd3e09e1fde9c83ed58328623e07d968e86d850e

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 c956587d5b69e69e68aedf35bfd69d13
SHA1 2795cb234ddbe2b1764671c5836fd73b45cc849c
SHA256 e03de4190757ad40e7dce1fc8ccade0ea6506a1f0d12ad757b92fa6cf9a9589e
SHA512 08e447c41accde286f87ac8f7786a0334be8057d49ae1749a93821f3fe9b26082d8efced636bb418fe4bc532abed53ecee15e52178aec63a259f7b449cb0cbb5

C:\Windows\SysWOW64\Qcachc32.exe

MD5 367eaf84a2234bf46aefd61b96c3333c
SHA1 8cb1c09bac84c32fdf0514744cc4e2430407bd19
SHA256 ff0aa97fdcf8b8d46bb21110f0d7b53beeee5324cb784decae6f1ca8403b6a14
SHA512 066bac41c6e92f76240df421b78c00cb084b6dafbe138cd93e5c9e11b16f52dabb23da3dc10fcc8964b10db6cd7dd87081d1a3d6eb86788911f65e5033675dbd

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 87272b491edf7c29657dfd3b107014b2
SHA1 3526bfa6b7d406eb5b076ef5fa66a111cb4c8c9f
SHA256 70d999e64d8bf500174b5118eb67db7ed83802de86509e66086c07bcf7dd50a4
SHA512 6cfe9df60918feec160befffba56b5b65fad75348eb407910951548953bcf1514c9bc2d24e46f2ab88f72ffbb753e8754ec168424d24c5fb07799ba42c93b022

C:\Windows\SysWOW64\Qnghel32.exe

MD5 c15f194edb7ae4ea7924b52108e6c2ad
SHA1 efb68693e296dc42e8fbf0d59c9f50041955ea82
SHA256 665b4f65bd1ebb9c8a7658c7b22c30189a95f275e28d69e8641fbe1d70c1355a
SHA512 0e78fde97d4c86b3c0aff9d5f9cb4ae99420ffb18f8cbf90b01e406d9d615e7eeae899a66c583689eeff77464f72f15c22f6aac619d6bf4c5818062943a115ac

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 93b9eadffd8c1f68d2e1061f84c8180d
SHA1 e320b2f769a58f01287f34209569e9f11da28bb5
SHA256 a1a55b8390a2d3b060f50a890645c02a40a745bb5fa3c9578c06b52526969178
SHA512 4d18ecf1d774323e6b4f8ae09578e05628c4ec64fe7a1b2c6b1bab5f334634415465a27da43fca3381e998907d9d33d3303cd52bf42bd365797fc214b39731f4

C:\Windows\SysWOW64\Agolnbok.exe

MD5 70e6152218cd7ef066a18db0a9d54914
SHA1 caa6d05d6702f2ab9e98fba0b538de806f286d88
SHA256 5ff4efb19a2414b5dfddb6e07d3a55254bbdb42a1cca3880e604fa9dd5af29f1
SHA512 d6bfbae32dbc6cc7e39b0194cbcfa428af6c025b5ba34963d2081150ac15dde5eeca2b475afe83b817c1a3c10ea7df5a02e449e379443ff9292d77601a1ff5b5

C:\Windows\SysWOW64\Aebmjo32.exe

MD5 dfec876526a379be9d644b7f3876f70e
SHA1 c7704deffa4b6861c18ae350b8cd7e0a813d9b18
SHA256 e08c460bb190c365ea045c553423d84d6dcfa89b89cc9cc591484ce628e9946a
SHA512 20b4f8dbcabe71f02fce2889b27cae6cd50f68fb752bc6fdddc2b67109f38a813ae7275e5c77842b7a4dbbed185d8532745962228db3e84893cb46331038820d

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 d8c7973c060fbb12a34804e01d9fca38
SHA1 7f53c3a69d9e141c9cc3229a50e0b14e74b2be27
SHA256 804e8ab1dc1d4bb8ba45219480f7a53b62ac40819fc06582a0dee41d249cab2a
SHA512 7faa8c3229e787eb78cec907fef2f169d41d774fa17e053c245191d92856e3be3ecc85cb408377552b6e789b38073a347f43fa57c7087049a4d80e844c8329a3

C:\Windows\SysWOW64\Allefimb.exe

MD5 f3b0d2a80cccc643cab820c9343e3bef
SHA1 6541d558fe818d6cb7c56ad6335b059809cd2da4
SHA256 8df0b90b683cc139ca155941a13c376fb4e4bb85a822b429f5687b562a092643
SHA512 65f995b0e004706d9b39a73afed33ee5641f1eb7b5b109e826e63095a85a7497ea7e43a30908d8fb6c5796652aaac6fa2d3480ef03a261679f40e1537ec3f5b3

C:\Windows\SysWOW64\Acfmcc32.exe

MD5 84fc905d3fce40a46d9113a946c968f9
SHA1 0d37e1bc5c8632a44d8225f779868269b29580ce
SHA256 343350361f0cfb65fac04e94b5877a4036a564da3aac0cd84107925379e50e98
SHA512 5f81ead4082ad943ac4fbb2b2c5b545779e0ebd463ba2c413801e6c76e07a4c2c50e2607df0fde750fdb7a36c0731fc954cdb5195c4f1fd754491234fa538264

C:\Windows\SysWOW64\Afdiondb.exe

MD5 e25e79fb1fd3a569ef9b2ff64d5abdaa
SHA1 cf97ec35a3553ad0152d275f3b74552c26bcc66b
SHA256 409fc4f7ff45aafb5d396b1fa310cb15bd36705617020273e250f2e566d8fc60
SHA512 bb22848e3817e33d5950b6775ec688320087f23adaac110720ec80475f9ab97475fc06043d57246d7bfd1b82ef18a21df3294da3df519cece02bc8d050df6ab9

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 049b1476ca6fe69bf5834861fd062f21
SHA1 8b52c45e178bbd03cc13f9681b6cd0eafdccadc1
SHA256 ec3384b2fe5c38ccdf1e44fbb24bd9d1dcc216de573e4feb3e1bc58bb67dea8d
SHA512 9e58ea90b79f507ea017c6ce9b1327eca3cb93238800bed00f223717e35d5d7c53f58cf4dcc21f74f5c7a2781c2e8b829b4a71da195bc8792b768f3e679f9ab8

C:\Windows\SysWOW64\Alnalh32.exe

MD5 09ac7384e317f23d6068d124d418150e
SHA1 7edae9b2aa696e29d94ee07ea16769ffff775b7f
SHA256 43c6bddacd2f93c11cf71f5d108be81e59bc121907337c9889225a834e06f704
SHA512 1755d663bddddbccd428d4311a161c5d7cad3ecb6c96ca36caace7798a3cbe0ff7759e4bfee2ca89b59f5ff6b3c183d614485aaed2d13182edf9cd3322b56c64

C:\Windows\SysWOW64\Akabgebj.exe

MD5 c1176d82f46fa48a7270b3527acb09fe
SHA1 2b68db909fd38ae05bd2bc900f0ea78f2ab1c61a
SHA256 a7f52c59a9743471e5f1869e50a614a2793224221cd4396c9515a85d9c31ae26
SHA512 942a31b822bee793644ae988ab55587b3d1516987fae2ddbbabc8611a86124c9aa4d967df38325cb0ee380e1d6c8673043e5ededea6ef797bc8a924741f0761e

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 098281eadb895a71c86c12421d482e00
SHA1 10c9f76f9685cfa668d6663bd5f318d4154067e0
SHA256 f0196c89d6f44520ecff3bd329ba36af82d15cf70020d23c5c0358b654005de5
SHA512 e806a25e3aa63516d414979c41bdaa545881e81a5668d69dba1e26594f3867dca10bdb3e3e8895cb7fdde5a95b692c41d1693aa3d5056c410e5552951029e2f1

C:\Windows\SysWOW64\Afffenbp.exe

MD5 f479f54e20603bb5204de9eec5629082
SHA1 72ba4f5dcbe48da6bbb91805a39ea04d51b95058
SHA256 a7de24007aeab16c2dfd11bd9fb2b2304c4c050059ebad4e8e59b9c67fc81f58
SHA512 a71994681beeed1a47804e9a3da387be5ac8b2683b31b8181a05086e6f041bafdb71650b3a4b2f05e73da07dbc9bdf589a4d08e07c22fd46d1e67ea56022c68e

C:\Windows\SysWOW64\Adifpk32.exe

MD5 53f597ccda9860f88fc9bb9c7d4398b3
SHA1 17b7c9efa3caa6d40d21561dfe43a00d8d90bc1d
SHA256 5df32dba31f10d49f88589e6f0880e995f8adcbf4095958a5e0ce7d0de2b8e5e
SHA512 2cd7caad0f18e5093ba263569aee288e8e9cb339bfda78f8d74f32e879ec0912daafee30b6c4cf28c401645e665c60ed4b305891231337e3321e8011e892e5cf

C:\Windows\SysWOW64\Alqnah32.exe

MD5 3be112a14ac83605c7f94b6a6dbc761a
SHA1 442bec04c6a615ead4bd11c740cc373e74cbad3f
SHA256 6254278abfd76e6fee96f00250b6fd5d5f4ce5180042b163b3c874782b699168
SHA512 e51f712735ee2fb6d06f77345baa34e49011b4fb0b8b58838ff8551e0954e6c73879317d62f7898f8bd58292d491d7c10133644690285ce0053bd07c55182480

C:\Windows\SysWOW64\Aoojnc32.exe

MD5 e15cc255b6b6c8efa78e62d36845b51e
SHA1 374d90bad521ec4fecd1e6a00d8f5d3860fb99fc
SHA256 7a4513ba2ccd49b19a9e615800b5d870d1516706e423c759f49b4878b9180b40
SHA512 3bfebbeb5e65719805128b9bc4d7a3ea9566aede3ef76dac01c70f67a0239a874c7f441be271561cfc4389a2d89dd6a64617d3ef35d225866a29e560d4f398e1

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 c5133faa74c99252e19c801ffcca78b7
SHA1 6f4af5b6e7dbd14b8adb2d92b0397f259f705c57
SHA256 fc1b02c81be7d6d07cabc514ea7d21fcfe612e5f57ed17548a821a4c3c6512fe
SHA512 da74d399d8eaae36ef3fd032c42682c83b3e0be606492c80971f66435fe3ea114c9fed06c74cd28a0870d0e5c726926080a54acbbf1b5852de561ac9c379010d

C:\Windows\SysWOW64\Aficjnpm.exe

MD5 5514043d331f9981d69d3ac11874bf3f
SHA1 eade9adaf1180d4b34cf4ad2871a1c53f1179b10
SHA256 9c5d8f9948eca7da69002437b9d86724368a012f0786b3fbabd844a6419a7a5d
SHA512 a9515a98e04bb36e13d01bb4dc483e8b8276e830412e378f2bf8bd70002ab71ed028de608fd2eb5f0067cd4d55fa9347c2d2dd68d10f776d5c2969a784628d7c

C:\Windows\SysWOW64\Agjobffl.exe

MD5 72aa4450c4b4f99d4f988e9f827329fc
SHA1 455b8f824e41ac339b9b122ce35170eca96d7844
SHA256 4b93608dca292a4121d26c4dcc02039598b153cc99100717bc006bd362a0cfcf
SHA512 680cdf788891089c8a1e9470d7e9a0e37e1fa783700ae9d32881834834e460763dec87883b7fb6db8cd2646d01d80ab357e09d7922a3cbd70d5963cce9732e59

C:\Windows\SysWOW64\Akfkbd32.exe

MD5 0bdd9052c7d9bfbe32b1be5bac21f510
SHA1 4ab1772b50beeacce7a3ada74526324b8b1b7baa
SHA256 c36a611de786f7dc1f6ee5e94e73b94f4a0f584d01f5ca0c6af1482d0bd66ff8
SHA512 01b39bf9006f90f6929ac37c321424cf38a69d772afa37483ff41b974674ff1bb954eb9f7bb02946e456ef673a5784af8f444cf85b38136ce5c2f3e312d5c293

C:\Windows\SysWOW64\Andgop32.exe

MD5 f7d01552d0bbb2dba9491747b03a00b9
SHA1 bcb2dc6227863895bb2da3f810ebd793df4bb63e
SHA256 2cd2fc0740b27f134cfc8940c81ecc415df873c5700ec8ea8cf9669ed98476eb
SHA512 cc84e74a6de29593747dded4018745a1e4df2c924d3b8a51f5b3e57749426f496a4ce8f0bf2a1938f86a7d5b4f7e08e5031451e98fabc7bfb773257de2ea337e

C:\Windows\SysWOW64\Abpcooea.exe

MD5 1d8fb92abaafc04e0228b92ea5910b17
SHA1 586d78066f70cfb44ddf4c58bc1d344902c193b8
SHA256 3eab0a5b31910a21a32575d0266e7e485ec3bf1298d45c809ec53a21bbac66ac
SHA512 0b1bcee6f93d3cfc8c9b398ba0ea8e82a7226aed8051a1fb69b3e08c6445dd0a833587213907acfa88a4cfd783c97a48518e1dc4e6aaf663e2ca9697a76a0e07

C:\Windows\SysWOW64\Adnpkjde.exe

MD5 78479f66a3c707812aa4d8b566bef93d
SHA1 85e2198505e6a9a80bc4a9b1d68ce584d96ead50
SHA256 7a3e606ba6ffdf46601216ee0887aadfb2b86883a055199445d0303caab6374a
SHA512 0eec59022869ebc022402b3c0a8d5d3fbf4e7cc4a728a0dff23e0e0aa254c1d12063129a777a7cf886f2c0eb4f153abe0c171cf74174ed74ce43cdf1084655c2

C:\Windows\SysWOW64\Bhjlli32.exe

MD5 bbed0298102a3e48dbaba520c88cbc25
SHA1 523ff38165887024acc960488fe513660fd231e7
SHA256 be36950d8bb664be317b342ebae236e3ee1a805e0de5bd4a853368c5797aa6e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 14:45

Reported

2024-09-16 14:47

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afceko32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cidgdg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hqghqpnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hegmlnbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcfmneaa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qejfkmem.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qihoak32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beaecjab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlncla32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dibdeegc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncjdki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oflfdbip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kemhei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmeoqlpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dpllbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iabglnco.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ihaidhgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lddble32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cekhihig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kaopoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbefln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfjeckpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkohchko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnedgq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmoagk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bppcpc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hnbnjc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndidna32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnedgq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pofhbgmn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfbmdabh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qfjcep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cekhihig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihaidhgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jelonkph.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdmcdhhe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbeibo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmjhlklg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qppkhfec.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akihcfid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpqlfa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ielfgmnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iloajfml.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmdmpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkgmoncl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdbnmbhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abcppq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpifeb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dinjjf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kongmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lojfin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbbgicnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cplckbmc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhknhabf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbcbnlcl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clbdpc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmjhlklg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afeban32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lojfin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mclhjkfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbimjb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afeban32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcpika32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clijablo.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Hgocgjgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbdgec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hqghqpnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgapmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnkhjdle.exe N/A
N/A N/A C:\Windows\SysWOW64\Heepfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkohchko.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnmeodjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hegmlnbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjdedepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hannao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hghfnioq.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnbnjc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ielfgmnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilfodgeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Iabglnco.exe N/A
N/A N/A C:\Windows\SysWOW64\Igmoih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaedanal.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijmhkchl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihaidhgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibgmaqfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iloajfml.exe N/A
N/A N/A C:\Windows\SysWOW64\Jehfcl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlanpfkj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdmcdhhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Jelonkph.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnedgq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjkdlall.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeaiij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbeibo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdffjgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kajfdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kongmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kalcik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkegbpca.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaopoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klddlckd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kemhei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkiamp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lacijjgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhmafcnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Logicn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddble32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lojfin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ledoegkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbhool32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhdggb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjldk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhgdmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mclhjkfa.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdnebc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkgmoncl.exe N/A
N/A N/A C:\Windows\SysWOW64\Maaekg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhknhabf.exe N/A
N/A N/A C:\Windows\SysWOW64\Madbagif.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdbnmbhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mklfjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mafofggd.exe N/A
N/A N/A C:\Windows\SysWOW64\Mebkge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mojopk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdghhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nakhaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndidna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqloo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Qhomgchl.dll C:\Windows\SysWOW64\Jelonkph.exe N/A
File created C:\Windows\SysWOW64\Ebcgjl32.dll C:\Windows\SysWOW64\Akihcfid.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbeibo32.exe C:\Windows\SysWOW64\Jeaiij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kajfdk32.exe C:\Windows\SysWOW64\Kdffjgpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmdmpe32.exe C:\Windows\SysWOW64\Cfjeckpj.exe N/A
File created C:\Windows\SysWOW64\Mjfkgg32.dll C:\Windows\SysWOW64\Iloajfml.exe N/A
File opened for modification C:\Windows\SysWOW64\Mklfjm32.exe C:\Windows\SysWOW64\Mdbnmbhj.exe N/A
File created C:\Windows\SysWOW64\Abcppq32.exe C:\Windows\SysWOW64\Akihcfid.exe N/A
File created C:\Windows\SysWOW64\Bppcpc32.exe C:\Windows\SysWOW64\Bejobk32.exe N/A
File created C:\Windows\SysWOW64\Kemhei32.exe C:\Windows\SysWOW64\Klddlckd.exe N/A
File created C:\Windows\SysWOW64\Jjonchmn.dll C:\Windows\SysWOW64\Nooikj32.exe N/A
File created C:\Windows\SysWOW64\Ncmaai32.exe C:\Windows\SysWOW64\Ndlacapp.exe N/A
File opened for modification C:\Windows\SysWOW64\Bflham32.exe C:\Windows\SysWOW64\Bppcpc32.exe N/A
File created C:\Windows\SysWOW64\Fbbojb32.dll C:\Windows\SysWOW64\Kalcik32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odbgdp32.exe C:\Windows\SysWOW64\Nlgbon32.exe N/A
File created C:\Windows\SysWOW64\Hjdedepg.exe C:\Windows\SysWOW64\Hegmlnbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndlacapp.exe C:\Windows\SysWOW64\Ncjdki32.exe N/A
File created C:\Windows\SysWOW64\Pcijce32.exe C:\Windows\SysWOW64\Pkabbgol.exe N/A
File created C:\Windows\SysWOW64\Cmbpjfij.exe C:\Windows\SysWOW64\Cekhihig.exe N/A
File created C:\Windows\SysWOW64\Edngom32.dll C:\Windows\SysWOW64\Hgocgjgk.exe N/A
File created C:\Windows\SysWOW64\Hnkhjdle.exe C:\Windows\SysWOW64\Hgapmj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilfodgeg.exe C:\Windows\SysWOW64\Ielfgmnj.exe N/A
File created C:\Windows\SysWOW64\Mafofggd.exe C:\Windows\SysWOW64\Mklfjm32.exe N/A
File created C:\Windows\SysWOW64\Hfdgep32.dll C:\Windows\SysWOW64\Ocfdgg32.exe N/A
File created C:\Windows\SysWOW64\Pmjhlklg.exe C:\Windows\SysWOW64\Pbddobla.exe N/A
File created C:\Windows\SysWOW64\Ldbeqlcg.dll C:\Windows\SysWOW64\Dlncla32.exe N/A
File created C:\Windows\SysWOW64\Eopbppjf.dll C:\Windows\SysWOW64\Iaedanal.exe N/A
File created C:\Windows\SysWOW64\Kalcik32.exe C:\Windows\SysWOW64\Kongmo32.exe N/A
File created C:\Windows\SysWOW64\Bblnengb.dll C:\Windows\SysWOW64\Hghfnioq.exe N/A
File created C:\Windows\SysWOW64\Lacijjgi.exe C:\Windows\SysWOW64\Lkiamp32.exe N/A
File created C:\Windows\SysWOW64\Qppkhfec.exe C:\Windows\SysWOW64\Qejfkmem.exe N/A
File created C:\Windows\SysWOW64\Qihoak32.exe C:\Windows\SysWOW64\Qfjcep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgapmj32.exe C:\Windows\SysWOW64\Hqghqpnl.exe N/A
File created C:\Windows\SysWOW64\Bibokqno.dll C:\Windows\SysWOW64\Jdmcdhhe.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocfdgg32.exe C:\Windows\SysWOW64\Ollljmhg.exe N/A
File created C:\Windows\SysWOW64\Cimhefgb.dll C:\Windows\SysWOW64\Qejfkmem.exe N/A
File opened for modification C:\Windows\SysWOW64\Qejfkmem.exe C:\Windows\SysWOW64\Pbljoafi.exe N/A
File created C:\Windows\SysWOW64\Pkjhlh32.dll C:\Windows\SysWOW64\Cdnelpod.exe N/A
File created C:\Windows\SysWOW64\Oojnjjli.dll C:\Windows\SysWOW64\Kbeibo32.exe N/A
File created C:\Windows\SysWOW64\Lanhkb32.dll C:\Windows\SysWOW64\Alkeifga.exe N/A
File created C:\Windows\SysWOW64\Bejobk32.exe C:\Windows\SysWOW64\Amoknh32.exe N/A
File created C:\Windows\SysWOW64\Hlnecf32.dll C:\Windows\SysWOW64\Igmoih32.exe N/A
File created C:\Windows\SysWOW64\Dlncla32.exe C:\Windows\SysWOW64\Dfakcj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dibdeegc.exe C:\Windows\SysWOW64\Defheg32.exe N/A
File created C:\Windows\SysWOW64\Mckfmq32.dll C:\Windows\SysWOW64\Dibdeegc.exe N/A
File created C:\Windows\SysWOW64\Mhfdfbqe.dll C:\Windows\SysWOW64\Kajfdk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mebkge32.exe C:\Windows\SysWOW64\Mafofggd.exe N/A
File opened for modification C:\Windows\SysWOW64\Pbddobla.exe C:\Windows\SysWOW64\Pofhbgmn.exe N/A
File created C:\Windows\SysWOW64\Nmdlch32.dll C:\Windows\SysWOW64\Lcjldk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amoknh32.exe C:\Windows\SysWOW64\Afeban32.exe N/A
File created C:\Windows\SysWOW64\Lfijgnnj.dll C:\Windows\SysWOW64\Cmmgof32.exe N/A
File created C:\Windows\SysWOW64\Haafdi32.dll C:\Windows\SysWOW64\Pkabbgol.exe N/A
File created C:\Windows\SysWOW64\Qkfkng32.exe C:\Windows\SysWOW64\Qihoak32.exe N/A
File created C:\Windows\SysWOW64\Afeban32.exe C:\Windows\SysWOW64\Ammnhilb.exe N/A
File opened for modification C:\Windows\SysWOW64\Mclhjkfa.exe C:\Windows\SysWOW64\Lhgdmb32.exe N/A
File created C:\Windows\SysWOW64\Nakhaf32.exe C:\Windows\SysWOW64\Mdghhb32.exe N/A
File created C:\Windows\SysWOW64\Ndlacapp.exe C:\Windows\SysWOW64\Ncjdki32.exe N/A
File created C:\Windows\SysWOW64\Pcfmneaa.exe C:\Windows\SysWOW64\Pkoemhao.exe N/A
File opened for modification C:\Windows\SysWOW64\Lddble32.exe C:\Windows\SysWOW64\Logicn32.exe N/A
File created C:\Windows\SysWOW64\Pkabbgol.exe C:\Windows\SysWOW64\Pmoagk32.exe N/A
File created C:\Windows\SysWOW64\Pbljoafi.exe C:\Windows\SysWOW64\Pcijce32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihaidhgf.exe C:\Windows\SysWOW64\Ijmhkchl.exe N/A
File created C:\Windows\SysWOW64\Bbefln32.exe C:\Windows\SysWOW64\Blknpdho.exe N/A
File created C:\Windows\SysWOW64\Dbkhnk32.exe C:\Windows\SysWOW64\Dpllbp32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dbkhnk32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mclhjkfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abcppq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aealll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afceko32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ledoegkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlgbon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odbgdp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcijce32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmdmpe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kalcik32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhgdmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpllbp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lojfin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Maaekg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfnjbdep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpqlfa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kongmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlqloo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ochamg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfbmdabh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ammnhilb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfcoblfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dibdeegc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hghfnioq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jelonkph.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkoemhao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Almanf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cekhihig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clijablo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oloipmfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeopfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjkdlall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nconfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddcogo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ielfgmnj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndlacapp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofbdncaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffkhl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkfkng32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmkjig32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpifeb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbkhnk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hqghqpnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnbnjc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbhool32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbcbnlcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhdggb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdghhb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncjdki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omcbkl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bflham32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cplckbmc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgapmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Logicn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbbgicnd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbimjb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beaecjab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blknpdho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbefln32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmahknh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hegmlnbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jeaiij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkegbpca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mebkge32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pofhbgmn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll" C:\Windows\SysWOW64\Cmmgof32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lddble32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll" C:\Windows\SysWOW64\Qejfkmem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll" C:\Windows\SysWOW64\Jjkdlall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abcppq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll" C:\Windows\SysWOW64\Dinjjf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Logicn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll" C:\Windows\SysWOW64\Madbagif.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lkiamp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abohmm32.dll" C:\Windows\SysWOW64\Nconfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfnkfn.dll" C:\Windows\SysWOW64\Hegmlnbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Igmoih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll" C:\Windows\SysWOW64\Ijmhkchl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkiamp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefjdppe.dll" C:\Windows\SysWOW64\Mklfjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjkdlall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll" C:\Windows\SysWOW64\Lddble32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbhool32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndidna32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlqloo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lcjldk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfakcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dinjjf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dlncla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopbppjf.dll" C:\Windows\SysWOW64\Iaedanal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oloipmfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbebgj32.dll" C:\Windows\SysWOW64\Bbefln32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngllodpm.dll" C:\Windows\SysWOW64\Cidgdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfbmfbn.dll" C:\Windows\SysWOW64\Cmbpjfij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckfmq32.dll" C:\Windows\SysWOW64\Dibdeegc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlqloo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncjdki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abpcja32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Blknpdho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiecbnd.dll" C:\Windows\SysWOW64\Cpifeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kemhei32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ollljmhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffopp32.dll" C:\Windows\SysWOW64\Defheg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kemhei32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qfjcep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amoknh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll" C:\Windows\SysWOW64\Jeaiij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qbngeadf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfmahknh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cepadh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kongmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klddlckd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbnnelf.dll" C:\Windows\SysWOW64\Nlqloo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pehjfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndjmkng.dll" C:\Windows\SysWOW64\Bflham32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cidgdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbeqlcg.dll" C:\Windows\SysWOW64\Dlncla32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Igmoih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll" C:\Windows\SysWOW64\Kemhei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll" C:\Windows\SysWOW64\Pehjfm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdnebc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkjom32.dll" C:\Windows\SysWOW64\Qppkhfec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ielfgmnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlnecf32.dll" C:\Windows\SysWOW64\Igmoih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll" C:\Windows\SysWOW64\Mebkge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllolf32.dll" C:\Windows\SysWOW64\Oohkai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mondkfmh.dll" C:\Windows\SysWOW64\Cfjeckpj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Hgocgjgk.exe
PID 4888 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Hgocgjgk.exe
PID 4888 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Hgocgjgk.exe
PID 2556 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Hgocgjgk.exe C:\Windows\SysWOW64\Hbdgec32.exe
PID 2556 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Hgocgjgk.exe C:\Windows\SysWOW64\Hbdgec32.exe
PID 2556 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Hgocgjgk.exe C:\Windows\SysWOW64\Hbdgec32.exe
PID 2304 wrote to memory of 3956 N/A C:\Windows\SysWOW64\Hbdgec32.exe C:\Windows\SysWOW64\Hqghqpnl.exe
PID 2304 wrote to memory of 3956 N/A C:\Windows\SysWOW64\Hbdgec32.exe C:\Windows\SysWOW64\Hqghqpnl.exe
PID 2304 wrote to memory of 3956 N/A C:\Windows\SysWOW64\Hbdgec32.exe C:\Windows\SysWOW64\Hqghqpnl.exe
PID 3956 wrote to memory of 3940 N/A C:\Windows\SysWOW64\Hqghqpnl.exe C:\Windows\SysWOW64\Hgapmj32.exe
PID 3956 wrote to memory of 3940 N/A C:\Windows\SysWOW64\Hqghqpnl.exe C:\Windows\SysWOW64\Hgapmj32.exe
PID 3956 wrote to memory of 3940 N/A C:\Windows\SysWOW64\Hqghqpnl.exe C:\Windows\SysWOW64\Hgapmj32.exe
PID 3940 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Hgapmj32.exe C:\Windows\SysWOW64\Hnkhjdle.exe
PID 3940 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Hgapmj32.exe C:\Windows\SysWOW64\Hnkhjdle.exe
PID 3940 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Hgapmj32.exe C:\Windows\SysWOW64\Hnkhjdle.exe
PID 2896 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Hnkhjdle.exe C:\Windows\SysWOW64\Heepfn32.exe
PID 2896 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Hnkhjdle.exe C:\Windows\SysWOW64\Heepfn32.exe
PID 2896 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Hnkhjdle.exe C:\Windows\SysWOW64\Heepfn32.exe
PID 2036 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Heepfn32.exe C:\Windows\SysWOW64\Hkohchko.exe
PID 2036 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Heepfn32.exe C:\Windows\SysWOW64\Hkohchko.exe
PID 2036 wrote to memory of 1600 N/A C:\Windows\SysWOW64\Heepfn32.exe C:\Windows\SysWOW64\Hkohchko.exe
PID 1600 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Hkohchko.exe C:\Windows\SysWOW64\Hnmeodjc.exe
PID 1600 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Hkohchko.exe C:\Windows\SysWOW64\Hnmeodjc.exe
PID 1600 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Hkohchko.exe C:\Windows\SysWOW64\Hnmeodjc.exe
PID 5004 wrote to memory of 3380 N/A C:\Windows\SysWOW64\Hnmeodjc.exe C:\Windows\SysWOW64\Hegmlnbp.exe
PID 5004 wrote to memory of 3380 N/A C:\Windows\SysWOW64\Hnmeodjc.exe C:\Windows\SysWOW64\Hegmlnbp.exe
PID 5004 wrote to memory of 3380 N/A C:\Windows\SysWOW64\Hnmeodjc.exe C:\Windows\SysWOW64\Hegmlnbp.exe
PID 3380 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Hegmlnbp.exe C:\Windows\SysWOW64\Hjdedepg.exe
PID 3380 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Hegmlnbp.exe C:\Windows\SysWOW64\Hjdedepg.exe
PID 3380 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Hegmlnbp.exe C:\Windows\SysWOW64\Hjdedepg.exe
PID 1216 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Hjdedepg.exe C:\Windows\SysWOW64\Hannao32.exe
PID 1216 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Hjdedepg.exe C:\Windows\SysWOW64\Hannao32.exe
PID 1216 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Hjdedepg.exe C:\Windows\SysWOW64\Hannao32.exe
PID 2800 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Hannao32.exe C:\Windows\SysWOW64\Hghfnioq.exe
PID 2800 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Hannao32.exe C:\Windows\SysWOW64\Hghfnioq.exe
PID 2800 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Hannao32.exe C:\Windows\SysWOW64\Hghfnioq.exe
PID 2244 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Hghfnioq.exe C:\Windows\SysWOW64\Hnbnjc32.exe
PID 2244 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Hghfnioq.exe C:\Windows\SysWOW64\Hnbnjc32.exe
PID 2244 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Hghfnioq.exe C:\Windows\SysWOW64\Hnbnjc32.exe
PID 1572 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Hnbnjc32.exe C:\Windows\SysWOW64\Ielfgmnj.exe
PID 1572 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Hnbnjc32.exe C:\Windows\SysWOW64\Ielfgmnj.exe
PID 1572 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Hnbnjc32.exe C:\Windows\SysWOW64\Ielfgmnj.exe
PID 1520 wrote to memory of 4484 N/A C:\Windows\SysWOW64\Ielfgmnj.exe C:\Windows\SysWOW64\Ilfodgeg.exe
PID 1520 wrote to memory of 4484 N/A C:\Windows\SysWOW64\Ielfgmnj.exe C:\Windows\SysWOW64\Ilfodgeg.exe
PID 1520 wrote to memory of 4484 N/A C:\Windows\SysWOW64\Ielfgmnj.exe C:\Windows\SysWOW64\Ilfodgeg.exe
PID 4484 wrote to memory of 4068 N/A C:\Windows\SysWOW64\Ilfodgeg.exe C:\Windows\SysWOW64\Iabglnco.exe
PID 4484 wrote to memory of 4068 N/A C:\Windows\SysWOW64\Ilfodgeg.exe C:\Windows\SysWOW64\Iabglnco.exe
PID 4484 wrote to memory of 4068 N/A C:\Windows\SysWOW64\Ilfodgeg.exe C:\Windows\SysWOW64\Iabglnco.exe
PID 4068 wrote to memory of 4696 N/A C:\Windows\SysWOW64\Iabglnco.exe C:\Windows\SysWOW64\Igmoih32.exe
PID 4068 wrote to memory of 4696 N/A C:\Windows\SysWOW64\Iabglnco.exe C:\Windows\SysWOW64\Igmoih32.exe
PID 4068 wrote to memory of 4696 N/A C:\Windows\SysWOW64\Iabglnco.exe C:\Windows\SysWOW64\Igmoih32.exe
PID 4696 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Igmoih32.exe C:\Windows\SysWOW64\Iaedanal.exe
PID 4696 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Igmoih32.exe C:\Windows\SysWOW64\Iaedanal.exe
PID 4696 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Igmoih32.exe C:\Windows\SysWOW64\Iaedanal.exe
PID 3784 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Iaedanal.exe C:\Windows\SysWOW64\Ijmhkchl.exe
PID 3784 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Iaedanal.exe C:\Windows\SysWOW64\Ijmhkchl.exe
PID 3784 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Iaedanal.exe C:\Windows\SysWOW64\Ijmhkchl.exe
PID 3604 wrote to memory of 2316 N/A C:\Windows\SysWOW64\Ijmhkchl.exe C:\Windows\SysWOW64\Ihaidhgf.exe
PID 3604 wrote to memory of 2316 N/A C:\Windows\SysWOW64\Ijmhkchl.exe C:\Windows\SysWOW64\Ihaidhgf.exe
PID 3604 wrote to memory of 2316 N/A C:\Windows\SysWOW64\Ijmhkchl.exe C:\Windows\SysWOW64\Ihaidhgf.exe
PID 2316 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ihaidhgf.exe C:\Windows\SysWOW64\Ibgmaqfl.exe
PID 2316 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ihaidhgf.exe C:\Windows\SysWOW64\Ibgmaqfl.exe
PID 2316 wrote to memory of 2064 N/A C:\Windows\SysWOW64\Ihaidhgf.exe C:\Windows\SysWOW64\Ibgmaqfl.exe
PID 2064 wrote to memory of 3108 N/A C:\Windows\SysWOW64\Ibgmaqfl.exe C:\Windows\SysWOW64\Iloajfml.exe
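
The two signature tables above carry the most useful structure in this report. The "Modifies registry class" rows register one CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, and point its InProcServer32 default value at a freshly dropped DLL under C:\Windows\SysWow64 with ThreadingModel set to Apartment; that is an in-process COM server registration, which is what an Explorer autorun entry such as a ShellServiceObjectDelayLoad value resolves through. The "Suspicious use of WriteProcessMemory" rows record each dropped executable writing into the next one it launches, three rows per child, so the table is really a linear process chain. The script below is an added example written for this report, not the sandbox's own export or parser: it reads rows in the space-separated layout rendered on this page (so it assumes paths without spaces, which holds for every SysWOW64 path here, and a single child per parent, which the chain above shows), collapses the triplicated write rows, rebuilds the chain, and extracts the CLSID and DLL paths as hunt terms. The sample rows are constructed by copying a few lines from the tables above.

```python
"""Rebuild the process chain and COM-server IOCs from Triage-style signature rows."""
import re

# Constructed sample: rows copied from the report's WriteProcessMemory table.
WRITEPROCESSMEMORY_ROWS = r"""
PID 4888 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Hgocgjgk.exe
PID 4888 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Hgocgjgk.exe
PID 4888 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe C:\Windows\SysWOW64\Hgocgjgk.exe
PID 2556 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Hgocgjgk.exe C:\Windows\SysWOW64\Hbdgec32.exe
PID 2556 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Hgocgjgk.exe C:\Windows\SysWOW64\Hbdgec32.exe
PID 2556 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Hgocgjgk.exe C:\Windows\SysWOW64\Hbdgec32.exe
PID 2304 wrote to memory of 3956 N/A C:\Windows\SysWOW64\Hbdgec32.exe C:\Windows\SysWOW64\Hqghqpnl.exe
"""

# Constructed sample: rows copied from the report's "Modifies registry class" table.
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pofhbgmn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll" C:\Windows\SysWOW64\Cmmgof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Igmoih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimhefgb.dll" C:\Windows\SysWOW64\Qejfkmem.exe N/A
"""

# Row layouts as rendered on the page: "Description Indicator Process Target".
# Assumption: no path contains a space (true for every SysWOW64 drop in this report).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
SET_RE = re.compile(r'^Set value \(str\) (\S+) = "([^"]*)" (\S+) N/A$')
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\")


def parse_writes(text):
    """Unique (src_pid, dst_pid, src_image, dst_image) edges in first-seen order.

    The report prints each cross-process write three times (one row per
    WriteProcessMemory call made while the child is being started), so
    identical rows are collapsed into a single edge."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def process_chain(edges):
    """Walk parent->child edges from the root (a writer that nobody wrote into).

    Assumes one child per parent, which is what this report's table shows;
    a real process tree would need a list of children per PID instead."""
    children = {src: (dst, dst_img) for src, dst, _, dst_img in edges}
    targets = {dst for _, dst, _, _ in edges}
    images = {src: src_img for src, _, src_img, _ in edges}
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError("expected exactly one root process, got %r" % roots)
    pid = roots[0]
    chain = [images[pid]]
    while pid in children:
        pid, img = children[pid]
        chain.append(img)
    return chain


def parse_com_registration(text):
    """Return (clsids, inproc_dlls, threading_models) from 'Set value' rows.

    A CLSID whose InProcServer32 default value names a DLL dropped into
    SysWow64 is the in-process COM server an Explorer autorun entry loads."""
    clsids, dlls, threading = set(), [], set()
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        key, value, _proc = m.groups()
        c = CLSID_RE.search(key)
        if c:
            clsids.add(c.group(1))
        if key.endswith("InProcServer32\\"):      # the key's default value
            path = value.replace("\\\\", "\\")    # undo the report's doubled backslashes
            if path not in dlls:
                dlls.append(path)
        elif key.endswith("\\ThreadingModel"):
            threading.add(value)
    return clsids, dlls, threading


def hunt_terms(edges, dlls):
    """File names to search for on other hosts: every spawned executable plus the COM DLLs."""
    names = []
    for _, _, _, dst_img in edges:
        base = dst_img.rsplit("\\", 1)[-1]
        if base not in names:
            names.append(base)
    return names + [p.rsplit("\\", 1)[-1] for p in dlls]


if __name__ == "__main__":
    chain_edges = parse_writes(WRITEPROCESSMEMORY_ROWS)
    print(" -> ".join(process_chain(chain_edges)))
    ids, dll_paths, models = parse_com_registration(REGISTRY_ROWS)
    print("CLSID:", ", ".join(sorted(ids)), "ThreadingModel:", ", ".join(sorted(models)))
    print("hunt terms:", hunt_terms(chain_edges, dll_paths))
```

The chain output is the direct reading of the table: the submitted sample writes into Hgocgjgk.exe, which writes into Hbdgec32.exe, and so on down the list, which is why the process list that follows shows the same names in the same order. The DLL paths recovered from InProcServer32 are the files to pull from a suspected host, since they, not the short-lived executables, are what survives a reboot once the CLSID is referenced by an autorun entry. On a host you would confirm the registration under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 and treat any value pointing into SysWow64 at a name not shipped by Windows as the indicator.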

Processes

C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"

C:\Windows\SysWOW64\Hgocgjgk.exe

C:\Windows\system32\Hgocgjgk.exe

C:\Windows\SysWOW64\Hbdgec32.exe

C:\Windows\system32\Hbdgec32.exe

C:\Windows\SysWOW64\Hqghqpnl.exe

C:\Windows\system32\Hqghqpnl.exe

C:\Windows\SysWOW64\Hgapmj32.exe

C:\Windows\system32\Hgapmj32.exe

C:\Windows\SysWOW64\Hnkhjdle.exe

C:\Windows\system32\Hnkhjdle.exe

C:\Windows\SysWOW64\Heepfn32.exe

C:\Windows\system32\Heepfn32.exe

C:\Windows\SysWOW64\Hkohchko.exe

C:\Windows\system32\Hkohchko.exe

C:\Windows\SysWOW64\Hnmeodjc.exe

C:\Windows\system32\Hnmeodjc.exe

C:\Windows\SysWOW64\Hegmlnbp.exe

C:\Windows\system32\Hegmlnbp.exe

C:\Windows\SysWOW64\Hjdedepg.exe

C:\Windows\system32\Hjdedepg.exe

C:\Windows\SysWOW64\Hannao32.exe

C:\Windows\system32\Hannao32.exe

C:\Windows\SysWOW64\Hghfnioq.exe

C:\Windows\system32\Hghfnioq.exe

C:\Windows\SysWOW64\Hnbnjc32.exe

C:\Windows\system32\Hnbnjc32.exe

C:\Windows\SysWOW64\Ielfgmnj.exe

C:\Windows\system32\Ielfgmnj.exe

C:\Windows\SysWOW64\Ilfodgeg.exe

C:\Windows\system32\Ilfodgeg.exe

C:\Windows\SysWOW64\Iabglnco.exe

C:\Windows\system32\Iabglnco.exe

C:\Windows\SysWOW64\Igmoih32.exe

C:\Windows\system32\Igmoih32.exe

C:\Windows\SysWOW64\Iaedanal.exe

C:\Windows\system32\Iaedanal.exe

C:\Windows\SysWOW64\Ijmhkchl.exe

C:\Windows\system32\Ijmhkchl.exe

C:\Windows\SysWOW64\Ihaidhgf.exe

C:\Windows\system32\Ihaidhgf.exe

C:\Windows\SysWOW64\Ibgmaqfl.exe

C:\Windows\system32\Ibgmaqfl.exe

C:\Windows\SysWOW64\Iloajfml.exe

C:\Windows\system32\Iloajfml.exe

C:\Windows\SysWOW64\Jehfcl32.exe

C:\Windows\system32\Jehfcl32.exe

C:\Windows\SysWOW64\Jlanpfkj.exe

C:\Windows\system32\Jlanpfkj.exe

C:\Windows\SysWOW64\Jdmcdhhe.exe

C:\Windows\system32\Jdmcdhhe.exe

C:\Windows\SysWOW64\Jelonkph.exe

C:\Windows\system32\Jelonkph.exe

C:\Windows\SysWOW64\Jnedgq32.exe

C:\Windows\system32\Jnedgq32.exe

C:\Windows\SysWOW64\Jjkdlall.exe

C:\Windows\system32\Jjkdlall.exe

C:\Windows\SysWOW64\Jeaiij32.exe

C:\Windows\system32\Jeaiij32.exe

C:\Windows\SysWOW64\Kbeibo32.exe

C:\Windows\system32\Kbeibo32.exe

C:\Windows\SysWOW64\Kdffjgpj.exe

C:\Windows\system32\Kdffjgpj.exe

C:\Windows\SysWOW64\Kajfdk32.exe

C:\Windows\system32\Kajfdk32.exe

C:\Windows\SysWOW64\Kongmo32.exe

C:\Windows\system32\Kongmo32.exe

C:\Windows\SysWOW64\Kalcik32.exe

C:\Windows\system32\Kalcik32.exe

C:\Windows\SysWOW64\Kkegbpca.exe

C:\Windows\system32\Kkegbpca.exe

C:\Windows\SysWOW64\Kaopoj32.exe

C:\Windows\system32\Kaopoj32.exe

C:\Windows\SysWOW64\Klddlckd.exe

C:\Windows\system32\Klddlckd.exe

C:\Windows\SysWOW64\Kemhei32.exe

C:\Windows\system32\Kemhei32.exe

C:\Windows\SysWOW64\Lkiamp32.exe

C:\Windows\system32\Lkiamp32.exe

C:\Windows\SysWOW64\Lacijjgi.exe

C:\Windows\system32\Lacijjgi.exe

C:\Windows\SysWOW64\Lhmafcnf.exe

C:\Windows\system32\Lhmafcnf.exe

C:\Windows\SysWOW64\Logicn32.exe

C:\Windows\system32\Logicn32.exe

C:\Windows\SysWOW64\Lddble32.exe

C:\Windows\system32\Lddble32.exe

C:\Windows\SysWOW64\Lojfin32.exe

C:\Windows\system32\Lojfin32.exe

C:\Windows\SysWOW64\Ledoegkm.exe

C:\Windows\system32\Ledoegkm.exe

C:\Windows\SysWOW64\Lbhool32.exe

C:\Windows\system32\Lbhool32.exe

C:\Windows\SysWOW64\Lhdggb32.exe

C:\Windows\system32\Lhdggb32.exe

C:\Windows\SysWOW64\Lcjldk32.exe

C:\Windows\system32\Lcjldk32.exe

C:\Windows\SysWOW64\Lhgdmb32.exe

C:\Windows\system32\Lhgdmb32.exe

C:\Windows\SysWOW64\Mclhjkfa.exe

C:\Windows\system32\Mclhjkfa.exe

C:\Windows\SysWOW64\Mdnebc32.exe

C:\Windows\system32\Mdnebc32.exe

C:\Windows\SysWOW64\Mkgmoncl.exe

C:\Windows\system32\Mkgmoncl.exe

C:\Windows\SysWOW64\Maaekg32.exe

C:\Windows\system32\Maaekg32.exe

C:\Windows\SysWOW64\Mhknhabf.exe

C:\Windows\system32\Mhknhabf.exe

C:\Windows\SysWOW64\Madbagif.exe

C:\Windows\system32\Madbagif.exe

C:\Windows\SysWOW64\Mdbnmbhj.exe

C:\Windows\system32\Mdbnmbhj.exe

C:\Windows\SysWOW64\Mklfjm32.exe

C:\Windows\system32\Mklfjm32.exe

C:\Windows\SysWOW64\Mafofggd.exe

C:\Windows\system32\Mafofggd.exe

C:\Windows\SysWOW64\Mebkge32.exe

C:\Windows\system32\Mebkge32.exe

C:\Windows\SysWOW64\Mojopk32.exe

C:\Windows\system32\Mojopk32.exe

C:\Windows\SysWOW64\Mdghhb32.exe

C:\Windows\system32\Mdghhb32.exe

C:\Windows\SysWOW64\Nakhaf32.exe

C:\Windows\system32\Nakhaf32.exe

C:\Windows\SysWOW64\Ndidna32.exe

C:\Windows\system32\Ndidna32.exe

C:\Windows\SysWOW64\Nlqloo32.exe

C:\Windows\system32\Nlqloo32.exe

C:\Windows\SysWOW64\Nooikj32.exe

C:\Windows\system32\Nooikj32.exe

C:\Windows\SysWOW64\Ncjdki32.exe

C:\Windows\system32\Ncjdki32.exe

C:\Windows\SysWOW64\Ndlacapp.exe

C:\Windows\system32\Ndlacapp.exe

C:\Windows\SysWOW64\Ncmaai32.exe

C:\Windows\system32\Ncmaai32.exe

C:\Windows\SysWOW64\Ndnnianm.exe

C:\Windows\system32\Ndnnianm.exe

C:\Windows\SysWOW64\Nconfh32.exe

C:\Windows\system32\Nconfh32.exe

C:\Windows\SysWOW64\Nfnjbdep.exe

C:\Windows\system32\Nfnjbdep.exe

C:\Windows\SysWOW64\Nlgbon32.exe

C:\Windows\system32\Nlgbon32.exe

C:\Windows\SysWOW64\Odbgdp32.exe

C:\Windows\system32\Odbgdp32.exe

C:\Windows\SysWOW64\Oohkai32.exe

C:\Windows\system32\Oohkai32.exe

C:\Windows\SysWOW64\Ofbdncaj.exe

C:\Windows\system32\Ofbdncaj.exe

C:\Windows\SysWOW64\Ollljmhg.exe

C:\Windows\system32\Ollljmhg.exe

C:\Windows\SysWOW64\Ocfdgg32.exe

C:\Windows\system32\Ocfdgg32.exe

C:\Windows\SysWOW64\Oloipmfd.exe

C:\Windows\system32\Oloipmfd.exe

C:\Windows\SysWOW64\Ochamg32.exe

C:\Windows\system32\Ochamg32.exe

C:\Windows\SysWOW64\Omaeem32.exe

C:\Windows\system32\Omaeem32.exe

C:\Windows\SysWOW64\Omcbkl32.exe

C:\Windows\system32\Omcbkl32.exe

C:\Windows\SysWOW64\Ocmjhfjl.exe

C:\Windows\system32\Ocmjhfjl.exe

C:\Windows\SysWOW64\Oflfdbip.exe

C:\Windows\system32\Oflfdbip.exe

C:\Windows\SysWOW64\Pmeoqlpl.exe

C:\Windows\system32\Pmeoqlpl.exe

C:\Windows\SysWOW64\Pbbgicnd.exe

C:\Windows\system32\Pbbgicnd.exe

C:\Windows\SysWOW64\Pmhkflnj.exe

C:\Windows\system32\Pmhkflnj.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8

C:\Windows\SysWOW64\Pofhbgmn.exe

C:\Windows\system32\Pofhbgmn.exe

C:\Windows\SysWOW64\Pbddobla.exe

C:\Windows\system32\Pbddobla.exe

C:\Windows\SysWOW64\Pmjhlklg.exe

C:\Windows\system32\Pmjhlklg.exe

C:\Windows\SysWOW64\Pcdqhecd.exe

C:\Windows\system32\Pcdqhecd.exe

C:\Windows\SysWOW64\Pfbmdabh.exe

C:\Windows\system32\Pfbmdabh.exe

C:\Windows\SysWOW64\Peempn32.exe

C:\Windows\system32\Peempn32.exe

C:\Windows\SysWOW64\Pkoemhao.exe

C:\Windows\system32\Pkoemhao.exe

C:\Windows\SysWOW64\Pcfmneaa.exe

C:\Windows\system32\Pcfmneaa.exe

C:\Windows\SysWOW64\Pbimjb32.exe

C:\Windows\system32\Pbimjb32.exe

C:\Windows\SysWOW64\Pehjfm32.exe

C:\Windows\system32\Pehjfm32.exe

C:\Windows\SysWOW64\Pmoagk32.exe

C:\Windows\system32\Pmoagk32.exe

C:\Windows\SysWOW64\Pkabbgol.exe

C:\Windows\system32\Pkabbgol.exe

C:\Windows\SysWOW64\Pcijce32.exe

C:\Windows\system32\Pcijce32.exe

C:\Windows\SysWOW64\Pbljoafi.exe

C:\Windows\system32\Pbljoafi.exe

C:\Windows\SysWOW64\Qejfkmem.exe

C:\Windows\system32\Qejfkmem.exe

C:\Windows\SysWOW64\Qppkhfec.exe

C:\Windows\system32\Qppkhfec.exe

C:\Windows\SysWOW64\Qbngeadf.exe

C:\Windows\system32\Qbngeadf.exe

C:\Windows\SysWOW64\Qfjcep32.exe

C:\Windows\system32\Qfjcep32.exe

C:\Windows\SysWOW64\Qihoak32.exe

C:\Windows\system32\Qihoak32.exe

C:\Windows\SysWOW64\Qkfkng32.exe

C:\Windows\system32\Qkfkng32.exe

C:\Windows\SysWOW64\Abpcja32.exe

C:\Windows\system32\Abpcja32.exe

C:\Windows\SysWOW64\Aeopfl32.exe

C:\Windows\system32\Aeopfl32.exe

C:\Windows\SysWOW64\Akihcfid.exe

C:\Windows\system32\Akihcfid.exe

C:\Windows\SysWOW64\Abcppq32.exe

C:\Windows\system32\Abcppq32.exe

C:\Windows\SysWOW64\Aealll32.exe

C:\Windows\system32\Aealll32.exe

C:\Windows\SysWOW64\Alkeifga.exe

C:\Windows\system32\Alkeifga.exe

C:\Windows\SysWOW64\Abemep32.exe

C:\Windows\system32\Abemep32.exe

C:\Windows\SysWOW64\Almanf32.exe

C:\Windows\system32\Almanf32.exe

C:\Windows\SysWOW64\Afceko32.exe

C:\Windows\system32\Afceko32.exe

C:\Windows\SysWOW64\Ammnhilb.exe

C:\Windows\system32\Ammnhilb.exe

C:\Windows\SysWOW64\Afeban32.exe

C:\Windows\system32\Afeban32.exe

C:\Windows\SysWOW64\Amoknh32.exe

C:\Windows\system32\Amoknh32.exe

C:\Windows\SysWOW64\Bejobk32.exe

C:\Windows\system32\Bejobk32.exe

C:\Windows\SysWOW64\Bppcpc32.exe

C:\Windows\system32\Bppcpc32.exe

C:\Windows\SysWOW64\Bflham32.exe

C:\Windows\system32\Bflham32.exe

C:\Windows\SysWOW64\Bcpika32.exe

C:\Windows\system32\Bcpika32.exe

C:\Windows\SysWOW64\Beaecjab.exe

C:\Windows\system32\Beaecjab.exe

C:\Windows\SysWOW64\Blknpdho.exe

C:\Windows\system32\Blknpdho.exe

C:\Windows\SysWOW64\Bbefln32.exe

C:\Windows\system32\Bbefln32.exe

C:\Windows\SysWOW64\Bmkjig32.exe

C:\Windows\system32\Bmkjig32.exe

C:\Windows\SysWOW64\Cpifeb32.exe

C:\Windows\system32\Cpifeb32.exe

C:\Windows\SysWOW64\Cfcoblfb.exe

C:\Windows\system32\Cfcoblfb.exe

C:\Windows\SysWOW64\Cibkohef.exe

C:\Windows\system32\Cibkohef.exe

C:\Windows\SysWOW64\Cmmgof32.exe

C:\Windows\system32\Cmmgof32.exe

C:\Windows\SysWOW64\Cplckbmc.exe

C:\Windows\system32\Cplckbmc.exe

C:\Windows\SysWOW64\Cdgolq32.exe

C:\Windows\system32\Cdgolq32.exe

C:\Windows\SysWOW64\Cffkhl32.exe

C:\Windows\system32\Cffkhl32.exe

C:\Windows\SysWOW64\Cidgdg32.exe

C:\Windows\system32\Cidgdg32.exe

C:\Windows\SysWOW64\Clbdpc32.exe

C:\Windows\system32\Clbdpc32.exe

C:\Windows\SysWOW64\Cdjlap32.exe

C:\Windows\system32\Cdjlap32.exe

C:\Windows\SysWOW64\Cekhihig.exe

C:\Windows\system32\Cekhihig.exe

C:\Windows\SysWOW64\Cmbpjfij.exe

C:\Windows\system32\Cmbpjfij.exe

C:\Windows\SysWOW64\Cpqlfa32.exe

C:\Windows\system32\Cpqlfa32.exe

C:\Windows\SysWOW64\Cfjeckpj.exe

C:\Windows\system32\Cfjeckpj.exe

C:\Windows\SysWOW64\Cmdmpe32.exe

C:\Windows\system32\Cmdmpe32.exe

C:\Windows\SysWOW64\Cdnelpod.exe

C:\Windows\system32\Cdnelpod.exe

C:\Windows\SysWOW64\Cfmahknh.exe

C:\Windows\system32\Cfmahknh.exe

C:\Windows\SysWOW64\Cepadh32.exe

C:\Windows\system32\Cepadh32.exe

C:\Windows\SysWOW64\Clijablo.exe

C:\Windows\system32\Clijablo.exe

C:\Windows\SysWOW64\Dbcbnlcl.exe

C:\Windows\system32\Dbcbnlcl.exe

C:\Windows\SysWOW64\Dinjjf32.exe

C:\Windows\system32\Dinjjf32.exe

C:\Windows\SysWOW64\Ddcogo32.exe

C:\Windows\system32\Ddcogo32.exe

C:\Windows\SysWOW64\Dfakcj32.exe

C:\Windows\system32\Dfakcj32.exe

C:\Windows\SysWOW64\Dlncla32.exe

C:\Windows\system32\Dlncla32.exe

C:\Windows\SysWOW64\Defheg32.exe

C:\Windows\system32\Defheg32.exe

C:\Windows\SysWOW64\Dibdeegc.exe

C:\Windows\system32\Dibdeegc.exe

C:\Windows\SysWOW64\Dpllbp32.exe

C:\Windows\system32\Dpllbp32.exe

C:\Windows\SysWOW64\Dbkhnk32.exe

C:\Windows\system32\Dbkhnk32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6688 -ip 6688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 224

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/4888-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hgocgjgk.exe

MD5 11dc3391ec1b3a1f33c9b52c2727dc82
SHA1 e36949fbf2bd540d0835ad611cab02277fb0f012
SHA256 8d6e26226ad4185cb7cf6446dee5eb54957ca37f8662034d10c2327403390c74
SHA512 b6f0e85f686d667b949063e1e46fc75c90b5b4b0d51187fb14d446078b371690c3fe2120fd8fcca59439570103253df872f2b05a98c566ef1c4b6ff0858b0435

memory/2556-7-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hbdgec32.exe

MD5 b404180d41bcf8be899b69dcfe312274
SHA1 3e0a04cd410b911aa16174ecb4812a243b4db47a
SHA256 bef2b9d307f8b5ef3bd999f9ce0a587258d3ff6159e5e7a56b73120b4fd31c45
SHA512 b2b1084d438c25c504b10b3ee10577f021313dd16486257e22def3f725f5be08a7bb3a9b519bba5a0d38cd15c7457eebb1123855f2a69be43b797da4c1ec2f30

memory/2304-20-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hqghqpnl.exe

MD5 f019a97e8b5e8e96e0f4257003c3dd6d
SHA1 a521c8c8830abffb704b43825390a37d65585c3e
SHA256 6986a045f1823a0b0ec855a3c3d608352634bb9b8839754e0d75453e427c7a37
SHA512 c2ca3a9540b80736f9b8d8e5e48c438816ee97dbf09503d0ba678ee4dbae23842a7b1bf02c1480bc992aa8c47362bc4a42b3562316ef736841fa87628fc63535

memory/3956-24-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hgapmj32.exe

MD5 78c476600d525115c64c4bee60741192
SHA1 91c5f1680b4db407e8e4d55c58d9297c0aba6a19
SHA256 dc1d0478831925331901132f5f53c3d848ae5c6388d376359acd34bdbf155d11
SHA512 7f374f00eb6be4c98fd723385f4dd13005b7eb19311f3f32bb39fb3defc805e21d4318e841d605abd83ed513f3fcf303c5810026e3e5170e7c87a358013c01b0

memory/3940-31-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hnkhjdle.exe

MD5 e24d04d280c4d3a04a2152db7a8980f9
SHA1 8be4357625a3a928888fa41204b0b269a58f6f1c
SHA256 8d70e6f9a32d78bf40ec4925c54419f7efd6823ca90ac6fb534651259e9f4c9a
SHA512 e43cba1848aa42b718e0b8498bbf192294b62ec21c17c9b816e2397ffd1bbd3453c6fe15171cb2cfb1554856307efe41557f56352d742f237f7c399f32471fee

memory/2896-39-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Heepfn32.exe

MD5 6b364c00f9fa3e2e6a23822d5c0a71da
SHA1 8a9c575871f0a8638e306083c601d476d08e4a2f
SHA256 9c5ef13f22266aff946eff799db8d03ee9b893fd45da024a88a4d4cedc1a37d1
SHA512 ec3257e6b9cbd1c3f6769991048bc6dd70a5eaed61ddfc8dd5b13265260dff2f8b06c5e1fbaf320196135249b68cda4bb9d454c3ad449a3024c9ea6dc6e988f2

memory/2036-48-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hkohchko.exe

MD5 f743df688c2ba1050c07836fc333660a
SHA1 0cc8d56f7af82558add0b4b913312b850e0a7961
SHA256 169236d51b1661063b55d7d65430cb36eebddf452249c63219f6d363d9fe34c9
SHA512 f0c6faaa9023832ba49f3f146dd4d93ff8b2972c7ebeb20b3284b945a15ad5512c91a20aa05d5a4d99f8a4c99d5dffe3c7b9cd4c5f47b7e28522c9f45f9b8efa

memory/1600-55-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hnmeodjc.exe

MD5 a64bb586d08d6bec4f385fff91d99ea0
SHA1 e02883c80657e1472ef7c00eb487364ed695ce9d
SHA256 c67e5a7824a7df7067980ebd0b895c502e3ad9a460abaf60d06cd0fcedf307e3
SHA512 10d26ec6aecc4a0fefa18b61f263b21b36e39f5d96098393ecbbafb404c72bfd70673b8944c9fcb955c9b12d883d5b262b0abd524a7a01d623234ad98c7ab02f

memory/5004-63-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hegmlnbp.exe

MD5 5c65dba6b8f0edb6a4f3a7ae7b872ec8
SHA1 1de30549281375bc17e0b94f636da41c159ec943
SHA256 f10fc23b36d10e65de3446dad04c696540f9af5fc4b1150eebecd413598345e2
SHA512 47e368587741fa215cca49cfdd7f1f29be603c9c6ef7f7e27dba2cc16db182a4bc393a48b698805b55bbeb513bf3359e03cd188f18b6f2a18d13757b3e685ab1

memory/3380-71-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hjdedepg.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Hjdedepg.exe

MD5 2d27b3affefd9fb483ad1e21b65dbd01
SHA1 77afc101da94c3455effbb486177c5cf3ecb4b56
SHA256 ef4b54514d62475df7485a16cbd9fbd88590bd13d47f5f56df279aa979df1921
SHA512 aba6d35db696c143834974ad78cb435802466e615d09f2d5494822a0dd977297055a283e3f8161b4cdab0424a02531e35ae903403573764b7520207b7fd73433

memory/1216-80-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hannao32.exe

MD5 2e71da18cbc556f7506a53cb0e203cdb
SHA1 91ed8706cbd52281d8808892fe1953a97b8619e6
SHA256 d2e21c140472a4da158c4d254a232afd09ac8c721fdea3e97890e6fab7157819
SHA512 2dd7d012c906741c369b634d2c67749fd1d39e0de181f3e48c09b059be69b6735d3c909c67d21511c8aacf1fff1b862a4894ac70bcc6e610dcd83dd068dc048f

memory/2800-87-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hghfnioq.exe

MD5 a8ceab32341146e797ec197a173f0623
SHA1 8ff121f001b9c8dec257b4a6d3fbd2eb83f92bce
SHA256 979d9017fd153f1d33c336ea92183c1f9e1187ff2c95594bf5bdb47b951e05ea
SHA512 40fb69e02058301bd817064d9d16b94d1c97a87befb3d9a3f3109aae7ef7786de9478ad943a425ac2cb3954af9095d3f9c6ad16de192cb2c65ed9d36044ae1d8

memory/2244-95-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Hnbnjc32.exe

MD5 8a11efa373dc3d3b2edb6f5c5a9818b4
SHA1 1a6d0dde30074f2a9f3b53775c9ddd90f31ed16f
SHA256 913af578e20c834dbe05e739a81bf100aafd86ce8d803b17dfb7999035d36b64
SHA512 fd748f3749d274e79ff9d2841db5a4000f512033728f4e588da7d97489df07d84225eb6f12700e7b39e215e1a7de661315865d98ad86507bd3b239fde41a1080

memory/1572-103-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ielfgmnj.exe

MD5 29f3572612b134bdd11123798c04a1a0
SHA1 506042919307b38a3503f0b62bcc513140535f39
SHA256 c14db6aa19beeb451fc3058ec2762a94073aa29d2c749329aea2305771aad219
SHA512 30b5fb08fb1fdcf710eded59c91222de21eeca1a176bb603c0eef1ad1a5a77058eeba29cc27547c648092e72e9c2f88cc0ac239a876c5df64c9cf1c81707e633

memory/1520-112-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ilfodgeg.exe

MD5 676029837d84e36bf31ae3c83c2b0a05
SHA1 d93ae8823ec6b5f216520d49a39a6b4c1fab7df1
SHA256 f22d57ebd93ba41b8e73a3ca155a76812866565b2bfb6c423e0653cf5fd48423
SHA512 2984b5150f7c1544d276e2e14182b880d195e9a437a26d980da3832603713326d21926ed3b4d61a02b765e172984431b81fe1daabdb8d44c08e5d024fb670d69

memory/4484-119-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Iabglnco.exe

MD5 4ef23a283be95de1ddfa8d6bfed778eb
SHA1 118dbdf3cf1d501f8cd04743d683011cc36687a0
SHA256 b3c4f82c57b1afbac31b43066df44dc96eda0954450fd5597402766d1bcb66e1
SHA512 0f82f92dbaa046f266c618f9a1800a5ca0ba8e1305697a6a9550c3b4c6a332b74159c3283cebf3a0f9b2e6bba98786da9d8348e0f0d197084e455f344065c5e1

memory/4068-128-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Igmoih32.exe

MD5 a0c16ec34cde681ab64bd66ebd0522b2
SHA1 568e423e2aa2ae4b0d3c84bb201a00caded69071
SHA256 fce956f3cc12f56ba9daac50cac22976af9b313f683c69696d3c340d7ba3cf3c
SHA512 99899df5df97533fc0cf2a79757c9736f8170b700d117f6c862afbb19a31d2851842322a3cb570499fbcec54db5db32ecbc8e66930d9cef851257c77657efb62

memory/4696-135-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Iaedanal.exe

MD5 76c29813ccca3582047ef2152659a24a
SHA1 9570e2576764d16c4bb76c5997ce471e79705374
SHA256 3609fad1d5e46cd80e46dbd12e476a95896cdc5ef1fcd4ee444477c84bd330d5
SHA512 651fb5ddcd0296e9ee180b8d103a862490ff6b94ff30d748d66ebb3da0c42b7a564876df5b2ffc26751b40f9ca3c1667006ab9b51fe1c7272278deb0630ca2c6

memory/3784-143-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ijmhkchl.exe

MD5 d7b0064e180354cade7de4e4a06ea2f6
SHA1 eee238ce6f6c525c9c7084086223cd7a2796d750
SHA256 3807247ea28f6181d154903076679a1721767847453c21e12bd377efadd23e48
SHA512 9562e8fe427b102276e302a0ef5eacce86d44552054a448cd91e4bd06cb33aa1618d4f8fd5377dfc28ab6b2e9f8c21d1db60438cb8e2d052e4fc71bf6d050b4c

memory/3604-151-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ihaidhgf.exe

MD5 61aec923d51e3f20735dffc8351e9ee6
SHA1 40a430014464af6519de2c26eb964763b806deb3
SHA256 3f8600800bf071092cd3dca8ac46ad0b4e3f890a8de6f862039b56633e629537
SHA512 e8465be77bb2cffc7c9d6ae46ff9877fd156eee53c6fc1369db0af09500683b3302a229ed528d01b3e84fd625c7d80b051d7d6fec4d9aa63fb964aaf73d06ea7

memory/2316-159-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2064-167-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ibgmaqfl.exe

MD5 cda56ee700a4168eb7c686247324c3bd
SHA1 d7a71760bf17019d31af689b33e6e4bdbf5a4683
SHA256 28814d9b26e47f1d881d8ec3b4c460a0f6763665bbc07a6b12d6e3f76d10a6d5
SHA512 9c05af655fb45e3bf27be80bf16e37973379de910330ee996b165d9bfe48fc8de4099132ce59fa041e5ef593af8082df78e259d2e974e01418732d8260e86358

memory/3108-175-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Iloajfml.exe

MD5 d4db97cf7947b081100bf0cb3c51d844
SHA1 38c2e21595ad4755c148727d783d13fce84c3f49
SHA256 46606f4d6edbd7eba198b5264a5611ccc858251a383b09efe6f64d9d1c4e0809
SHA512 73203bc23521c4b8716697d5ad184016fb6a32cbc48ef3fdadb1f13aeab565c3757df288154484c5a12e8c71fd45f0fab1f5c00000beb5a4ccd642725c0ef7d1

C:\Windows\SysWOW64\Jehfcl32.exe

MD5 87a9653184f30ca341e93751f3c5a22f
SHA1 5c2cdb07f0e354ee607d3d5b0cf8996ebd442566
SHA256 acc163adb317ead924ac728556b7cf44d4ac63f5a523f3125111f3524dcd5ba4
SHA512 91aff5d5acd44b3e5b5cf7f141e904f0ef1f9d480bd32f9cc497a579f96724c22e9e7441684538e1e2a9666bbfa026888492df91e74037c8ceff73629c5747b3

memory/4632-183-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jlanpfkj.exe

MD5 917e46894cea90d5d16279a383bcff0e
SHA1 cb3af02e73e18fb79c18a097c8ec673b4309e514
SHA256 db986ffc5e84b831bf2e61310b761ddbc6031174069247c555b01077a790af37
SHA512 3e174774430b733e5c85af03bf516a2e5f1b1b09e1d4a3111a3d2af122cf3cb4a9924b4aabe6ff6e4eb61c1ced4805934fdc7307023d92c938ef79226f22a088

memory/1940-191-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jdmcdhhe.exe

MD5 b6df36773c6855f3250825f843c40c84
SHA1 96a6e7fd5388677e5dc6eb9f6955938cde7085e4
SHA256 9c53992ad78ba63d2d48bf6dfdaaaf2b217c9abddd8eb09a32ceaf886512ca8f
SHA512 37819e1ee43e67d8aa9ae101e0dfc586291697fe9a265ac17f50f883cc758f9ca1cb5d361285dd1a79b9eee24f2db1b05805969f5569defec8499a9a92acba69

memory/2252-199-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jelonkph.exe

MD5 fb1d89c191064b5222b05aff47852838
SHA1 02a16c8e58c04dfa4f01ca49bf2d636c74b6ce67
SHA256 8b8f7957ed70dae98dea5acf127c6833c6d23a5d90d0418d320b470d60ac1563
SHA512 bcb3b4835a20962af9acc8fb3b1a7bd835ef702a075917e064004909fc3e543a1b79990e582a50b504dffff7bbd8d03c2b5153f3e84152b23c3f25b9b16d2d91

memory/1932-207-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jnedgq32.exe

MD5 c77b44169b7b275c62cc4d688010a545
SHA1 0308a2ca96cdbf38b281080d04adef94197be4a3
SHA256 248d729d3415adcc6d016fb507eb1d7b34ab7560ce67dd5ed09d63a45520cbea
SHA512 6ecd71ed6ede3e6f72cb35fbe7cfc4406078885a69386661f86156cddc1140e4af2c3f7e150ee761163df34c3ffa4434f5fa370046e5fa70e58c50bc1d4a9aac

memory/4012-215-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jjkdlall.exe

MD5 58302e334f5876d6e02e3e77fecb1edb
SHA1 c194b466651b7b2c5bdf1126f6a38d0f266c41ac
SHA256 78250ab6f03e1d49b844c14a7fa8adec96431162b2d65ea5e4ff307e4820e7c2
SHA512 16a58dda91ee589441339c84a0d2d570ab5916cde9dbbef39a4fe6a42462e9cc5924c4a7f6f5ceb4df30dd991d82003ede856d9b3abcbc4f6f631c5204e84937

memory/4548-223-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jeaiij32.exe

MD5 5edec2b9088ca5995b4415b2314fb790
SHA1 22d0ae90b90637fb8da6d135b4dc87b0cd34c0ac
SHA256 eeb8cc67fe1a7fb760c4d672c7e86e73667377035a9da02d1cc2403802682872
SHA512 309e1133be743b543bd8338bc844c8d595670eae5664ab3275c419da8c43ccaa5e0573c5b4416f512001ed8b957bcc4224c5012ca5291ba85cd359f12ff9a9b9

memory/968-231-0x0000000000400000-0x000000000042F000-memory.dmp

memory/684-239-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Kbeibo32.exe

MD5 d74ebb62554457e8930cad282ea77b6b
SHA1 91bb2a91d962640f9b317ff395408f22224b94d8
SHA256 26689ed7fab060d3a42b2869fe605c76809ae3bae87ada6ea7908774b18f643f
SHA512 aee7d140e8ba9fa3bd32dc4a34c0a4b40a659053b64811145baccaf12f4c46ac79baddadbaf7fe1ecebc538e32c792d93d5fd6543306083f460fe050d3186219

C:\Windows\SysWOW64\Kdffjgpj.exe

MD5 ec644ac26725c966a65f3261d0bcdabf
SHA1 0fad629a3be01bd613df2fb1d2930619b3a5dd1c
SHA256 fe20b71911a1beb54618b9294074d9fd8e3bb241626477cf3c5cb61979f077e2
SHA512 b3c4a7f958e72e5ac51a13c085a4b304e20543c4d1d465241db55f350fde37462cc106655b52f090de01cb3ce75e926d7d9ad197b1a0cf6f463b1e5238bc4e47

memory/1156-247-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Kajfdk32.exe

MD5 c66c5b52d246e9f4ac43246a57b1de8a
SHA1 59ed82625b11d41c150bfdac67235fb0136302f7
SHA256 b9fd03c7b4fd5e1a3ecb04cd6e02b59359c2250f301d4ce73d6ad13cdfe4b1a3
SHA512 a9aa9ef3026f95d126cb6b18ce8fe7a104988805aa165ea63eb75e592c2c50d10f9b3a8ec758a5bdf119ab1687ad9f05cb9cad5ae0ff30459f7d7efeffe2bbe2

memory/3688-255-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Kongmo32.exe

MD5 2049727cb301c042c350c5dcd2a01657
SHA1 ddbc3037f357fffe76fe525a6f754ec1b87cff89
SHA256 38ab688eeafbf60232903317d6ea906dcaed4d7b356700aa15779ba18072d7d0
SHA512 1ee348b025cb59ea4ec0d040ea24a1a945ea4d8f3c8df018e27d1f4f494b731e4ad93f95485468b4141531537c163abf006b2a3b7a25cff9803ad1dd2c615bbb

memory/520-262-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5076-268-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Kkegbpca.exe

MD5 4507043779ec0d7d72cb6d36e86938b8
SHA1 94e349e76200e86c19717b62b17d78d151dd3d58
SHA256 c14d10fe8a866161ef1b0d4de2043d13231c19fe47a5ff315720b946d8cab126
SHA512 96121fe9b566a60067e318b0de0ce8924ecb989d6960d772cee806dc28e0c8bb77dd8388add5b1039f2af55ac6c02344d94047bdc78e653ca5801ccaa54d00f8

memory/3172-274-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5104-280-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Klddlckd.exe

MD5 fbb0bdf9486c1059664303f5e6fdabcb
SHA1 bba114e1b2a387240516c972a9b07a5bd91df67f
SHA256 9e701778a7184577d90f5a69ed202ae349352fd2b03c19e8144159eadece9da5
SHA512 a8e8baeabc7a5a0bf9320f507243eebfd28f4469aed72d99b9032626d8bf3abe53cb350b96283eba158bf620e272b6a70ce4cb7058ecd92014df9325fa53df52

memory/980-286-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1072-292-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2732-298-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1148-304-0x0000000000400000-0x000000000042F000-memory.dmp

memory/224-310-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Logicn32.exe

MD5 517fe7985862d84c34752efe39ccda9f
SHA1 8b08a822269eee91757918b5a1019a034e7ceb50
SHA256 220787374661d69e62c892047e56ca1f5dccfd84b36a7c63e9c5d11505108ffa
SHA512 8a12f8c7a7bffa4ebf75279dde73bc49c621720b6bb000b32bb0980d47d7cc62b84884d5577a0eef2f84e74b14605bec72359ec2fc39ffc09bf0bd84ebdd2ba7

memory/452-316-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2876-322-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3944-328-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4660-334-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Lbhool32.exe

MD5 8219516692953848a390655e2aadefb9
SHA1 184f2c5401b444599ef53b552325811638f5d2e9
SHA256 576f6d30b5d3dd8cd11b6790748f1a44d2062351c52655ee2c9b17bb4adedc4a
SHA512 75bb8c3215ae637de91ed27705abe70aa88265b5c02a629c822460a45fe2f024f47c450959a03ad2a4547d4980023400aa10bea3201b58201c55c3df358278c6

memory/4200-340-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4988-346-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2032-352-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2136-358-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4432-364-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4008-370-0x0000000000400000-0x000000000042F000-memory.dmp

memory/776-376-0x0000000000400000-0x000000000042F000-memory.dmp

memory/244-382-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1944-388-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2616-394-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1120-400-0x0000000000400000-0x000000000042F000-memory.dmp

memory/948-406-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mafofggd.exe

MD5 e72211c5b99a388901bd06523d02f913
SHA1 c5d3edc885a2916dd3a8c0ab58ad9d30dc6b2b53
SHA256 6e2cbeac7968d7502d98dbd2831bb8203fe02bb0c1b06cdb1b8742847d8017f0
SHA512 ec413e28cdc23dace360ac91228281cfeced68e802bb53c717e143a24d8a8be5b5724f8f23377aa5aa2206bd56cf4ce4382d3b5fcd97603d25a20fa4f5f36d00

memory/2424-412-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4576-418-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3832-424-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4560-430-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2224-436-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3464-442-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3516-448-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1656-454-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1784-460-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3524-466-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ncmaai32.exe

MD5 4a9d6bc383eb74b24682a09bc2412341
SHA1 2a9e3cf1a117d28362b10dc509ca2a74b0d5f549
SHA256 045bf6e201fc0c72c8b648ab5bdcf400a00f7784f2c5265213e9acf61f847600
SHA512 a310b8765921370db3661cb51eeb530eb9ca0fa6e777a3ec2ae01f8499bc7256d4ccc419768c8e577173a1d71226a2a88acca919e7ad687d350c148f3f5c72a6

memory/2060-472-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1848-478-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3428-484-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Nfnjbdep.exe

MD5 a12251259b965a61c7c38e3514c90c4c
SHA1 a2aa2b9baeff10183572b9cf529addfa450ea3dd
SHA256 8ec038fa461c77a672255f8c88c84f49560d818ad7c7091dabe66f99810a5756
SHA512 dfa1704f44eda8d5150c8c8015480a2ea1334719b9df8b6ab5d092dba96258953da4f1fe9666e848c06f2e0e65ccc8f383c7d5a6bdae09f1b0ed0dc1b3670270

memory/4924-490-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Nlgbon32.exe

MD5 796c38ecc6f3f2646c732b101c319442
SHA1 23b373575ddb661c99b650e8d56903704df13e2c
SHA256 2a638be6eacf5a8e31bb1b231c0536d9db8f9d4bd05c1cd59264986c7783b8ca
SHA512 758bf6d14e852606b078212996e0105e13b25e3b81d3d7e4ee40e269c05fe16f3f8c48c4171436efef842aadb8f69df2a5667176e7bcd73174ce273a83067e35

memory/5084-496-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3916-502-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4968-508-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1760-514-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3588-520-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5060-526-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1780-532-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4692-538-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4404-545-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4888-544-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2556-551-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2928-552-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1836-558-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3956-564-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4792-565-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3940-571-0x0000000000400000-0x000000000042F000-memory.dmp

memory/816-572-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2896-578-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3052-579-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2036-585-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3244-586-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1600-592-0x0000000000400000-0x000000000042F000-memory.dmp

memory/928-593-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5004-599-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Qkfkng32.exe

MD5 8f2aa2c5524993b0ed9a7d121abe4e8b
SHA1 6ec8e1ce0bb4db3305a5753696c542503b4300ce
SHA256 6f9b342b552d7c1c51681706fd6c91a9cb8a04b98f57cc1f469902720f6d17f1
SHA512 3c5a041b70e7aaa41cc3b57ab0b524446c61f62bd15c1d7cbf3b10f5ec712b4f22641f51f0f0d4e62e88b4b94322964a613f9de7d9ec3b68136b8e816293178b

C:\Windows\SysWOW64\Almanf32.exe

MD5 da4625b9ae1b43218bfc1ed488fedeb2
SHA1 c3b70add5d88beea8e06017066cc687aef7bd723
SHA256 5c5c7d5bc132b2355c9f86d5ac5aa46032832bbf3e477be38be5931399f432e7
SHA512 67776d8270b525e4f352c4d153c1e62c7e50bd208acc82cb45664682ec3b14cf065a295c680fa964b8750da51807cd6f280e78feb93c6432467c32920f407ab5

C:\Windows\SysWOW64\Afeban32.exe

MD5 be25f44bbc005df6864827b943e00920
SHA1 290dd18b1103d5ef6dd62a960c24d3094bd5d0ca
SHA256 357eb7595ef19e71afbcefed22024dc3ec07c6426fbeed932abae9ec14ce7a86
SHA512 594b2e824a161c05766601672ae7c7eaa13955fbd741a0a9d1bd4f0db1b678fb543e108f6dae055c683e37a3184fe7b2f85a3430c0e8b39913d7702cc8b21bfc

C:\Windows\SysWOW64\Bppcpc32.exe

MD5 0057fd992d9ad960e793047f55e6260b
SHA1 9c3ed5da687c9384404ba1ba6b799b229cb01d79
SHA256 af87621e138e6186ab668fd36ab51eaf0ddaa0a75d261f96b94749aa072db5a4
SHA512 8227f9a1e9ff9d1f0cce4a7cabd7250df2b8d90f17383b90ea478e1ac3b88393b2a32a2a7d4810246e5644d122b9cb4696539f993999553cb95dd23ceac303d9

C:\Windows\SysWOW64\Blknpdho.exe

MD5 9b1892c1f7d45b68b5a232b87f8e81ff
SHA1 24b36a65c989ea3e0442057c12a194fafbca4e79
SHA256 546a87582d273d2f0eeb1446309a5f31d67f4a3707f3b1bfaa879956e6da202b
SHA512 9289f40022525dc1a50203d491617e831fff5f2dd8aabb4b4ed0a60ffe914caa0850fe7f7e918540d80732f2a9bd37c12321bc6783b7a387bb31617019628ceb

C:\Windows\SysWOW64\Cmdmpe32.exe

MD5 2bc3622e593e83a1d530d3a8cdb08aee
SHA1 0889e365575b7a20b20da7550038009c315b9b5e
SHA256 a5f8c5e6cd18cf7933da67b4db3c11f8893a6ee76a27e83cdc0b54869bf1cbb0
SHA512 b196af988455c48d4459c8af46498172562aedcfcc0dc6d8d860272d9e5d69ad46b5e15fdf7bf1174273c373eca30b6f9ed287c494d408c2ec6025df610315a7

C:\Windows\SysWOW64\Clijablo.exe

MD5 4de8ada9497a841de511bed8b947a013
SHA1 c93cba46eb290389f606d87181d6de9becb322b6
SHA256 1cb87a7a27bfe14c05eed94a6b6ec001029340552bdc7759e7672f99d5c5296c
SHA512 bbf87ab0ccbcdd5e06e43509296634aec504acc6502f7d7c222e33826f1d2ed67150993ffac7791c86bb9637fd6c86da7d23b69eccec8fa897e1337ee6adf2ac

C:\Windows\SysWOW64\Dinjjf32.exe

MD5 4eb8cb54e1f7e93a8ccd633ad5d6b554
SHA1 a70cfcb3803fddfd521d0d13fe60eceed99c00ba
SHA256 2ef0251e9b03143d80086eec9411f3497af2d41111c8bed7e038694e843abdac
SHA512 894d467f24385a839bb8760b205c7e160b47a9d80f4dc12ba31821c050b6b58a55edc30fe47d7a885a2e68bdfcca1d549eb72f1c28a84fc654a2af828bb179e8

C:\Windows\SysWOW64\Dibdeegc.exe

MD5 997e57d494f68e33e5c076597dac7550
SHA1 53e45a0eae624501f443682f8e5c8204454d6d26
SHA256 70c06fa94ba5e6912787cf1d9d73df6a0de81fc6c36f436ac69072ab5586c536
SHA512 cdc1c689cbbe18f204b1f21c6a2541a83afc25425821bcac1af3000865199afd98b0a5b8bdd3144b61dce44634eb9f0f00914653aba34f1758776163ad962090

C:\Windows\SysWOW64\Dbkhnk32.exe

MD5 7cf55e17bb99a3662b8614d9f0d48da4
SHA1 2971558a62d91c4f578acbe38f72d79e1968a455
SHA256 5b69f01db9b721a9ad6cfa7ca2bfe42053c32765d6f02651be6d7d2c3478f7f0
SHA512 66e4cdeb7bc9e18aeee286018054a2e2be6ffb7217efa7adfb27b812333fdd49599179a30c5b958b9d3d368751b93cfd6e28afdabd288b797157a5072848348a

memory/6292-1081-0x0000000000400000-0x000000000042F000-memory.dmp

memory/6188-1083-0x0000000000400000-0x000000000042F000-memory.dmp

memory/6248-1082-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5636-1170-0x0000000000400000-0x000000000042F000-memory.dmp