Malware Analysis Report

2025-01-23 00:33

Sample ID 240916-ry1ktasgmd
Target Backdoor.Win32.Berbew.AA.MTB-1dc928f9fe3e0549844f947acfa62d6adaf1a2a2c8c543b27d62a561b90bbe36N
SHA256 1dc928f9fe3e0549844f947acfa62d6adaf1a2a2c8c543b27d62a561b90bbe36
Tags
berbew backdoor discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

1dc928f9fe3e0549844f947acfa62d6adaf1a2a2c8c543b27d62a561b90bbe36

Threat Level: Known bad

The file Backdoor.Win32.Berbew.AA.MTB-1dc928f9fe3e0549844f947acfa62d6adaf1a2a2c8c543b27d62a561b90bbe36N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 14:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 14:36

Reported

2024-09-16 14:38

Platform

win7-20240903-en

Max time kernel

33s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Berbew

backdoor berbew

Executes dropped EXE


Loads dropped DLL


Drops file in System32 directory


Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

System Location Discovery: System Language Discovery

discovery

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blkioa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bajomhbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdkgocpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" C:\Windows\SysWOW64\Cgbfamff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll" C:\Windows\SysWOW64\Pngphgbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abphal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" C:\Windows\SysWOW64\Chkmkacq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aniimjbo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chkmkacq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnkga32.dll" C:\Windows\SysWOW64\Qodlkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qniedg32.dll" C:\Windows\SysWOW64\Aganeoip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qodlkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll" C:\Windows\SysWOW64\Qflhbhgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll" C:\Windows\SysWOW64\Bonoflae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oancnfoe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amnfnfgg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmhideol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" C:\Windows\SysWOW64\Bobhal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cddjebgb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qeaedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmhideol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cilibi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeaedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll" C:\Windows\SysWOW64\Bbdallnd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bonoflae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogmhkmki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjnmlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbdallnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll" C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bphbeplm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Okdkal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll" C:\Windows\SysWOW64\Agfgqo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Behgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbdnko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pckoam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll" C:\Windows\SysWOW64\Oqcpob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohhkjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll" C:\Windows\SysWOW64\Bdkgocpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll" C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cphndc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" C:\Windows\SysWOW64\Bajomhbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Beejng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll" C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll" C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll" C:\Windows\SysWOW64\Pfdabino.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cphndc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afnagk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Agfgqo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohhkjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfdabino.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Olonpp32.exe
PID 2908 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Olonpp32.exe C:\Windows\SysWOW64\Oomjlk32.exe
PID 2788 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Oomjlk32.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 2648 wrote to memory of 1796 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 1796 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 1048 wrote to memory of 1868 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Ohhkjp32.exe
PID 1868 wrote to memory of 768 N/A C:\Windows\SysWOW64\Ohhkjp32.exe C:\Windows\SysWOW64\Onecbg32.exe
PID 768 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Onecbg32.exe C:\Windows\SysWOW64\Oqcpob32.exe
PID 3056 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Oqcpob32.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 1984 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 2944 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pdaheq32.exe
PID 2508 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Pdaheq32.exe C:\Windows\SysWOW64\Pfbelipa.exe
PID 1260 wrote to memory of 1308 N/A C:\Windows\SysWOW64\Pfbelipa.exe C:\Windows\SysWOW64\Pmlmic32.exe
PID 1308 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Pmlmic32.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 2208 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pfdabino.exe
PID 2344 wrote to memory of 1676 N/A C:\Windows\SysWOW64\Pfdabino.exe C:\Windows\SysWOW64\Pjpnbg32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Olonpp32.exe

C:\Windows\system32\Olonpp32.exe

C:\Windows\SysWOW64\Oomjlk32.exe

C:\Windows\system32\Oomjlk32.exe

C:\Windows\SysWOW64\Oalfhf32.exe

C:\Windows\system32\Oalfhf32.exe

C:\Windows\SysWOW64\Okdkal32.exe

C:\Windows\system32\Okdkal32.exe

C:\Windows\SysWOW64\Oancnfoe.exe

C:\Windows\system32\Oancnfoe.exe

C:\Windows\SysWOW64\Ohhkjp32.exe

C:\Windows\system32\Ohhkjp32.exe

C:\Windows\SysWOW64\Onecbg32.exe

C:\Windows\system32\Onecbg32.exe

C:\Windows\SysWOW64\Oqcpob32.exe

C:\Windows\system32\Oqcpob32.exe

C:\Windows\SysWOW64\Ogmhkmki.exe

C:\Windows\system32\Ogmhkmki.exe

C:\Windows\SysWOW64\Pngphgbf.exe

C:\Windows\system32\Pngphgbf.exe

C:\Windows\SysWOW64\Pdaheq32.exe

C:\Windows\system32\Pdaheq32.exe

C:\Windows\SysWOW64\Pfbelipa.exe

C:\Windows\system32\Pfbelipa.exe

C:\Windows\SysWOW64\Pmlmic32.exe

C:\Windows\system32\Pmlmic32.exe

C:\Windows\SysWOW64\Pokieo32.exe

C:\Windows\system32\Pokieo32.exe

C:\Windows\SysWOW64\Pfdabino.exe

C:\Windows\system32\Pfdabino.exe

C:\Windows\SysWOW64\Pjpnbg32.exe

C:\Windows\system32\Pjpnbg32.exe

C:\Windows\SysWOW64\Pcibkm32.exe

C:\Windows\system32\Pcibkm32.exe

C:\Windows\SysWOW64\Pbkbgjcc.exe

C:\Windows\system32\Pbkbgjcc.exe

C:\Windows\SysWOW64\Piekcd32.exe

C:\Windows\system32\Piekcd32.exe

C:\Windows\SysWOW64\Pkdgpo32.exe

C:\Windows\system32\Pkdgpo32.exe

C:\Windows\SysWOW64\Pckoam32.exe

C:\Windows\system32\Pckoam32.exe

C:\Windows\SysWOW64\Pfikmh32.exe

C:\Windows\system32\Pfikmh32.exe

C:\Windows\SysWOW64\Pkfceo32.exe

C:\Windows\system32\Pkfceo32.exe

C:\Windows\SysWOW64\Qflhbhgg.exe

C:\Windows\system32\Qflhbhgg.exe

C:\Windows\SysWOW64\Qkhpkoen.exe

C:\Windows\system32\Qkhpkoen.exe

C:\Windows\SysWOW64\Qodlkm32.exe

C:\Windows\system32\Qodlkm32.exe

C:\Windows\SysWOW64\Qeaedd32.exe

C:\Windows\system32\Qeaedd32.exe

C:\Windows\SysWOW64\Qjnmlk32.exe

C:\Windows\system32\Qjnmlk32.exe

C:\Windows\SysWOW64\Aniimjbo.exe

C:\Windows\system32\Aniimjbo.exe

C:\Windows\SysWOW64\Aganeoip.exe

C:\Windows\system32\Aganeoip.exe

C:\Windows\SysWOW64\Amnfnfgg.exe

C:\Windows\system32\Amnfnfgg.exe

C:\Windows\SysWOW64\Aeenochi.exe

C:\Windows\system32\Aeenochi.exe

C:\Windows\SysWOW64\Achojp32.exe

C:\Windows\system32\Achojp32.exe

C:\Windows\SysWOW64\Ajbggjfq.exe

C:\Windows\system32\Ajbggjfq.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Apoooa32.exe

C:\Windows\system32\Apoooa32.exe

C:\Windows\SysWOW64\Agfgqo32.exe

C:\Windows\system32\Agfgqo32.exe

C:\Windows\SysWOW64\Agfgqo32.exe

C:\Windows\system32\Agfgqo32.exe

C:\Windows\SysWOW64\Afiglkle.exe

C:\Windows\system32\Afiglkle.exe

C:\Windows\SysWOW64\Acmhepko.exe

C:\Windows\system32\Acmhepko.exe

C:\Windows\SysWOW64\Abphal32.exe

C:\Windows\system32\Abphal32.exe

C:\Windows\SysWOW64\Afkdakjb.exe

C:\Windows\system32\Afkdakjb.exe

C:\Windows\SysWOW64\Acpdko32.exe

C:\Windows\system32\Acpdko32.exe

C:\Windows\SysWOW64\Abbeflpf.exe

C:\Windows\system32\Abbeflpf.exe

C:\Windows\SysWOW64\Afnagk32.exe

C:\Windows\system32\Afnagk32.exe

C:\Windows\SysWOW64\Bilmcf32.exe

C:\Windows\system32\Bilmcf32.exe

C:\Windows\SysWOW64\Bmhideol.exe

C:\Windows\system32\Bmhideol.exe

C:\Windows\SysWOW64\Blkioa32.exe

C:\Windows\system32\Blkioa32.exe

C:\Windows\SysWOW64\Bbdallnd.exe

C:\Windows\system32\Bbdallnd.exe

C:\Windows\SysWOW64\Becnhgmg.exe

C:\Windows\system32\Becnhgmg.exe

C:\Windows\SysWOW64\Biojif32.exe

C:\Windows\system32\Biojif32.exe

C:\Windows\SysWOW64\Bphbeplm.exe

C:\Windows\system32\Bphbeplm.exe

C:\Windows\SysWOW64\Bphbeplm.exe

C:\Windows\system32\Bphbeplm.exe

C:\Windows\SysWOW64\Bnkbam32.exe

C:\Windows\system32\Bnkbam32.exe

C:\Windows\SysWOW64\Bajomhbl.exe

C:\Windows\system32\Bajomhbl.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Bhdgjb32.exe

C:\Windows\system32\Bhdgjb32.exe

C:\Windows\SysWOW64\Bonoflae.exe

C:\Windows\system32\Bonoflae.exe

C:\Windows\SysWOW64\Bbikgk32.exe

C:\Windows\system32\Bbikgk32.exe

C:\Windows\SysWOW64\Behgcf32.exe

C:\Windows\system32\Behgcf32.exe

C:\Windows\SysWOW64\Bdkgocpm.exe

C:\Windows\system32\Bdkgocpm.exe

C:\Windows\SysWOW64\Bhfcpb32.exe

C:\Windows\system32\Bhfcpb32.exe

C:\Windows\SysWOW64\Blaopqpo.exe

C:\Windows\system32\Blaopqpo.exe

C:\Windows\SysWOW64\Boplllob.exe

C:\Windows\system32\Boplllob.exe

C:\Windows\SysWOW64\Baohhgnf.exe

C:\Windows\system32\Baohhgnf.exe

C:\Windows\SysWOW64\Bhhpeafc.exe

C:\Windows\system32\Bhhpeafc.exe

C:\Windows\SysWOW64\Bfkpqn32.exe

C:\Windows\system32\Bfkpqn32.exe

C:\Windows\SysWOW64\Bobhal32.exe

C:\Windows\system32\Bobhal32.exe

C:\Windows\SysWOW64\Bmeimhdj.exe

C:\Windows\system32\Bmeimhdj.exe

C:\Windows\SysWOW64\Chkmkacq.exe

C:\Windows\system32\Chkmkacq.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Cilibi32.exe

C:\Windows\system32\Cilibi32.exe

C:\Windows\SysWOW64\Cpfaocal.exe

C:\Windows\system32\Cpfaocal.exe

C:\Windows\SysWOW64\Cbdnko32.exe

C:\Windows\system32\Cbdnko32.exe

C:\Windows\SysWOW64\Cklfll32.exe

C:\Windows\system32\Cklfll32.exe

C:\Windows\SysWOW64\Cmjbhh32.exe

C:\Windows\system32\Cmjbhh32.exe

C:\Windows\SysWOW64\Cphndc32.exe

C:\Windows\system32\Cphndc32.exe

C:\Windows\SysWOW64\Cddjebgb.exe

C:\Windows\system32\Cddjebgb.exe

C:\Windows\SysWOW64\Cgbfamff.exe

C:\Windows\system32\Cgbfamff.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 140

Network

N/A

Files

SHA512 637936049aa8c772d0c486827cf5685430940ba87025cd5f3891bf09cfe326ccd23309ef29a3b48360484cee6da610d863c59818f6086a620b8ea57038423f10

memory/1672-283-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1280-282-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1672-288-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1672-293-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Qflhbhgg.exe

MD5 17fd319ce59094346d7dcd30187146b2
SHA1 67d96946e3a1d8bc25f352b24db39b1f1f6d041e
SHA256 c4890faa668839716d54642564e4f5ae5740189631908b389d98d07b0d28488f
SHA512 1954d6701d470a78da04007e6dd5dd6980d9febbe2f07499c8c2628845efa9f2204c4bfafa98e019cc0766a0cd8377799338a1de16bf466499664f68485673d8

memory/2912-294-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2912-295-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2196-299-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2196-305-0x0000000001F40000-0x0000000001F80000-memory.dmp

memory/2196-306-0x0000000001F40000-0x0000000001F80000-memory.dmp

C:\Windows\SysWOW64\Qodlkm32.exe

MD5 f22b00150b96995fbe8de4ef67f155b4
SHA1 e60d60f859c6d6fb0956ee09010b877d0a96830f
SHA256 c0cf01387416a6c531155a660d211afacbc052661d238d066e21ed7fe49371d0
SHA512 89d92f5a8173f13a0ad3b96640afe57f0119f9bd8b5e2dc7e4804bf95157029d773c9a5f83d579d874a36311a657b9214e9febcaee762306664775e623b2beff

memory/2784-316-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2784-315-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/1612-317-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Qeaedd32.exe

MD5 9ad3bd7dfa6c4ef89bd10b665a368f22
SHA1 353f1aba179ad64594ce6a1c9723aed139a0bc69
SHA256 5b3e9188240c258ad8f4efdbe29977d8595200ad2d62c191b01c9f702babd754
SHA512 4fa2b81cf8b125fcb12f4a369f002c5fb790e397235d3f324246fd4e382722e4ff4e9c74e36bab4c4ddd0d758d5fb15fa33ee1ba6811eebf567371378f4db81f

C:\Windows\SysWOW64\Qjnmlk32.exe

MD5 2e009e79167696fa7c44b12576e3afb1
SHA1 22d8ab9339badbb21e21246f798740901fca3066
SHA256 c394f17dc4eb2082e9d01b7089d91799e93fe4d4fa3fd45d37a12f5d9a51b4a5
SHA512 1ef8dd1e301d4b0702eddd08b607aedf8c4284953a63b130c1a87f8f476980e97a0c5fbba26afe398ff7ac72fe0cc38b37c599853b45d55c75f6d0c5e838d50b

memory/2692-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2300-328-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1612-327-0x0000000000300000-0x0000000000340000-memory.dmp

memory/1612-326-0x0000000000300000-0x0000000000340000-memory.dmp

C:\Windows\SysWOW64\Aniimjbo.exe

MD5 c0e913c1786833334af7db5b4e35dd26
SHA1 04d2bd4151dd858d342026699501ff2be9dfe118
SHA256 ec2744869906d0d4e13998828eb3998224929f4d52588d3c68cf4538ad730f6d
SHA512 00e7925fab3c6c4135bbb00f7cff91bc02a4f565660d87df4cb3acd8577235a8f82d8c8af6dd2c4aaede4024ee5558052f173765aa0415faa836b89d917106b1

memory/2692-338-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/320-339-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2788-345-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Aganeoip.exe

MD5 f574b3d124153bad570d6d8962bad8c1
SHA1 9db9bda53c9e8e09dcbdfbb314597e3bb06c24d8
SHA256 3cc32a8e2bccf8ba59ab879b6fdbfae3e93d160ccf239dd1002c1f14b847b6f7
SHA512 de0cfd1888f9f5462ae053add29c09ddb048e049e357dfcd58aa89a05567b98ef91c8cfc9d1e159ca1db7ed21e9fc4cf8ce69f50b2b22708791265d23bc71476

memory/320-349-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/988-350-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2648-355-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Amnfnfgg.exe

MD5 86b794b633c4d484d0862654c87a0fda
SHA1 77b647eae0755ba9e50a6580dee3cef7b7bcab1a
SHA256 1340b7e56c62ee3a6250a64feeca063ffedf8206eaaa98427034ea8bb662b762
SHA512 f2595f71d7e9380f1493e3af05c854ed0632bc04f82e4f98bfffd7a76b27751a7ddfa440068913138f042eafea4198bcedec1bd693fa0409cf2353092a63a773

memory/1796-360-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Aeenochi.exe

MD5 22b817b665167f1a48b7d4bfcc5e88fc
SHA1 52ca5a11467e34aac67f00995a63f1d3cc0088d4
SHA256 799bf140ffb030d50a4e6a5a46be6a0800da8492eddc17d77cfd57c9392c172c
SHA512 8f55c0a4412c255bc794542680229ce49674a585fc2ef74d231535797fe8a072b3d924393e08773d69fbb204cc114ae7b0afc69d66a4a363d170cbc6bff86bf3

memory/2012-372-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1272-371-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1272-370-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1272-366-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2012-382-0x00000000005D0000-0x0000000000610000-memory.dmp

C:\Windows\SysWOW64\Achojp32.exe

MD5 8a74c1902c99c7d194f91bbefa2db282
SHA1 fe26bd9ea429cf2cf18335d4ddf7fbb14956793f
SHA256 5ab538e6982c3b007ae7c5a975d670a6eaba0fdb18296e1908db8190e784dfb5
SHA512 27aa3787d1bec8780f27b2bb756caf8b01e8ac1c0af40cb799230fed14738c964f32582cd25f062a8b4c5668f26ecbbdc086fc5e3cf76219b031be103bfd4250

memory/2832-384-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2012-383-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/1796-378-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2880-394-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1868-393-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ajbggjfq.exe

MD5 863a6f203629f6c345defbd466f73c50
SHA1 39470106f77d1b632f103eedbb5477001ae44170
SHA256 fc0dbdf6304ac3e32cfcc3abfd30a171010510e164bfb0eb18006aea8054a4ea
SHA512 70c470f071a0d277978e192b16d1225b17f195dbc8fd58e03e85a596a0b7e23b25036da4eff4ace173f41c3a58b39efd7455cea6cded7dada76960a101f75cc9

memory/1868-404-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2880-403-0x0000000000440000-0x0000000000480000-memory.dmp

memory/1524-432-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2944-435-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1524-433-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/1984-431-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Agfgqo32.exe

MD5 20c4c8a485835747efd2fc4d4a4a0dcd
SHA1 d636a34c5f7a9442e0c44844ad6a9d2f1e55e1c7
SHA256 f96935ed0d875f4d7ce1b473b65a354f7af560d28d5d9067b2b7922a1678286a
SHA512 24504cf08df4e93cd03ab4ea92eafd4d30e998a519a5cbe6cdf6fca6b5a0c99fee818a3b1adb05834a8c48d717f5e40a8568e2d40c5d58e791e6d3aa84aea149

memory/1524-429-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2228-428-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/1440-434-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2228-427-0x0000000000270000-0x00000000002B0000-memory.dmp

memory/2228-418-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Afiglkle.exe

MD5 27ee270688b9fc975084bbc047f3ff57
SHA1 313a1f4d3cf771bb76f035913437a4bdeb6ea219
SHA256 d563cf109ee797fd98048c581fc4ac418c65d54943a6a5bbb2cee2fcb8e1412b
SHA512 6495c00e53cad736816d0ccdff2202e6618fcef82507bd430f19342eb8e2ac21bc8db5bc9f129e5e5062473e0cbe9da243610f984e1e2e2e46ba399713e452cc

memory/3056-417-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2508-445-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1940-444-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2808-416-0x0000000000250000-0x0000000000290000-memory.dmp

memory/2808-415-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1260-455-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1940-456-0x0000000000250000-0x0000000000290000-memory.dmp

memory/1940-454-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Acmhepko.exe

MD5 f4a253a0800cb7057651edf59317f286
SHA1 06e0f4ce1a446a129b0ec53bb96e9c6fad83ae2c
SHA256 0c85940c15fd8a46ab080d479f2af31c36bef0547952c2b1281da6fbb6104e18
SHA512 54f8e6f0a5c38ddd3199145886fe9f441ec476f1d26072019fbd822f02fbe7f84b18e01a0a5b5cbd294ae1e77115592c7a6b9f7a938ca0835e79b68a5e182ba2

memory/3004-462-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/1308-466-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Abphal32.exe

MD5 6979bb23e964fb47bebaf19838eda981
SHA1 fbb985bade011fcb9dc01ddb00d681944c106b56
SHA256 69f744f23a4bddc01576624d1a771075bef1d838fc5e118ce080914e68038103
SHA512 3da431c7a6a767ef5ce5bd11a7c4e42ec4cfbff88d5834ddaa79729342983d7a8157bf55c3f77daf0e399fb0d0a5909e57b523a19cc23771a9378cd9dd0c8fb6

memory/1932-471-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Afkdakjb.exe

MD5 29d407b069d2c7bb2a47f4b5d4ada850
SHA1 1c13b9b3e3ed1757eba47482893ab1daba924e71
SHA256 390f46084b65c9cc96c60e95e37339db801211a9f7ca6633d8995a4543977b6f
SHA512 dbf7cb31fadaf36266839ec43d2309e9ee818ba8a393eff4b808c1613ebefcb8be2673f06bcdefac0859ea91f5f437ae940bf5e0d647c45760999390a57673aa

memory/996-478-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2208-477-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1932-476-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Windows\SysWOW64\Apoooa32.exe

MD5 8bd7cf8011c3880c7c2bff73523fa3c9
SHA1 f919253ee8dee404be61300b4612ab864ed4ab09
SHA256 cda10d83f40f36eb4800cb055655a3a11e527858ab059ecc33659e14471f93f6
SHA512 fc429a03f8f9a66ebf911b04ca2c846a30f750952955dfc0648d24f3cd406c33d1b063f695ee0ac601febb24f547de72d9b343b55bfd23026f8b75ff01633ec2

memory/2808-411-0x0000000000400000-0x0000000000440000-memory.dmp

memory/768-405-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Aaloddnn.exe

MD5 6e1e40e9dfc46ea529c70daf8e6bf36a
SHA1 dcad0058ea1e38dcf8a8ba67468e0b2dcb6ee57c
SHA256 a72084650edd90733abdf00156503a7b0bdcf2d26201dfa171174e6c687ecc78
SHA512 ab1fb733b6e8a8b39313d3d33b60311c1d54502120b31f9f2bd257bf52762e94420b8f3bc8d75b52bfc6af7891afdccdad940ecaacca24716747f6e9d20a1664

C:\Windows\SysWOW64\Acpdko32.exe

MD5 80725f2e5b1cec58df31b1feb43db3db
SHA1 840964a962400e3121e5304ddd457edb1872010a
SHA256 46256abac73a17e3ecca68b346d2506f1b6f199435befcecdc9bedbd1eadd89d
SHA512 e4ff4f5919e706864426f97da210958f0673d8fbab3096cc0f4821d745410982b1c2ddae14ebd38afb8f6723987b84419843528416957cebd14de1d1bc4ec877

memory/2344-487-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1160-492-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Abbeflpf.exe

MD5 5d7671f3b2956e8cbfe0dccadf65b715
SHA1 8acbf887be768a786eea1a7e661549aaf1951b6c
SHA256 61e47185e5cb27f19d0d778243f9752dd19092ab82fb87899c42a12eb97ee422
SHA512 48015ee7a18d601c29c43e66ced967e794fb03a4f9b1b2fed4a9e938ad178688f076e3931d42d25d358905c09c7639718acc3ef8714b1243ff422d06caa697ac

C:\Windows\SysWOW64\Afnagk32.exe

MD5 a4c38c2fb8fd233b92c4ea0512e73a77
SHA1 a41820291bf2b1eec0d7404d716932f13d25d811
SHA256 932c259cb3c7afebd6c1ac05eadccda0f54b4f8c59ff548ed66e620da9a96e1b
SHA512 79be350cf95ace59b0062ecce612c4c5c6a92832fff36585ed8374a63e20b29732414bc5a3fa30243178c433d5ef5c2a09aceb90a242c66c2c4117663abf2500

C:\Windows\SysWOW64\Bilmcf32.exe

MD5 021afba5db035a5a9155350c88e5171d
SHA1 bef8e8dd5789eaac40fea72a595946be79ae5679
SHA256 02bbcf9d0549d5c3592ab179f71852d2b2e3b028612e1594d4892846a0407a19
SHA512 59691cf7263d737a5547dc71d4d9261911e2c4803c3a1b9a895a2d36530fae625ff21752ca69325fc7f4e00857e224e8e55fb77c124bd90b55f8ff6c5d758da6

C:\Windows\SysWOW64\Bmhideol.exe

MD5 66418c80a7abc2c76cef0ecbbc94905a
SHA1 9a548db3bc323a0696a4c94c25837a2e256fb3b0
SHA256 327e6fa81c730fffd47cce4b810d62700a3a7ed12d9e0e2c74d72999c885abac
SHA512 459eca71cd443ac00bb728cbe8fac41aaad3fcaeda3afae67726f89b2669e49522f5069f5459193785954b372dc41564ca354d603358fcc85ea8f42a000c37e0

C:\Windows\SysWOW64\Blkioa32.exe

MD5 afab06f4d5a5830999a8fdc1fe6c8c4a
SHA1 5394614016c952c6e84529d582698d9d503bc14a
SHA256 a22a86b91ca67da492dc9389e89baad1f18523ffafbf42de2b92aab5054a1cfe
SHA512 ed13a42c92637599c1cac614ac3c4c9aed2e72739e9664ae2dcd21cf7c2a9135b6eafe4bf8be1fe086ea916f2c6f592807cc248f7319f2cc46c37a8f1017ddd9

C:\Windows\SysWOW64\Bbdallnd.exe

MD5 7e5358501a6bb53aa6557469d57c4b15
SHA1 d45274da7feab3f1871d9f631fa2d904560efd35
SHA256 9b7f30c09e18b815449bc26dc7f131d3fa33fd437b75498c8c2a0c5c090b343b
SHA512 049ac7331b7eeae5ff520c7378ce8caabfe4430c237a069941af85867d4dfa463935d0d0763a4242a5f02753d1e2ee5dc0b000f110d1ae2d5fe90941efb807a0

C:\Windows\SysWOW64\Becnhgmg.exe

MD5 bfe6b8c0e34843cb09cba8209d9c3048
SHA1 7bd5628a152f12b5c21615167547b8af00ab4100
SHA256 3a53d0b990df18bde970c474c68e278337c0a81d104cabd289d79765fe75aabc
SHA512 4e30d2fc923cec2ee4f5381359bf695d1b304707256ddd0103ec13d9f148b434d2582582498b2edf8885e51e8395783f2462b6e75e7f7b7a14ab9716c903c6be

C:\Windows\SysWOW64\Biojif32.exe

MD5 c696f98e5fde2569ba25decc3955cde9
SHA1 627df3bf8cba5c65ec6d8b32d324c8569e2388ba
SHA256 1c95bb5e09cd1f5fd698dc6c1668be0bafe8c6cbfe5cd444bbb4a4021ea39cff
SHA512 b4aa451fa62882934c39d1ba0709a9eaaa76c1f0a7888a35e79f7d5dd8fc1b00f689c40b5cec5857292a1d33c41c4e2290134152743fcbede7be118b989943a1

C:\Windows\SysWOW64\Bphbeplm.exe

MD5 b44911f597815a5bf19cc30771aa06e4
SHA1 49452f0aa7b3c3ae29802f8bac5af451fe06a980
SHA256 272cf086374657376512aa66a77bac0c6189a103903ada84cf25e550d9725d2f
SHA512 2d01d8e4f9005fad2babf4cedf7c8bf000c71ac2c920840e9332546debfe79972abec5162a0cc41ee07575f443c040c99e80112d81de631c4afbe7dc68da357b

C:\Windows\SysWOW64\Bnkbam32.exe

MD5 252b28bf768c7857e1156fce7660efa7
SHA1 9aacc96a3cf38a606047d328abb63138cb85c8e0
SHA256 0cb07487a0fb75caaa71a519364a16cb2005b41474bb87892c2ee0440cb10d91
SHA512 8f14a5594fcec03547644261ef540488010e226f2906080df69355acb4bcac9d4437d93745d12bbdec75e21f83865bb7994289396431896335b8255ad2998843

C:\Windows\SysWOW64\Bajomhbl.exe

MD5 e4e0f9b5cb4397573c2275c2070607ce
SHA1 a6ec5860250fda2b956c936843bcf91b84e2c6cd
SHA256 d2437fa7233d818aa6d06989a4084de0513d99e1d1b24d305e7550947e89a3be
SHA512 45a3bb7c44cc089f0f2d5341b639df84808966dadb6b586645e4ee1a05de7e11c73500f438efe840fd48bad098a099671ba6a1b54993ec0e5ad0fc90b0f04360

C:\Windows\SysWOW64\Beejng32.exe

MD5 5c0af8ee0c30c5641b1efab6cd2de2a0
SHA1 d7aae0eb271313b3a124c2b7706f817e1b8142b8
SHA256 454ca8b7e9813aae308cccdc07742abc10145a1b42daa3d7956fa6a3dce7ec24
SHA512 1f631cd004ce25558220559c4f0a97a08b85155d0f776a996b7ef60dd36242b6c518d872033dd8408036b0513915956c5f6206810588c7b1bc957fb028629a0a

C:\Windows\SysWOW64\Bhdgjb32.exe

MD5 dc5234da36e698af4d6d0a2cede231a7
SHA1 101a6308808c8c45be493ea194fe9e152cfdfd4b
SHA256 3e21dc0fb490a761216733996868ed18791ae1cc14eadded023fe4187f8ac114
SHA512 cd46c85529ba7e020181d933eceb960710e81a9c90126ee7131e3476e45628f3a46b34e44fec81b7bc9adffc50d2ad603de3cb62409d5a07cd68a75855242d2b

C:\Windows\SysWOW64\Bonoflae.exe

MD5 5cc9c186e86f8c346a771c46a9cc21be
SHA1 f8cf25177a4cad82a0adb075e3a841af6a7c1e0c
SHA256 78e5ee6f367a26112d3074562cc3009c19d9585f1ec4096a9ecb2d41f524b521
SHA512 a1e1d2ba6564cca469f56fa3e84da09d54fb42510849e8e3ab4b0db2b6884a5e3ab9b2749f1db920e7d977215387c931098c847f44061584f5e9d247e36376c7

C:\Windows\SysWOW64\Bbikgk32.exe

MD5 2a1158a19b69cf150609fa2b40cdb0b5
SHA1 1cf12debdc64212956a1a3efe8a7a29ef405140a
SHA256 7e6b1d7229c69ffa852fa971f70bd7f13a97cfacfb6754f24721e25c1a9093b9
SHA512 4588c2105cede67e066522fe8d1d3b900311bb568382554c05d16c170e024ec107dc5d0edfebd8f1e1e6ec88230d33156c3a0c925350511dbac10fbf51f1accf

C:\Windows\SysWOW64\Behgcf32.exe

MD5 6b954922eed27dc35aa9daebd7175a24
SHA1 3294ebaf0d2f0982a8062cde5d79a6f613130fe5
SHA256 ebbf7ae428cfb281bf6e3cd8d0818b78c235bc6cbbd9c6ccaaf9ae69bfd23b9f
SHA512 79e55abf676fbb85b469edeccef8451b059ad009b34051a1f1c7d3dbf72b0abc4e896663bd16f0214a2c69d96f77ebe3818aaa1e476ab247fbfbd34f66dee561

C:\Windows\SysWOW64\Bdkgocpm.exe

MD5 f23d268bd284e5e601096bec05ff418e
SHA1 490e61052d37e4ae3042fb725eb7c1998ce223d0
SHA256 2ad1df10c9b3c742d472795d20770d1eef78080af0e0806928007df2f06ade6b
SHA512 9ddce472bc7038099250beb265c6ca6e70395834ae6e143f817b44efb085f5044a640d0aebc198925840051a0c9565a7203bb87d0cfcf5ffb43cce6c6e440267

C:\Windows\SysWOW64\Bhfcpb32.exe

MD5 dcf0397ca896d80d59eb45b696a0b3b8
SHA1 f65b9860279208a1b733529ab8c137d0a881e94f
SHA256 6870548b7b9c6383363d44edd2d5bee0c28bcbe89efcedbdfdbf677538caf364
SHA512 7106d013d87da65ce69c23943271439e7e1260beb680579c50728efbb22e4284bd0aab414e3f12c2d97d07d2cafe1b0aab376eb5585fe0cbe7e5bbb620125964

C:\Windows\SysWOW64\Blaopqpo.exe

MD5 666b4a7b6e8bee7f0ce6c2db9c15e142
SHA1 c477354a7fe1588ca8a1e9ac87472688fb424390
SHA256 df8b25f8328d622d78de5f89f33838534b5c16374d2a1a8108df357b4c8078a7
SHA512 4aad9ca72859e63b695ba8a9ab5455495d595c59262e1ad8e2051ce7ce1d2b502c02c66736d3691bfd97377d3543b91249803b4f6cfd536a4435d71dcd6fb6c9

C:\Windows\SysWOW64\Boplllob.exe

MD5 9bfffcd669beb6aa9a9d5151c9601e1d
SHA1 a64a566b7ec274692281f84c9bed83a05e21ac44
SHA256 7445868a4790d35245a70fce1fd0724066c806f238adf6f1bd5eb493a2b45b35
SHA512 898ccbe458661c8a159fba8ecb6548b69106409457be3823e238f7de031c73441fcfab4ed52fcb15bf41d009601167891948f387c7c4d6a6a11de02925157ff3

C:\Windows\SysWOW64\Baohhgnf.exe

MD5 1ab75dcc3880d65b5fdd0812cbb66325
SHA1 4cc87a9efcfdbd16ebe0e42df51b35616403bddc
SHA256 716ea4aac236481259c99b4597490c55271e8d8074c2734e2449f31c8d948b92
SHA512 e356c8ecf32dfeabfefc0c3d4df4a6898f5b25eb6fd240d26b1895321643e35010306b28eb4b6130aff535eeec069259703f14699d27448400a3ff982f721b1f

C:\Windows\SysWOW64\Bhhpeafc.exe

MD5 bf365d8a81e881edd7ffaabde7dd2688
SHA1 2f36ec3b3f45a01714dde16f671495154dd0dad1
SHA256 a13dd0b872a7cc6741a8edbd5f0dbf62a9ab931b1998cb5bc0620f64365e0662
SHA512 2302976fa6f27aa719f961a4cddb6f7e61b237fd4185c23b7a262ec0a5fd03cf1b0902109510489cc33143ccfdf35177d5ca12c1bc0c69aa6344199979a193be

C:\Windows\SysWOW64\Bfkpqn32.exe

MD5 baa8f955af3d87662db8a9af3aac745c
SHA1 b864b65e880cb523c2886a2d6fcc313327ddbe7b
SHA256 0aedfd4448192bcff4c9612660e1957a31c043f47eee2d88a843c504650fd2f0
SHA512 a1d2cdc0b58d35df1dbad54431e8b76158c190965572fba0a3ecf211394671bce949e040f951873292554885d58fe5d5a0c119f8ae2c530033fe9ec221814e27

C:\Windows\SysWOW64\Bobhal32.exe

MD5 b91bbfab038cb60450bbc88e3ec38a05
SHA1 ae445581fe1bfa1d608b96643e147b25557be38f
SHA256 dccadf31a5fbc2934c5ac03cfba1f41768ffef2394b9232a5b604d65faaf0235
SHA512 910505e581222dfd5be600e0057ade95ee2fca0ac35dfbb880846fb0d88d7b7785dc10ee9728b6830f55a60c77885f7b0c70a6a8d8e37282d9e3bf4c992b4995

C:\Windows\SysWOW64\Bmeimhdj.exe

MD5 b6eca376ebd372fe636a86645bb63504
SHA1 fa6899d79cc7b44c7b6c12cc9fe9d73415cb2fea
SHA256 4689659ed3f621f23a1c70bef7075eb105f7cf81de33ca71b4c976bcbea4c069
SHA512 f3bf3d7f223f31c1fb01c08febc31a37ea3624bbbdfdb397de837d4815d1321037413cf899d8de63b5647e0691102f651cacdda5ee60c9e01d31afb5996e9a96

C:\Windows\SysWOW64\Chkmkacq.exe

MD5 d8e8a0393c9bf05052e926b9ee0e42b2
SHA1 6ef8fdd65b56467886e86c2f7ffe5d7355522b56
SHA256 87c15c9f5a91dae718188769af122242c6a5c7a283bbf8e6338ff09a311e5825
SHA512 b5c64bb0e1aef96f87cb68731e6fdd5bcb01267c0419d925799e14d62b6328e38f209aa0123a56d5351d34b3145bc7f94df912a0fd734412662ec4217c06087d

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 aacd736b0043dc38841099d0b854d701
SHA1 e0efed7a36dcd9164654ea1c20232b61d4a6ae2e
SHA256 bb3cb19900376eb27ec4852b21cc996e003de04121b554094f1c66f41e6a829d
SHA512 d3c334286168f90b78481c21a0343b4c175d4bd590ebd5a9075e336382076958bb9eec206c5fa912938c30a6ca4939bb4cd92780bb845456799f6d3493fa704c

C:\Windows\SysWOW64\Cilibi32.exe

MD5 54fbc61ea83352c53015d227c5cf797e
SHA1 b87ac8cf52713ef56bc6f9666d299b0d133ffdb4
SHA256 c348853b879348ea65fc98c9291e2115c2f9ad878551b6ab269651045b5c343e
SHA512 5d69c57eeaeb0567d481a70bd08f7c627ef8f0304b74cd7a6d63c14067a7141b8456197a131ed1d870e58589b086bbe8640a34ae4b1dca33d41bfa740e163b39

C:\Windows\SysWOW64\Cpfaocal.exe

MD5 512cd7dae8e7944c02c0b99884dd2308
SHA1 b9bf54f9169b936a63341f5f1c7db240c61beb5e
SHA256 47c75a0c61f20b3325877592f92b91dee6458faaca814136cfd299ff947aa453
SHA512 166366e5c94b8f08c7245c6ca9919c2060ad9982191bfdfa72397d4e0760676a8aed0e4f6193951104dd8926c502678f9bbfd71e63cc04e07a4f9cd62055c525

C:\Windows\SysWOW64\Cbdnko32.exe

MD5 62304b734b72ccca096dbdea3e70df96
SHA1 d1b23133fbca474da776f4ee73a305614bc6efd7
SHA256 39011da455ed7d99182b8f10614c579b3327d9f68432dd657bd3264ad4a9ecdc
SHA512 3a9b9500183e23b11987211ca37156e6ac0db8d5be2a6fc2b06dc7f1c5babf8acff2ec2490dc132ab9c6836a043245a3c71b45195d1e85cdcaebb8e50b875eeb

C:\Windows\SysWOW64\Cklfll32.exe

MD5 93b767c15040fc7a5a4521b122d23dbc
SHA1 a93b78e1e36434932ebd5d676c5b952da357d808
SHA256 1ff50f53d464015e73bbab6ffc51537b6e7d35746688beba30205c3002055bbe
SHA512 b5fad09637bdddfffe68aa56d59ac1ed563681d03a7415525e7bbb30956da9d69d8c1294dc4020d4162ea1d53cf7eb799eaff55495fbd329166c56b7da79a337

C:\Windows\SysWOW64\Cmjbhh32.exe

MD5 a5c58fbcfe798e6c07a86832062fc02b
SHA1 975114bae48bdbd90b87c2c41171094d93141b46
SHA256 c4d13426d3a1fde6285be38cb46ccfcd3c3a32e026a663bc949036a94612291c
SHA512 be0ab5baa67be939c9c161ea8576840c23706fcfae7a97d5493d6f8fb8e952de7bd78d9a6f2c5e3ae0a040d53e19d8905336c37165bed5114315db9687276c50

C:\Windows\SysWOW64\Cphndc32.exe

MD5 e2a940fbe81dbaa405d64ecc801ea36d
SHA1 c7858e9229c6ca04674a79b467775f92223a2fca
SHA256 ddceb4180b761456c446fbb8f2c815405c0feffc4caba91ddec90ebe33cf48d8
SHA512 f148eb386edbe16ae7c653cec7fccb0783b0f1b350f02f4cb4fc191c4aac62438a5ec496948831891561abc961fba7b02fde12b779137f5b43233abb71dcd7c3

C:\Windows\SysWOW64\Cddjebgb.exe

MD5 cd14693d395869bc8de118509b20876d
SHA1 8ad9cabd18bddc6e58a4dc7e22b28ff116d61edb
SHA256 8becf3ea6337c111b628ee608dc7c299e2e0d1a3509f9c04f270c2755abc9d1d
SHA512 bdbedc248af955b97d70d37732ab02c50d01cf8577c045de064ca7ba20cdff07a8a53f59a616b4879d3fbcc3b85897e5046c5333cc3925ad2559b68a3cb273fa

C:\Windows\SysWOW64\Cgbfamff.exe

MD5 9fdcfca3dd45fb19e1106fd458175233
SHA1 472eed129dc8c43f95cb36926b909d390466c8a2
SHA256 49af7c2138bd76917506234132545849dc66947e71487da44934444b72a10671
SHA512 634c538069f23b22f37ac408b3585d02ec8a920f4989fb1d5a208429eb29fcdef4b6c0889638913ae0aee21956b6f3556e42e2ae1b560bb808c617a8b5bc72c2

C:\Windows\SysWOW64\Ceegmj32.exe

MD5 c54ff23c441cedaa56a2fa3d824a1241
SHA1 219b46a27bbfaf1a825ee8cd0a18c4c6516ee1b3
SHA256 ed9d4d857c5cf6261f9f560a3dd8862f843e7f540fed9fd23f42c30cc93f4701
SHA512 9d45bce6e8515c50e1381ec1694888340aeba44f0bd3ade45107f2c9fb7017f259dc5a72e95c248b60ba02f41e264699e4471b302e73a9bff004d36235bb8f93

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 14:36

Reported

2024-09-16 14:38

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jibmgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Micoed32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gnqfcbnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Igdgglfl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnlkedai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mejpje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcecjmkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdbnjdfg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnjpfcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpcapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fnnjmbpm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hekgfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daediilg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eagaoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkfcndce.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Albpkc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdpjlb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcngpjh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcmlfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kijchhbo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbcjnilj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nagpeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alkijdci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocohmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpihcgoa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eibfck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpnkdq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poliea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fimhjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aihaoqlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oeokal32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target

Drops file in System32 directory

Description Indicator Process Target

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target

Modifies registry class

Description Indicator Process Target

Suspicious use of WriteProcessMemory


Processes


C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qachgk32.exe

C:\Windows\system32\Qachgk32.exe

C:\Windows\SysWOW64\Qdbdcg32.exe

C:\Windows\system32\Qdbdcg32.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Amjillkj.exe

C:\Windows\system32\Amjillkj.exe

C:\Windows\SysWOW64\Addaif32.exe

C:\Windows\system32\Addaif32.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Aojefobm.exe

C:\Windows\system32\Aojefobm.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Alnfpcag.exe

C:\Windows\system32\Alnfpcag.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Aefjii32.exe

C:\Windows\system32\Aefjii32.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Anaomkdb.exe

C:\Windows\system32\Anaomkdb.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Anclbkbp.exe

C:\Windows\system32\Anclbkbp.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Bochmn32.exe

C:\Windows\system32\Bochmn32.exe

C:\Windows\SysWOW64\Baadiiif.exe

C:\Windows\system32\Baadiiif.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Bkjiao32.exe

C:\Windows\system32\Bkjiao32.exe

C:\Windows\SysWOW64\Badanigc.exe

C:\Windows\system32\Badanigc.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Blielbfi.exe

C:\Windows\system32\Blielbfi.exe

C:\Windows\SysWOW64\Bnkbcj32.exe

C:\Windows\system32\Bnkbcj32.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bllbaa32.exe

C:\Windows\system32\Bllbaa32.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bahkih32.exe

C:\Windows\system32\Bahkih32.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Blnoga32.exe

C:\Windows\system32\Blnoga32.exe

C:\Windows\SysWOW64\Bomkcm32.exe

C:\Windows\system32\Bomkcm32.exe

C:\Windows\SysWOW64\Bffcpg32.exe

C:\Windows\system32\Bffcpg32.exe

C:\Windows\SysWOW64\Bheplb32.exe

C:\Windows\system32\Bheplb32.exe

C:\Windows\SysWOW64\Ckclhn32.exe

C:\Windows\system32\Ckclhn32.exe

C:\Windows\SysWOW64\Camddhoi.exe

C:\Windows\system32\Camddhoi.exe

C:\Windows\SysWOW64\Cfipef32.exe

C:\Windows\system32\Cfipef32.exe

C:\Windows\SysWOW64\Clchbqoo.exe

C:\Windows\system32\Clchbqoo.exe

C:\Windows\SysWOW64\Coadnlnb.exe

C:\Windows\system32\Coadnlnb.exe

C:\Windows\SysWOW64\Cbpajgmf.exe

C:\Windows\system32\Cbpajgmf.exe

C:\Windows\SysWOW64\Cleegp32.exe

C:\Windows\system32\Cleegp32.exe

C:\Windows\SysWOW64\Cocacl32.exe

C:\Windows\system32\Cocacl32.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Cdpjlb32.exe

C:\Windows\system32\Cdpjlb32.exe

C:\Windows\SysWOW64\Ckjbhmad.exe

C:\Windows\system32\Ckjbhmad.exe

C:\Windows\SysWOW64\Cnindhpg.exe

C:\Windows\system32\Cnindhpg.exe

C:\Windows\SysWOW64\Cfpffeaj.exe

C:\Windows\system32\Cfpffeaj.exe

C:\Windows\SysWOW64\Cljobphg.exe

C:\Windows\system32\Cljobphg.exe

C:\Windows\SysWOW64\Ckmonl32.exe

C:\Windows\system32\Ckmonl32.exe

C:\Windows\SysWOW64\Cbfgkffn.exe

C:\Windows\system32\Cbfgkffn.exe

C:\Windows\SysWOW64\Cdecgbfa.exe

C:\Windows\system32\Cdecgbfa.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dnmhpg32.exe

C:\Windows\system32\Dnmhpg32.exe

C:\Windows\SysWOW64\Ddgplado.exe

C:\Windows\system32\Ddgplado.exe

C:\Windows\SysWOW64\Dmohno32.exe

C:\Windows\system32\Dmohno32.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Dbkqfe32.exe

C:\Windows\system32\Dbkqfe32.exe

C:\Windows\SysWOW64\Dheibpje.exe

C:\Windows\system32\Dheibpje.exe

C:\Windows\SysWOW64\Dkceokii.exe

C:\Windows\system32\Dkceokii.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Ddligq32.exe

C:\Windows\system32\Ddligq32.exe

C:\Windows\SysWOW64\Dkfadkgf.exe

C:\Windows\system32\Dkfadkgf.exe

C:\Windows\SysWOW64\Dndnpf32.exe

C:\Windows\system32\Dndnpf32.exe

C:\Windows\SysWOW64\Ddnfmqng.exe

C:\Windows\system32\Ddnfmqng.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Dodjjimm.exe

C:\Windows\system32\Dodjjimm.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Eiloco32.exe

C:\Windows\system32\Eiloco32.exe

C:\Windows\SysWOW64\Ekkkoj32.exe

C:\Windows\system32\Ekkkoj32.exe

C:\Windows\SysWOW64\Enigke32.exe

C:\Windows\system32\Enigke32.exe

C:\Windows\SysWOW64\Efpomccg.exe

C:\Windows\system32\Efpomccg.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Eoideh32.exe

C:\Windows\system32\Eoideh32.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Eiahnnph.exe

C:\Windows\system32\Eiahnnph.exe

C:\Windows\SysWOW64\Ekodjiol.exe

C:\Windows\system32\Ekodjiol.exe

C:\Windows\SysWOW64\Ennqfenp.exe

C:\Windows\system32\Ennqfenp.exe

C:\Windows\SysWOW64\Eehicoel.exe

C:\Windows\system32\Eehicoel.exe

C:\Windows\SysWOW64\Emoadlfo.exe

C:\Windows\system32\Emoadlfo.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Eblimcdf.exe

C:\Windows\system32\Eblimcdf.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\system32\Ekdnei32.exe

C:\Windows\SysWOW64\Enbjad32.exe

C:\Windows\system32\Enbjad32.exe

C:\Windows\SysWOW64\Efjbcakl.exe

C:\Windows\system32\Efjbcakl.exe

C:\Windows\SysWOW64\Fihnomjp.exe

C:\Windows\system32\Fihnomjp.exe

C:\Windows\SysWOW64\Fpbflg32.exe

C:\Windows\system32\Fpbflg32.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fmfgek32.exe

C:\Windows\system32\Fmfgek32.exe

C:\Windows\SysWOW64\Fngcmcfe.exe

C:\Windows\system32\Fngcmcfe.exe

C:\Windows\SysWOW64\Fimhjl32.exe

C:\Windows\system32\Fimhjl32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fbelcblk.exe

C:\Windows\system32\Fbelcblk.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Glbjggof.exe

C:\Windows\system32\Glbjggof.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gejopl32.exe

C:\Windows\system32\Gejopl32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gncchb32.exe

C:\Windows\system32\Gncchb32.exe

C:\Windows\SysWOW64\Gfjkjo32.exe

C:\Windows\system32\Gfjkjo32.exe

C:\Windows\SysWOW64\Gmdcfidg.exe

C:\Windows\system32\Gmdcfidg.exe

C:\Windows\SysWOW64\Gpbpbecj.exe

C:\Windows\system32\Gpbpbecj.exe

C:\Windows\SysWOW64\Gflhoo32.exe

C:\Windows\system32\Gflhoo32.exe

C:\Windows\SysWOW64\Gmfplibd.exe

C:\Windows\system32\Gmfplibd.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gfodeohd.exe

C:\Windows\system32\Gfodeohd.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Gpgind32.exe

C:\Windows\system32\Gpgind32.exe

C:\Windows\SysWOW64\Gbeejp32.exe

C:\Windows\system32\Gbeejp32.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hlnjbedi.exe

C:\Windows\system32\Hlnjbedi.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hffken32.exe

C:\Windows\system32\Hffken32.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hoaojp32.exe

C:\Windows\system32\Hoaojp32.exe

C:\Windows\SysWOW64\Hekgfj32.exe

C:\Windows\system32\Hekgfj32.exe

C:\Windows\SysWOW64\Hbohpn32.exe

C:\Windows\system32\Hbohpn32.exe

C:\Windows\SysWOW64\Hfjdqmng.exe

C:\Windows\system32\Hfjdqmng.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Hpchib32.exe

C:\Windows\system32\Hpchib32.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Ipeeobbe.exe

C:\Windows\system32\Ipeeobbe.exe

C:\Windows\SysWOW64\Ibcaknbi.exe

C:\Windows\system32\Ibcaknbi.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Ibfnqmpf.exe

C:\Windows\system32\Ibfnqmpf.exe

C:\Windows\SysWOW64\Iedjmioj.exe

C:\Windows\system32\Iedjmioj.exe

C:\Windows\SysWOW64\Iomoenej.exe

C:\Windows\system32\Iomoenej.exe

C:\Windows\SysWOW64\Igdgglfl.exe

C:\Windows\system32\Igdgglfl.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Ilqoobdd.exe

C:\Windows\system32\Ilqoobdd.exe

C:\Windows\SysWOW64\Ickglm32.exe

C:\Windows\system32\Ickglm32.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\system32\Ilcldb32.exe

C:\Windows\SysWOW64\Jcmdaljn.exe

C:\Windows\system32\Jcmdaljn.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\system32\Jmbhoeid.exe

C:\Windows\SysWOW64\Jocefm32.exe

C:\Windows\system32\Jocefm32.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jmeede32.exe

C:\Windows\system32\Jmeede32.exe

C:\Windows\SysWOW64\Jpcapp32.exe

C:\Windows\system32\Jpcapp32.exe

C:\Windows\SysWOW64\Jgmjmjnb.exe

C:\Windows\system32\Jgmjmjnb.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Jcdjbk32.exe

C:\Windows\system32\Jcdjbk32.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jgbchj32.exe

C:\Windows\system32\Jgbchj32.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Kcidmkpq.exe

C:\Windows\system32\Kcidmkpq.exe

C:\Windows\SysWOW64\Kjblje32.exe

C:\Windows\system32\Kjblje32.exe

C:\Windows\SysWOW64\Kpmdfonj.exe

C:\Windows\system32\Kpmdfonj.exe

C:\Windows\SysWOW64\Kckqbj32.exe

C:\Windows\system32\Kckqbj32.exe

C:\Windows\SysWOW64\Kjeiodek.exe

C:\Windows\system32\Kjeiodek.exe

C:\Windows\SysWOW64\Kpoalo32.exe

C:\Windows\system32\Kpoalo32.exe

C:\Windows\SysWOW64\Kcmmhj32.exe

C:\Windows\system32\Kcmmhj32.exe

C:\Windows\SysWOW64\Kjgeedch.exe

C:\Windows\system32\Kjgeedch.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kfnfjehl.exe

C:\Windows\system32\Kfnfjehl.exe

C:\Windows\SysWOW64\Knenkbio.exe

C:\Windows\system32\Knenkbio.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Kgnbdh32.exe

C:\Windows\system32\Kgnbdh32.exe

C:\Windows\SysWOW64\Kjlopc32.exe

C:\Windows\system32\Kjlopc32.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lcdciiec.exe

C:\Windows\system32\Lcdciiec.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Lnldla32.exe

C:\Windows\system32\Lnldla32.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Lcimdh32.exe

C:\Windows\system32\Lcimdh32.exe

C:\Windows\SysWOW64\Lfgipd32.exe

C:\Windows\system32\Lfgipd32.exe

C:\Windows\SysWOW64\Lmaamn32.exe

C:\Windows\system32\Lmaamn32.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Lqojclne.exe

C:\Windows\system32\Lqojclne.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Modgdicm.exe

C:\Windows\system32\Modgdicm.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mqdcnl32.exe

C:\Windows\system32\Mqdcnl32.exe

C:\Windows\SysWOW64\Mcbpjg32.exe

C:\Windows\system32\Mcbpjg32.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mqfpckhm.exe

C:\Windows\system32\Mqfpckhm.exe

C:\Windows\SysWOW64\Mcelpggq.exe

C:\Windows\system32\Mcelpggq.exe

C:\Windows\SysWOW64\Mfchlbfd.exe

C:\Windows\system32\Mfchlbfd.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mgbefe32.exe

C:\Windows\system32\Mgbefe32.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Mgeakekd.exe

C:\Windows\system32\Mgeakekd.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nmbjcljl.exe

C:\Windows\system32\Nmbjcljl.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Nnafno32.exe

C:\Windows\system32\Nnafno32.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nncccnol.exe

C:\Windows\system32\Nncccnol.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Nfohgqlg.exe

C:\Windows\system32\Nfohgqlg.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nagiji32.exe

C:\Windows\system32\Nagiji32.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Omnjojpo.exe

C:\Windows\system32\Omnjojpo.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Ojajin32.exe

C:\Windows\system32\Ojajin32.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Opnbae32.exe

C:\Windows\system32\Opnbae32.exe

C:\Windows\SysWOW64\Ofhknodl.exe

C:\Windows\system32\Ofhknodl.exe

C:\Windows\SysWOW64\Onocomdo.exe

C:\Windows\system32\Onocomdo.exe

C:\Windows\SysWOW64\Oanokhdb.exe

C:\Windows\system32\Oanokhdb.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Oghghb32.exe

C:\Windows\system32\Oghghb32.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Ocaebc32.exe

C:\Windows\system32\Ocaebc32.exe

C:\Windows\SysWOW64\Pjkmomfn.exe

C:\Windows\system32\Pjkmomfn.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Pccahbmn.exe

C:\Windows\system32\Pccahbmn.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Ppjbmc32.exe

C:\Windows\system32\Ppjbmc32.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pjpfjl32.exe

C:\Windows\system32\Pjpfjl32.exe

C:\Windows\SysWOW64\Paiogf32.exe

C:\Windows\system32\Paiogf32.exe

C:\Windows\SysWOW64\Pplobcpp.exe

C:\Windows\system32\Pplobcpp.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Pnmopk32.exe

C:\Windows\system32\Pnmopk32.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pjdpelnc.exe

C:\Windows\system32\Pjdpelnc.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qhhpop32.exe

C:\Windows\system32\Qhhpop32.exe

C:\Windows\SysWOW64\Qjfmkk32.exe

C:\Windows\system32\Qjfmkk32.exe

C:\Windows\SysWOW64\Qaqegecm.exe

C:\Windows\system32\Qaqegecm.exe

C:\Windows\SysWOW64\Qhjmdp32.exe

C:\Windows\system32\Qhjmdp32.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Afpjel32.exe

C:\Windows\system32\Afpjel32.exe

C:\Windows\SysWOW64\Amjbbfgo.exe

C:\Windows\system32\Amjbbfgo.exe

C:\Windows\SysWOW64\Aphnnafb.exe

C:\Windows\system32\Aphnnafb.exe

C:\Windows\SysWOW64\Afbgkl32.exe

C:\Windows\system32\Afbgkl32.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Amlogfel.exe

C:\Windows\system32\Amlogfel.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Ahdpjn32.exe

C:\Windows\system32\Ahdpjn32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Amqhbe32.exe

C:\Windows\system32\Amqhbe32.exe

C:\Windows\SysWOW64\Adkqoohc.exe

C:\Windows\system32\Adkqoohc.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bgkiaj32.exe

C:\Windows\system32\Bgkiaj32.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bpdnjple.exe

C:\Windows\system32\Bpdnjple.exe

C:\Windows\SysWOW64\Bhkfkmmg.exe

C:\Windows\system32\Bhkfkmmg.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Bmjkic32.exe

C:\Windows\system32\Bmjkic32.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Bhpofl32.exe

C:\Windows\system32\Bhpofl32.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bhblllfo.exe

C:\Windows\system32\Bhblllfo.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Chkobkod.exe

C:\Windows\system32\Chkobkod.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cnhgjaml.exe

C:\Windows\system32\Cnhgjaml.exe

C:\Windows\SysWOW64\Cdbpgl32.exe

C:\Windows\system32\Cdbpgl32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dpiplm32.exe

C:\Windows\system32\Dpiplm32.exe

C:\Windows\SysWOW64\Dgcihgaj.exe

C:\Windows\system32\Dgcihgaj.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 220

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files


C:\Windows\SysWOW64\Aijnep32.exe

MD5 2301c8a92689f18e0208827671bf945b
SHA1 f3c31aa866284e9ae4879b98730e37d35e1b70d1
SHA256 4ed73abb9c59d111764626b19ecb8ac243d1a494f268752d6cd3afb1ee4b946e
SHA512 86d14a1e6d6dba68d61f3e65494cf7e5ed30bdf0048df3b4ccb30864b20a35593c90fc7f8fe52943c0468668fd8cbc29dd6e288ce61ae4c514380572272f4b0e

memory/4900-221-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2212-209-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1016-201-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2028-189-0x0000000000400000-0x0000000000440000-memory.dmp

memory/440-176-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4348-225-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Aqaffn32.exe

MD5 c27e1deb7f73d4e16676a4c7c59f15fd
SHA1 17307eb154ce2feeaf87d1150bf7784876fa50c9
SHA256 0eb2783f75db00c0537cd395cf68055b3888ee2fd79b1c8c9a43b65c24d47b49
SHA512 48c5492ce40b5bf110b13603cc5bcb4799b5b28de08a5f1d408db074945ab50c34ab7bfca02ebae3fd375ebbf84b02d9f702206a3af53f6086acf29f9669b315

memory/2684-168-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Amaqjp32.exe

MD5 b769af42a315d7579d4a8119d1e2d73d
SHA1 b292faa2486ddde534a2bbf7b6e6a000fd59deee
SHA256 6bc1edb9ac883dad7bd772229a2f99fe417367a16d15981576800fbec259455d
SHA512 1629bfbd9b562031dc892d265f96117b4040b00d49faab02b8ec93be7d9740b025b04cf71679f6dd2c18d59852be211413e4158a35314a96ff19d262dca307ae

memory/3004-160-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Aimkjp32.exe

MD5 d91447efbc813fb0da3908634e677d06
SHA1 500a41061c93b8a70851f15e14fb9cec2a01f05a
SHA256 0cd80bffe8f47516aa2aec3974b8d6476b01b5b09fdc82ea59a7cfa5c427b594
SHA512 6dd223d45d80d6acdc4460be96071f10f3b86f5178fa20ccdb0d85daacc1ec84deeadb6760b12d277f320d07cabb3a561c9ec8b58effb9599de7fa5638309e70

memory/3084-233-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bqdblmhl.exe

MD5 cfcdeab2de97ab9cae0d7b3b0d4b1255
SHA1 b99474d8df75c3150c8c8ff99addb90f27092d6e
SHA256 6b48a21d2cdcb98ff1294cfd28baf2df31bcedfdd4b24a7debd3101aaa3c2694
SHA512 15ec8f93f0216ab8b58fc6eb7b84b0f1a5c31dd053250677c4aa691305b285cb123344843e3d5bcd141be0b3eba7528399bb08eac5cb4aa042b619af0e824172

memory/3724-240-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bjlgdc32.exe

MD5 12945afb15b8c6c0ff5a28d0365aa2c9
SHA1 5c4bb1b69f34ee80545faa5fd3b135ac11de86f3
SHA256 243f8412c36ecfe82a48606be807db899af36c78ce947ce2185fcb0e1ec2fc6f
SHA512 6101d17897c8c01f81f0cde922330af3f1cfce34d3ab515a1649c22b2fa1f9ac8087d811e69bff0e62a4f5d912c630d936fa5beae038e20c2c3f977ab422c852

memory/4040-249-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Boipmj32.exe

MD5 b10e1cad1d37de66520bc01d13e6bb84
SHA1 5e19f6e2a247545711bce6843b30724565912b62
SHA256 58699352dab926a55f1f27d1b0ea862ec250d071ac60139d36650b3b2fd9fba3
SHA512 225798e2e6edde61a8eb99143200472a0a23fb868264fa693d3c7e455bd2563dafb3e3931aa7f076416f1f10a0557533fcd8458c0ee4d40caff1f604b20a8f60

memory/684-256-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1432-263-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3612-269-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Bpnihiio.exe

MD5 f99b4ce831475880e149daa075235b28
SHA1 c9e07ef01c9a8b22bd5f1b997a8a24665cb0e0af
SHA256 1c8f096558e99f4f671acdeb0f7f2ff96b101d8cee8f92a907280d1ee13f482f
SHA512 93ca2705b15820541c5c7b0dfcbf8d50654a3b46c3dba4a9ef20afb903f3f57598bf07fc8975aeeabbadfe52288e6f49bbef05d35c56fce174b704a2ac3ee59d

memory/2036-275-0x0000000000400000-0x0000000000440000-memory.dmp

memory/540-281-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4800-287-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2116-293-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1084-299-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Cpeohh32.exe

MD5 6fd4e1b26d1ecae6039c0b99aaf663af
SHA1 e12de85c6bd36a4d908490783a477b06d63c5493
SHA256 b2e311d62cf10b770782a54c63a89c7085058dc0a2684c1aea93301aa1354f97
SHA512 9a50a6b6d6075bd8c6fef302418206f999cba4bfd5fd00de006beadc53243970dcfde1a93f3779073530aa0851051c805c3bc2fdda161cf19f174ed525f1a210

memory/4364-305-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3816-311-0x0000000000400000-0x0000000000440000-memory.dmp

memory/888-317-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3732-323-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4276-329-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1440-335-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2220-345-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4848-347-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2260-353-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3264-363-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4324-365-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4668-371-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2936-377-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2592-383-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Daediilg.exe

MD5 6bfc5b50e3353f89484527f03fbdac2b
SHA1 69448ce4d36f39d71c99d5c990eaca31d0a31b89
SHA256 618f41077272c54bf6f7c47b5ae2e409a8fbcf5a0738ee1283eda4b0a753f4c7
SHA512 9ae71adc2afa252a2782b4bb73e7ddbb232296b690926226d1b4bcf66fb1fa5030626b8cbc9a17efba5fb1a49cb9c5a04738d9e8a1c2163067319d4eb836f245

memory/2504-389-0x0000000000400000-0x0000000000440000-memory.dmp

memory/988-395-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1260-401-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4520-407-0x0000000000400000-0x0000000000440000-memory.dmp

memory/396-413-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Efffmo32.exe

MD5 9eb62ebeba78e0c4d4a305ec2b70e6a4
SHA1 81463312bb7e01a7b84ecb1d1fb10457788a3d7e
SHA256 862415461a24273fa5a5ff7e573421f9006b3a1ee7fec42ba065716f51d11c34
SHA512 7debdb38e2da225289cd16aa9b5c6c0552f9f29802cf4df98c1eb256b20c4b350a01ad3a940e99c885dcfe56210020bb451bba68cdd3d56305696ae42615a990

memory/1756-419-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2784-425-0x0000000000400000-0x0000000000440000-memory.dmp

memory/444-431-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Epagkd32.exe

MD5 889a96ffaa12f6725ee9c2fa4a6f6915
SHA1 4eff40b1746bd9b74970cf4ee623de6f820adec1
SHA256 b806c7b139a02b2a962ec19cc7e2e701d3996714fe1666a77f9f7f09735c0e24
SHA512 1913f972778824eb89d0aa33c51381dbbbc48eec78f675dece448e7b64c08526ee56db8b3a214a384006af0645990deb5a5896dd3d65678db930bd49cf6c55b4

memory/2200-437-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1284-443-0x0000000000400000-0x0000000000440000-memory.dmp

memory/220-449-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Filiii32.exe

MD5 1b6f999aadb7b989a7970f6845f27819
SHA1 fd6e593d4b6dfb5a57a52d5cee4cbacd4d9f01cd
SHA256 6b7c05f77292cb6eb3c583ac2238e8612a486324e08dd09057ab312751812335
SHA512 4493a0930c5bd35f4797c9fb7d8ea160037da15d14b7d4679c8742632f6af462a811b7b08fbfcda5d73d294da6cb722434c51cb394dffd84560e18b2d1a6ff2e

memory/4716-459-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1288-461-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2336-467-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Fphnlcdo.exe

MD5 a16500b7b469d414f39cd26431a53d35
SHA1 955f5f9debbed98bb1cbfe0aa39745f30ea600ac
SHA256 a99164f5cdd2d32e2a50c7349bb58a3c2c798b57f9b02d3960417439eb5d2067
SHA512 8dfa619e08b1d6cfe67d96cc39b03494ac72e84f00be4f444191aadae0f61aa174734d4292628de2404a0e5111527e5969283df68378c02445a3c9be5292215f

memory/872-473-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3016-479-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3728-485-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4384-491-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3980-497-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3808-507-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3068-515-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4140-514-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Fdkpma32.exe

MD5 39b2fa1d08de65164bd6bf96a37e5632
SHA1 df537146cc664c2834f1f8a520c07c23df524d0a
SHA256 2e7a406c6fc4a591eff6b5feac06dcc52f3c165a243d05b7a268ad6d01607bfa
SHA512 ee102e58b2d4a040ba447d69459e07746e591461f0c24f4c73e376a36f379db86287e99cd5e9bc2f7907247e1f3626f3347b0a68075d067caa49d2fc2566d09d

memory/2612-525-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3768-527-0x0000000000400000-0x0000000000440000-memory.dmp

memory/212-533-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3160-539-0x0000000000400000-0x0000000000440000-memory.dmp

memory/772-540-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1692-546-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1048-552-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2776-557-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1208-559-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2572-560-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3532-566-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2512-567-0x0000000000400000-0x0000000000440000-memory.dmp

memory/844-574-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4092-573-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Ghmbno32.exe

MD5 9a67b84129a07939cc126b2264c7b85c
SHA1 8d65c80ed5cb0778cb68d49601cb06620921f5f0
SHA256 0f09b8d32b470ff98969e5127dfeadd119fdde98e0bfe9d9822826e9c1531973
SHA512 3c35eb907c0ed0d3ecef9f5901dcedf6f99090364911db48abee24b22a715456c01c19775a5eaa3f3904096b8b142cd362155eff88ef9d92eede1f8de92bf53a

memory/4804-580-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2352-581-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4192-587-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3900-588-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Gahcmd32.exe

MD5 0e15df1e8d20418de2788a4b951fc1d6
SHA1 da1d744cc48f283e2d36452c41c2f8aefe13691b
SHA256 9fac7391e26f5f11327b9d0b13916c2f610bf67013e61161241a78546a37513a
SHA512 5c0d943e672677a94847ff324bdb0949c46b6abdacc5f74af73826fd5baacd1b3db7fe498b9afc8563fe650c4119af9f90a72b91130dc2e9d85e07e2b9c54d0a

memory/432-594-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Hhfedm32.exe

MD5 9bcd961e3aada8f55ca43fa54eb9accd
SHA1 16eee16d229ee3d0c53834c5c0dc268a784731af
SHA256 82a30d43dd1f75fcbfe3267dd84d426f8c8d981b5bbf0ec27808db02a2959965
SHA512 89ef6f84468102e8f82dc9dd8f7dd1a3bfbb5cf84c561c7ac6a2d3a7cb68dcd458b8a10aa6066a693caf5e525b7c184aeb6a6a0f8ac5ba348a3c798ab2daee86

C:\Windows\SysWOW64\Haoimcgg.exe

MD5 5712f35d3c4e52e7e1da17d0e197d8da
SHA1 91717b93f71fbcad7eb09eee9e7656be8caa3271
SHA256 15c19d73d17780c47ebb728cfaede1c1453262319549bcd61d502d4b997d0e31
SHA512 bd291ab0072e1d61be5b3d2b61bcd6bc75238e905f4e8baa77366dbbc41752c6062395c8a8563ae9f18c42d35f405cacba19b4e7e1d665b6e5c37dd20bbbbe22

C:\Windows\SysWOW64\Iddljmpc.exe

MD5 b9fd355028fcf3ab4c4bedba1a97dfd8
SHA1 4ebba735fd13d5a330162168543dbae6ad1de41b
SHA256 006790e6da3356b327ae59aaaf1f55a40b3b821e55b94cb6365910cc89928836
SHA512 ce28bdd15fbf114bb7cc3068d5574635ad921da3c93c4a1282a10ae15365a24782dbcb19c2133c6eb85445e057db61d62979fe14c2c901aea667a0b97b324fac

C:\Windows\SysWOW64\Ijcahd32.exe

MD5 4973598c05d169b3f6c4f722d207e9cd
SHA1 dc98b24f3e9847d9aedb3b32cf63704469f792ef
SHA256 47a69c178e726236f6e34c5d09992faa4d4ad9fe908ddc68f34a79dc7a6e0353
SHA512 69cbbf2849265f77b3c6da6f027189c20e0538d476e4c0beaca89bc519aef7d4d51eadb4ec685f1704b4861f650c82014b797e6bac10e1d68c7804dbce8b9a0d

C:\Windows\SysWOW64\Ikejgf32.exe

MD5 d9d63ef3e54a70e6eab1aef54d9d300c
SHA1 5989a65f723a2012251e8ed8e51ca53f43689fd0
SHA256 568c695c2ec8c694cd84bdbce2d1c5057dc39a77adca939386e1b0bbdc6789f0
SHA512 ab740028ad6252fade220c5ee5fbdf2ced363cf6e11aa09c0eebcd5e23270088a6c80b8d92a69224a7bec4ec89bd93d4639377d90e79b4415066f3c3d0b0850b

C:\Windows\SysWOW64\Jqdoem32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Jhpqaiji.exe

MD5 e6612df87172f819111f0817c0e7b4a8
SHA1 c6b194ccfbd2683496d64375a2af6f3f9286fd7f
SHA256 530c73efd938a6724b71ecf01b0dc16cb3492d4ab7e449a1abff717420a1550f
SHA512 9d676911460047ff1db8bf71e171c86cfa3b1bb323f8a17e2190ff632738cca955e91bf7150cbb7bf7f8480b7b8903b1adbed5d4d86b4870d854ce439720f40c

C:\Windows\SysWOW64\Jjdjoane.exe

MD5 b4b30864e14fdcc7f8c1454139cf2db1
SHA1 e4bc4d3ad3b625d6dc69dc4a60a01ca761d5d958
SHA256 0d9da47f32f0af0a413d8fe67c189d3f8b00943d66c42a652fe87cb80798d47a
SHA512 3f46de52a4fe7710003e10cfd6e8f3289ffbc4c40728d2312439a374c37ac2dcade15d06ca68521f65fae6be3df0102b956c8675d0cacfb4a5cec80b826fab4c

C:\Windows\SysWOW64\Kijchhbo.exe

MD5 066df107a44a7621a4b67961e5984836
SHA1 f4fba179e77031084a66a0ae9404726c4990ac12
SHA256 5d2df77eb685cff05aa995c545428cb5420df72d94ee9350dd89b2614de2046b
SHA512 5e068520843e441ed36636c2fe70bad5b0fd1857aa00d986292589654a038dc33443333e2edc916f4d5c849cfe1d18bc99a82b492127c3b326e96b8cf217233e

C:\Windows\SysWOW64\Kkmioc32.exe

MD5 ffa8c3f06e4baba1955460709f70dd1f
SHA1 17bb4bbb144de74c87732938f280c1165131fd01
SHA256 190757d8dd087a197b5ebd90359bb8883ab8cc7c965b6e64d106d5e5d860af8c
SHA512 43dba0e0cf95dea12e7bb240c37aab336387df09f2de776ec70ff1e1a222a8223ec71ce534b4b347a608678a9b61cfd7985d9218c3365b1853bcf069c0eb131b

C:\Windows\SysWOW64\Lnbklm32.exe

MD5 08c84264bfbf46dc07bd685cc87b715f
SHA1 ac2e6e238d7341592a178f5abe6cb243ac0cc7b4
SHA256 5bf1ed6a48cee7f7e831d4db1820cbc707825ca29a6b4fdd0c1745337e1c6b21
SHA512 2aeb0350bf8196b55c06c99bd0218514c7e45bebc33184bdecd20a428b3cb167125c275b01f4added99a07c8618e3e64f25c8707d62783b63ffdfe592e7ed736

C:\Windows\SysWOW64\Mlkepaam.exe

MD5 6f22f9a042348ce6f5891a976ba26d97
SHA1 337f730de4e814ce49f15f3121b9fd83f138362d
SHA256 4a28f23b7bd63e53314d54704f6a2bb928fd87eb795cddc7f0ebfb6b0b8646cc
SHA512 3f9ccb33c9d25a7e4bcff7788f4c5b43f6bfae6e5fca4ec9d64be38720eba7811bd8ab5001d1851f7361b70ece0248b83b79a67e4f80a959a892f43e385bc679

C:\Windows\SysWOW64\Miaboe32.exe

MD5 5689df2fcb991a8f09f147a36dc1ee4f
SHA1 708f8d1e350bdc6e019028adcd0a565c5e57f367
SHA256 6393ce902815cfe77ae1eaab8e5b4ed74051d02fc0892fddeeed3b45341d53e7
SHA512 d2b80ac04faa8620e5aebdf801e4da5bf54ab5c7eebc21277a8a450ae741ce83fd24d4e403cc56e6655034bbe37efa46ce65e2ea67d382f44dd480ca439794e2

C:\Windows\SysWOW64\Nemmoe32.exe

MD5 547ade95cdc76c32bded5b4e67db6753
SHA1 50abf72761ec1a0bb829291a4816d40d708302f2
SHA256 021ca5a06b49b3e5f882039d512ace587d21763112f18b16d4dec0892a8fa400
SHA512 93c895d9a1a5ad9aa6347ecb90c214506230ca9882422d4d7cffd83008d34bd791287904b3c32cea3e67ed9b16e74dd92c78be50c8cf19b34ada524451c0fec5

C:\Windows\SysWOW64\Nijeec32.exe

MD5 accca4e4ff31a80e7ed06592eda0a785
SHA1 25df3fe34723ed21e5f2945efc5d2a2dd489861d
SHA256 d53fbb7699b786ac63dda6a9ff19b29cc3820f2e739619eb47e8d1f9a31145ed
SHA512 b42f35d32d117d010a61490243689f4d843dcc47244dca36b9584cf5ea516bca337f56461ef2a5388dfc3ce26674098e35da48b26bb6c9dc3e10137aa86eacc7

C:\Windows\SysWOW64\Nimbkc32.exe

MD5 fb42a4f2962e736cf8e5cfa65988aebf
SHA1 6e15a1dcec071101be0387364f67c314795d06f6
SHA256 5ddab8b3d11441ec8bcf957de26c2527bb6b2b06ff910785437d648cdfe26e99
SHA512 9013cf59e92b6a3725c4c59b77ee39733cdebd693a129fd1f57d09399b32ba98f9f1445fb4e9017d23a16972f7b31ba3dfe710f6a57840e7f607a346e6342eee

C:\Windows\SysWOW64\Nhbolp32.exe

MD5 0a6278546346be1ea3ae9bc19051d235
SHA1 9c7ec8919b8120fd69d32f2321766a5068b230d7
SHA256 c858504aa745a184f5116a96518ba96f347dbd74db0dfb0956565a8b370ac1de
SHA512 b75afe682b553552b0927532e72b1f6b4ba026c4eebd9f6c28d2ba865bc9a09e3c4aecf051cd7284d5ecf7c9dffdcc683f6b75649a9f910df14727f1c76ef4a9

C:\Windows\SysWOW64\Nefped32.exe

MD5 797fdb97e0d2008bae619b7da962fb4c
SHA1 0444866b4e4f85270ef6273ad34ba428d8743b4b
SHA256 2c56dde4c47dbeeb96ac385ca8cfffe1a1907726f7dc02fb96b6d3b76e14d32a
SHA512 5e6965d656b5d7a62e64549b99fe528a124a50cfbeb858f68e7aae2692f87589b43e00a74311b8c5919834c17d88d96cb55cf7558c696e28964f489dfd614cf4

C:\Windows\SysWOW64\Oidhlb32.exe

MD5 5c68b32d8fa97f3d62651ca20544fe7b
SHA1 f60135dfa4416f9b285cda6e9f995b3c509258a7
SHA256 76f1e61273bb7998d85b2d1cce6677d2fc8c5968213e744ab53c36bf2b880498
SHA512 655c850c6be785687682c5998af685893aae29f3b731a67705085764fdd3e608d2504ce22de9b5d13ed28aef782d75caeb1c30aa03d6232e6719dfbbc9fe1d40

C:\Windows\SysWOW64\Oekiqccc.exe

MD5 bcc62bf11a7b30b9e5ca8a7323345739
SHA1 7b6b5c15dcb772874f0d4e6d40287f23ac3de0e1
SHA256 065fc5d6d7357990dceb8a26c42c7acb44ba598c0def27e7df87db6341ccf7fd
SHA512 c328e4a992ee37d43d2cda27ed38be3573ceb6e9a30145eb211fb0c6498303fe70d1d2d5b8fa24271c2af18b8f1d7639c323b175522e70c6928b07f1388c4ea1

C:\Windows\SysWOW64\Obafpg32.exe

MD5 272c1a156a93ae9a973b14c521929b69
SHA1 3676449fb6e4cbcd42f43ddc9889c0f708a9a099
SHA256 8f80678dfc22b12658410fffcd4c7736067928a7c712a82b305aec629dbc37e2
SHA512 4990c5991b6bdcdceebc410045987b8fcf5e084a637acbad10a66b9b3f6b279b2a223d4fcd9ab96b1c262704d32e042aa0b870f785ccb460cbebb7102918ede4

C:\Windows\SysWOW64\Olijhmgj.exe

MD5 847bd343d9487e7d897cc4d0a9ee5d07
SHA1 081c9cd7c84500baa412f935436a1610d59c6f00
SHA256 7858baa65cf842bdde61f474e6d63385cde08cd9bf1b07fe335a55946f1652c5
SHA512 6c5066484678b914ebe73bcb9021e73d8f24420473d432a4ec6ec1bfa17649b133c45e49c6b1bab6e5481e57a264e23966efb2d7b50f27950ab32a0c7d713277

C:\Windows\SysWOW64\Plbmokop.exe

MD5 4c12c22bb21986821d3248174c5ea4b8
SHA1 d161fd393ece90a02e9ef5494917b65129c4f061
SHA256 91b198149d1896511ab27f2ca073011bbef7a73d1ab5849f03effd52426bac81
SHA512 7846a3812680977a617bd0f325d1ea519c10369fa1e9e962c6f2a6844fc1a00201973523776abec44d599b5f3cdff44d4431f03729be48eb9a645dfcb97cb002

C:\Windows\SysWOW64\Piijno32.exe

MD5 bba27374e8c052e7555f58aab8f35cb1
SHA1 bd4688604a0224406335fab866a803a4c36d347f
SHA256 302742da61923fc5bdd8444481115f55dbbc348eed367d5c5048ca000083bfdd
SHA512 18e7181c87d5bae450b4876cb70065a7e86070af3a5b5501438773f30e8ee2397d9c604915fd3a5acd989364896863d6e00dad85a35ddfc1a3a95e7b29c35592

C:\Windows\SysWOW64\Akoqpg32.exe

MD5 80c546bba68e852e04f2e795ff0b3160
SHA1 485f50a1fe117ab86e395c19831fea9a5dd0bc27
SHA256 610344c79dd0bf5f377d21bf4e7fe90a67772eabcc1de952bc92ffda81d5943f
SHA512 e60983dc9125e997448ac31a0948cd99258cf19f619f937ebc5c8d8a2b1886ddffee6ccb92374335ed87dd668f5fb01a21a57c3c59dce17166926ec42d7c42b9

C:\Windows\SysWOW64\Aomifecf.exe

MD5 cb7b1046634c3f630639c2d871ad395b
SHA1 4a8674efec30c5df36dd85e60b85110f3002debc
SHA256 846fa3aaee7cd2f05471084960f79c28b6448e1820067594e85cc957cb423460
SHA512 8ff78a1d8affa531ad685078191e793b82f2c7dc7c976bcecdb4f9dfdffd1136ec3630aa99556ecac067b7b1501b9aa258b626ff0a52cd8bed11bf9d1ed4a60f

C:\Windows\SysWOW64\Aleckinj.exe

MD5 1717944c4791f291d8a647bc2e33fe1d
SHA1 5a32df28f059204e29af3ae0427f5fb169af580f
SHA256 d9cf7c825ab40ffa99729fe8987773ec9f09f3855e4eda66b41f92a92899ab33
SHA512 50431838140bcf6435c5083b034d74f2c525e98c9abc3155c03014f2756c85e973f1573928589a7a2588e5ac70a6f9165edc917f3ae6f4eab7edc7a15cb6d377

C:\Windows\SysWOW64\Bhldpj32.exe

MD5 5d54bd505e5de40d5461832160fb7e08
SHA1 b3d7121acd63859c11ad02cb1d2646007d4617eb
SHA256 ba2036fb515f071fffff66cc98204502621780cc03d222151379cead6b4ec93b
SHA512 3bf1ee7d1a3fec55d45b0200dcd07f50e9cc6e992a5bd7b10d5989d67e64be1c277f5369daf090dcd4c2656ea836cd19dade1e914f48126b7b49dfdb456660eb

C:\Windows\SysWOW64\Bfpdin32.exe

MD5 30236c355205de8a7c16583863aa7a8b
SHA1 13c70f92667f0c868e5908fe2aeeefd4ae2a919d
SHA256 64fd5e755496c73c10179bf46ea29053f21b14578d80baf1a35621cb87a56c22
SHA512 5c8c92a4562ae26d07fde4172fd59ad36dcb6e1fa737ea39a8c1767356842cc223d3ebe45152e0b3fe1bb92eeb34961c43411ef4f270e771790c7625a12263c4

C:\Windows\SysWOW64\Bkoigdom.exe

MD5 a12b274df5f61cc998d28939ab4e50b4
SHA1 0e3abe9edccbccffad61abe21409814bb3535bb6
SHA256 f8ce1e5b914ef87f290663d48de1e900b561521b1b0b55e0125ab2c515894835
SHA512 8e893cfa308b8decc6ed3d9d465ff1175755d14776adab1d75500ed43d6f3e0e4519406c58765acbd7941f57a557cb482b9a4afce2adad5d3f751e0549e50d14

C:\Windows\SysWOW64\Bopocbcq.exe

MD5 f6e94a1f8aba1f423db4e62a43dced75
SHA1 5a85916262dec62b37853153eccfd7c80889088b
SHA256 bf9355fc7b1e24a59f6938e97880dba2b64bbd59c602fb9d58d8f6afefc0d8f2
SHA512 4e3d2afda470b86eaebffeaa26a273bb21d7ba6ea0027dd1d236645a8006c8d5894c4f8b7e304fb351f3a9ca6931cf0717d1875bb2e6999b2415a9ba1f2c8870

C:\Windows\SysWOW64\Cijpahho.exe

MD5 c9445b72e1ceb1b1795b7055c6ca6b39
SHA1 37f6230368847d468e81061a30583f9d85e40e42
SHA256 56343f7d7b5bfac0b160ee364058a4ac1b1a210cc797fa165489c97e7aa72ce5
SHA512 ec7670f162ab5dc999056acefb5af9eea8856a8f1b9eef6af075d2c1f5fff9c7e3eb44a116fc726276eefa384cb9e8e48f91fa15c8c40020d4152df5a4c558c9

C:\Windows\SysWOW64\Cmjemflb.exe

MD5 25107fe624342e55ace2a275c4ae8e4f
SHA1 6fdf36beeb495562df2b3c0e0597e8a3e8e445c2
SHA256 c134866e15ea3ac1ef5fb5522a09ec5c5d899b8cd600d935a2cf219507793b06
SHA512 fe19260976154ff06fc63df9739a28fcc7b8c665324d3c7bbf7b27462ab2820bad40481c454643755c34809af0659480e8fea7ba9d1fc3958e18666d22b54eeb

C:\Windows\SysWOW64\Dfefkkqp.exe

MD5 ce319c5e0d17d7a4d51e40c4bec38c8d
SHA1 bdeb524db5bb5d335ad52460b4e45bb9365b3339
SHA256 aa3bb76b56a665d53e582ee02488a7f8930449cc0eb543d2e3b72452914e79da
SHA512 18ea5780881c9bf4ab4f3cce7f2737c396f7d7e81dc49751447bf623a05cffd31120212a74801062c0a4fefbaab927d45bbabe085901c4fcfcfb5011a774edf4

C:\Windows\SysWOW64\Dblgpl32.exe

MD5 fb7e2db93ddd1e387692cab8554da2a0
SHA1 f78ec1b74f9b0114417aa63e5415773e39c854ef
SHA256 af236f3bdc5fa821a6c60f4cbc872ae31464bb9a1211f7fa07ca9527204c833a
SHA512 b5a9624f3eff457ffc339c9263f4ea2216aeb101e75295b137072d69268f01c7b9e82d894d64c07f83fc1e89eab7f6fc3534ed40aafe0d2b51a4ecab1b05d372

C:\Windows\SysWOW64\Dckdjomg.exe

MD5 2aad7ba3c3c45f3f8d5c04c5df43e483
SHA1 c123174bfc3796b508d7b971ec9387e1b56a518e
SHA256 533995368740fbaf1384b4bdce52d18a44f89b8d240dbb3d559da99a22bb4f86
SHA512 893aac507a6123871e18a58625d5f0965b1c2b935d01a2ec8ed181556ad2054dbd845872f63f92cacef19c383c77ba717858483e3e49f3b2077d2b3c1eb0d252

C:\Windows\SysWOW64\Dfoiaj32.exe

MD5 95bcebadbe7590ffcc91a725e8e07a5b
SHA1 ab991853683f4533dfeb2be1690ede7b48373788
SHA256 0e7c520d950425dad99080098bc8e9422b12814dd9c699725ac571524fd65b87
SHA512 512e3ff977d23fef161714710bca416a28ef7b4f862db5d5e9448b52d29ea1c1095735d8a9e8666df7510a977fd77fa7e1269bf5b1124351bc898ba7b3b7d7b8

C:\Windows\SysWOW64\Eppqqn32.exe

MD5 e98b356ae1eef5b473a485cfb4afb19b
SHA1 646406d61ea101a9149f9d9e8e7a6d531fbd4ae4
SHA256 d36c20174b78653d5ea107dc1bbfb45fa15339685e6a6fabfb5edd4d3f4527ac
SHA512 0ee8ffe8f92d7539f11841d73bab5c0a4d83d8ce3deb97a9b2c6839f9fce83b2bdecaa218b148d33e7958ec0dbcb2aa2e89898f628adb22e88c198ac2b3bc499

C:\Windows\SysWOW64\Fbajbi32.exe

MD5 c0d01db7748bfb4efd19ba149b3ce4db
SHA1 3434a4e0b0e8c21a9c68880cffdc29297f0b227f
SHA256 ebcf72da916f97be0451342476001972a0694e0b68c743b2f1f27768c9d78f31
SHA512 1413e24eebe031fc52ca10ef9dc7c4e311e61de9d7259013d1ba1941eaecc7dc6f3c58668f3ade599c2fb7a4bfdb3aaeee1b443a0227a2c6f967cff0c6c959b5

C:\Windows\SysWOW64\Fmkgkapm.exe

MD5 56c818de30970fb24716f1c650f26f41
SHA1 b84bb64fff83f62bb0c1e3be2051d43e4e45dfe9
SHA256 681dde3ae9eeb2473639b512c5c6c8cfd62dbb2dc849030fd7e126a1d446cab6
SHA512 89585c0a97a60f99417f9dcfd797563d982c93015e5340689d31440aca713d33dc4cc67d7e8b4a308bac41f5b91560ac2130868259e189d35f03c81c3d01bdf1

C:\Windows\SysWOW64\Fjadje32.exe

MD5 42c98bb2e04273f1aac65264f1df31a6
SHA1 0d8648410a225b67e1acddcd7700a95fc41d94b2
SHA256 1aee190f2a15c9d5311938a0d085dda1433b213a281367414590329cda668382
SHA512 06e379d5a10f571ec02151d6b337f734038aa1e4a595c37f956684f0fdfb5ff73ef41341fd55184da5591746fe0361134a403871c774bc733926451378a617d5

C:\Windows\SysWOW64\Gjfnedho.exe

MD5 1abd3e71bdb12209436825c94943e425
SHA1 1133ea1d6a26cf21106b554df050914af45119d8
SHA256 8b98249ccd85e06391fdedf4af198c46c0910cff26a3187c034efc2b0ea9859f
SHA512 93805c6ac95a2a2d1a4c0684d5638df6ebc2c867bccbe8d3e9e3948dbbd32071aabc885b864ae54746dd7bac7944d01fcf90ed5a64da830f844b6f482105d1d1

C:\Windows\SysWOW64\Hpofii32.exe

MD5 682f6815042c4ff01944b28357e0fb22
SHA1 12d84a23d25c0a13c3b55367b353aecf9db9c487
SHA256 39670515dddfce122673002e3436c965a09074b9351b6c1ba9d35ab1cd789efa
SHA512 389e9899c86264c0d863afcb52e2ca8538f1de1a37d7e4bb240244b931fdab87ec2d4a2059097ae97666f4e79174c22d48205d4e1c1f3ce0b8de5808650fa43c

C:\Windows\SysWOW64\Hlegnjbm.exe

MD5 4ac0d0ddc3429080d01eb14473c37365
SHA1 2e054977e0b9106d0dde26410684997439e59dba
SHA256 7396c98b73213450197ad00e4e0710590713c287ebb719d907662c0dd71df099
SHA512 74ebd8e4c1486b7359f8c73c55d9757fb05444eb7d56f5551a034f281661b80f84ae515afd266e35d373dd12ed1ca0e9749815b028d158d34398d3a8b7073b8a

C:\Windows\SysWOW64\Idahjg32.exe

MD5 5b8ffb8fefc847d3d8c23da3aaa87c2a
SHA1 6693b2536f4517db66b47c57dbfe0554a1404940
SHA256 46f033b9338ac831c62dc116026344bdf047d4dc509bd47acf45124660ea50ed
SHA512 706f595cdd66190eb82695c13c327c2c1a48009b5d6eb5990a081d32a20a94374d48f5b9b988edd384ce86747986ab9716cdd8b5b54571eab200ae513e57735a

C:\Windows\SysWOW64\Ilmmni32.exe

MD5 ef3be239a9c10a146771fe009bb968a4
SHA1 4952da2e65432f27ddd8a84d9ca8674305759617
SHA256 5bba1b224eabd17c35f603644ce4bbee01802b99f76b8cc8a231f0d0a47db396
SHA512 0ec21413b6cafab8ee9ebc859eafc302eef6559f63ea67f4e9440fb5cee006c9b88d851b845647f3f13d3699c1fbda69a1368bbcca55ae21b24aa862a4bff36b

C:\Windows\SysWOW64\Ilccoh32.exe

MD5 a14de654faf1f5c7c26b81077d6960d3
SHA1 8cb76e874388c359a76fac775df941ef5ede7f78
SHA256 486b2162f3d6c2c20c21af6825d6d99c200abe3fe6edd5eae2d608cf8ad9a853
SHA512 6f61956f02211cf3058b9c356fa081d4ef1cd7267d0bba6d14974b3f9b0559f5c19b5af45c2ca7f62975ae6e7614c5de3bc59cf079f975b08444560b947b368b

C:\Windows\SysWOW64\Jjgchm32.exe

MD5 fdfc7a2bb4fc58a17d4394db80fd8cb6
SHA1 884e1036ae66c4f9af5d88f1a3353b933e716d60
SHA256 40651930b8993401c7e69fbf76c42c6864887b2aeb83f00c7c67a507d17469cc
SHA512 e19245d43c89451fcce45dd42bd0d25c07e319c73da3835d154f02b028d79fe09a3c8edbc8ca54a0d5e04a9955ab504e2f6a1c9306c617cab96dcb28544580ac

C:\Windows\SysWOW64\Jcgnbaeo.exe

MD5 23646e48ef192beeaf0e127908b8d5f0
SHA1 c1f87d743f4ccb4f9d9ebe8259dfb69bf02c196e
SHA256 d872c374428bf84f8d3cb906eed3763da783aca9af92f83c7d94bbc3eee05394
SHA512 c108c4c50bb1f41d2108ad8e7ab953a329667ea8512bc5656311a8f9b005f93372e339d7317f250c6198d97fb6d5e8cf52431a69a8995b0e889b26178ebaa65f

C:\Windows\SysWOW64\Kmfhkf32.exe

MD5 ee0cc8416ed1544434ef75a31cf76a51
SHA1 af0036927ebcda16dcb8ab3e614fdc79c6c393f6
SHA256 8822ac2a4c317823f4cc7a50f1d68651b14d29d6dc12dce8b11907d12acd12ea
SHA512 a2d549bc51594452618f05fecf466d48a019d8fd829589cc95f7353d3d6505cc37fd08d3c73fa217eb8175d91d6e7fabec7d8e183b61b35944d6b624edc5abc0

C:\Windows\SysWOW64\Kqfngd32.exe

MD5 b933bcbb7188a86654e64d73e1b8579f
SHA1 3818f69120c927866af7a52a610bce3ed4af3fbf
SHA256 463ca2dc8769062d73bbbe7baf1d710a7f6d254c8f5d7f49ed47254308d9aebe
SHA512 83844564a4a6159b8d7ea7314ce47c55dc32296e8a144b49251349173171fef5cc66cd8207bb9d4db9aeb252ecf58fe0ef3f35263a8b51cd7fdfc222e6657eeb

C:\Windows\SysWOW64\Ljclki32.exe

MD5 4cddf736cc8210b380af70221da78964
SHA1 4ca07a9b9eea31fb91e6e2200e109fb2a42eeca2
SHA256 d96f176423bc6282b0941855e27d95dd2ac9714a6f607ea1bbed5846dc553477
SHA512 0ecfefa6b4d0544c99d217512e36aae69c17e1bfb2c45712f3ce60d64568471d76f344e4d5076a2810523a1625281e54a8e9ffb61b2200447f40a22b5abe1576

C:\Windows\SysWOW64\Mkjnfkma.exe

MD5 d7ed55bb7591b6e4bf5d902602863b74
SHA1 b3dcdb3704853b229716a13364353da891f00e34
SHA256 3aebd515b125d8dcc55db960d9bc1efb6a460bda82d1cda7684c693f02a64771
SHA512 3ad0b9b14d0974d4c13e9baeb6fc28b444b9737504a87ab343f4eb349a8aa84b4f2f85888302f3b6b71102998d6afda4149cce0dd53b5c8d5615a4ab0d9dc5a5

C:\Windows\SysWOW64\Mchppmij.exe

MD5 3a391f36c08348f0536198708d3c52f0
SHA1 a4dd669784c40b8aa38da0ceb29b8e177fc2903e
SHA256 d6d706c406cee6c92af6aa324bc60cfff007fab7403b7e548b27fd81f73a9d5a