Malware Analysis Report

2025-03-15 08:31

Sample ID 240916-s3d32swakm
Target Backdoor.Win32.Berbew.pzb4fc0befdf4a2c8a9f4aaf98732f61e9049f5c614f91d185e2ffd0ab0378291bN
SHA256 b4fc0befdf4a2c8a9f4aaf98732f61e9049f5c614f91d185e2ffd0ab0378291b
Tags
berbew backdoor discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

b4fc0befdf4a2c8a9f4aaf98732f61e9049f5c614f91d185e2ffd0ab0378291b

Threat Level: Known bad

The file Backdoor.Win32.Berbew.pzb4fc0befdf4a2c8a9f4aaf98732f61e9049f5c614f91d185e2ffd0ab0378291bN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 15:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 15:38

Reported

2024-09-16 15:41

Platform

win7-20240708-en

Max time kernel

145s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmggnm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qepdbpii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afkcqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbhepfbq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Affjehkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnbkgech.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jifmgman.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kiponlic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfjipe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlbadj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlejhmge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oqnfbo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnflff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omdfgq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Paelcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bedjmcgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bghcjk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgoojgai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbfllc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oipdhm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oghnoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Okoqdi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqnfbo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogjkei32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adjkol32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfjmaapg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kamahn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nohpph32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbfllc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkoepj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bomneh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnpmgq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onaflccf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdqhin32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apchim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgeppe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jiiimmok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpidii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfhefc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhcfiogc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlbadj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Noajoihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdqhin32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afhgkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjkpegic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bebmgc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkoepj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnpoaeek.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmaego32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mhnkdjhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omgcmp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocakjjok.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhecnndq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mammfa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odgennoi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adeadmna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jandikbp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klnljghg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmdamojp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgobkdom.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aibjlcli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bpqgcq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmaego32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncjijhch.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jnmlgpeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgeppe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jifmgman.exe N/A
N/A N/A C:\Windows\SysWOW64\Jandikbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfjmaapg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiiimmok.exe N/A
N/A N/A C:\Windows\SysWOW64\Klgeih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfmjfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kikfbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhnkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbcjkbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Khpccibp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kllodh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfgab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kiponlic.exe N/A
N/A N/A C:\Windows\SysWOW64\Klnljghg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kakdbngn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kakdbngn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kheloh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Koodlbeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmaego32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kamahn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdlmdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfjipe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loaaab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmdamojp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldnjii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkhbfcii.exe N/A
N/A N/A C:\Windows\SysWOW64\Likbap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgobkdom.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmikhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lllkckme.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpggdj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpidii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loldefjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgclfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhehnlqf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcjmkdpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mammfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mideho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlbadj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Moanpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdnfhldh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkhnef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnfjab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Membbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdpbnlbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgoojgai.exe N/A
N/A N/A C:\Windows\SysWOW64\Mofgkebk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnhgga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Madcgpao.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhnkdjhl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjohlb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mafpmp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdelik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mchldhej.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkodfeem.exe N/A
N/A N/A C:\Windows\SysWOW64\Njadab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlpamn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndgiok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncjijhch.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfhefc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnpmgq32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnmlgpeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnmlgpeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgeppe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgeppe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jifmgman.exe N/A
N/A N/A C:\Windows\SysWOW64\Jifmgman.exe N/A
N/A N/A C:\Windows\SysWOW64\Jandikbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jandikbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfjmaapg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfjmaapg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiiimmok.exe N/A
N/A N/A C:\Windows\SysWOW64\Jiiimmok.exe N/A
N/A N/A C:\Windows\SysWOW64\Klgeih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klgeih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfmjfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfmjfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kikfbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kikfbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhnkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhnkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbcjkbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbcjkbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Khpccibp.exe N/A
N/A N/A C:\Windows\SysWOW64\Khpccibp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kllodh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kllodh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfgab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbfgab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kiponlic.exe N/A
N/A N/A C:\Windows\SysWOW64\Kiponlic.exe N/A
N/A N/A C:\Windows\SysWOW64\Klnljghg.exe N/A
N/A N/A C:\Windows\SysWOW64\Klnljghg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kakdbngn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kakdbngn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kakdbngn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kakdbngn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kheloh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kheloh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Koodlbeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Koodlbeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmaego32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmaego32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kamahn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kamahn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdlmdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdlmdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfjipe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfjipe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loaaab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loaaab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmdamojp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmdamojp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldnjii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldnjii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkhbfcii.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkhbfcii.exe N/A
N/A N/A C:\Windows\SysWOW64\Likbap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Likbap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgobkdom.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgobkdom.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmikhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmikhn32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Kakdbngn.exe C:\Windows\SysWOW64\Klnljghg.exe N/A
File created C:\Windows\SysWOW64\Pffopjqh.dll C:\Windows\SysWOW64\Kamahn32.exe N/A
File created C:\Windows\SysWOW64\Jgeppe32.exe C:\Windows\SysWOW64\Jnmlgpeo.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfkblc32.exe C:\Windows\SysWOW64\Nclfpg32.exe N/A
File created C:\Windows\SysWOW64\Adeadmna.exe C:\Windows\SysWOW64\Qagehaon.exe N/A
File created C:\Windows\SysWOW64\Bpnkmadn.exe C:\Windows\SysWOW64\Bakkad32.exe N/A
File created C:\Windows\SysWOW64\Dqcapm32.dll C:\Windows\SysWOW64\Omdfgq32.exe N/A
File created C:\Windows\SysWOW64\Qhcjfb32.dll C:\Windows\SysWOW64\Qhoqolhm.exe N/A
File opened for modification C:\Windows\SysWOW64\Lpggdj32.exe C:\Windows\SysWOW64\Lllkckme.exe N/A
File created C:\Windows\SysWOW64\Mcjmkdpl.exe C:\Windows\SysWOW64\Lhehnlqf.exe N/A
File created C:\Windows\SysWOW64\Ncaokgmp.exe C:\Windows\SysWOW64\Nkjgiiln.exe N/A
File created C:\Windows\SysWOW64\Okfedq32.dll C:\Windows\SysWOW64\Oibanm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pegalaad.exe C:\Windows\SysWOW64\Pbhepfbq.exe N/A
File created C:\Windows\SysWOW64\Qfaqji32.exe C:\Windows\SysWOW64\Qhoqolhm.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpnkmadn.exe C:\Windows\SysWOW64\Bakkad32.exe N/A
File created C:\Windows\SysWOW64\Bihojb32.dll C:\Windows\SysWOW64\Ofohfeoo.exe N/A
File created C:\Windows\SysWOW64\Abadeh32.exe C:\Windows\SysWOW64\Apchim32.exe N/A
File created C:\Windows\SysWOW64\Cpamgobk.dll C:\Windows\SysWOW64\Bainld32.exe N/A
File created C:\Windows\SysWOW64\Bnpoaeek.exe C:\Windows\SysWOW64\Bomneh32.exe N/A
File created C:\Windows\SysWOW64\Ndjqeogf.dll C:\Windows\SysWOW64\Mlbadj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mafpmp32.exe C:\Windows\SysWOW64\Mjohlb32.exe N/A
File created C:\Windows\SysWOW64\Nfhefc32.exe C:\Windows\SysWOW64\Ncjijhch.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhlkmnmj.exe C:\Windows\SysWOW64\Nfmoabnf.exe N/A
File created C:\Windows\SysWOW64\Magdnija.dll C:\Windows\SysWOW64\Bdlccoje.exe N/A
File created C:\Windows\SysWOW64\Connaf32.dll C:\Windows\SysWOW64\Mideho32.exe N/A
File created C:\Windows\SysWOW64\Nohpph32.exe C:\Windows\SysWOW64\Ndblbo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbdakh32.exe C:\Windows\SysWOW64\Bkmijk32.exe N/A
File created C:\Windows\SysWOW64\Apchim32.exe C:\Windows\SysWOW64\Ahlphpmk.exe N/A
File created C:\Windows\SysWOW64\Aocloj32.exe C:\Windows\SysWOW64\Apakdmpp.exe N/A
File created C:\Windows\SysWOW64\Kegkdc32.dll C:\Windows\SysWOW64\Bomneh32.exe N/A
File created C:\Windows\SysWOW64\Kllodh32.exe C:\Windows\SysWOW64\Khpccibp.exe N/A
File created C:\Windows\SysWOW64\Lddffk32.dll C:\Windows\SysWOW64\Lpggdj32.exe N/A
File created C:\Windows\SysWOW64\Poedhn32.dll C:\Windows\SysWOW64\Mjohlb32.exe N/A
File created C:\Windows\SysWOW64\Nbfllc32.exe C:\Windows\SysWOW64\Nbfllc32.exe N/A
File created C:\Windows\SysWOW64\Gmhamo32.dll C:\Windows\SysWOW64\Pigghpeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bebmgc32.exe C:\Windows\SysWOW64\Bbdakh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bomneh32.exe C:\Windows\SysWOW64\Bhcfiogc.exe N/A
File created C:\Windows\SysWOW64\Klgeih32.exe C:\Windows\SysWOW64\Jiiimmok.exe N/A
File created C:\Windows\SysWOW64\Kakdbngn.exe C:\Windows\SysWOW64\Klnljghg.exe N/A
File created C:\Windows\SysWOW64\Oghnoi32.exe C:\Windows\SysWOW64\Oclbok32.exe N/A
File created C:\Windows\SysWOW64\Plnmcl32.exe C:\Windows\SysWOW64\Pipqgq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhnkdjhl.exe C:\Windows\SysWOW64\Madcgpao.exe N/A
File opened for modification C:\Windows\SysWOW64\Plnmcl32.exe C:\Windows\SysWOW64\Pipqgq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pibmmp32.exe C:\Windows\SysWOW64\Pegalaad.exe N/A
File created C:\Windows\SysWOW64\Bkdokjdd.exe C:\Windows\SysWOW64\Bghcjk32.exe N/A
File created C:\Windows\SysWOW64\Lhehnlqf.exe C:\Windows\SysWOW64\Lgclfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkhnef32.exe C:\Windows\SysWOW64\Mdnfhldh.exe N/A
File created C:\Windows\SysWOW64\Nlejbdin.dll C:\Windows\SysWOW64\Mdpbnlbe.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofohfeoo.exe C:\Windows\SysWOW64\Ocakjjok.exe N/A
File created C:\Windows\SysWOW64\Lbnbahfe.dll C:\Windows\SysWOW64\Lkhbfcii.exe N/A
File created C:\Windows\SysWOW64\Mdnfhldh.exe C:\Windows\SysWOW64\Moanpe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oibanm32.exe C:\Windows\SysWOW64\Odgennoi.exe N/A
File created C:\Windows\SysWOW64\Pqhpil32.dll C:\Windows\SysWOW64\Plecdk32.exe N/A
File created C:\Windows\SysWOW64\Jmnbjpib.dll C:\Windows\SysWOW64\Aplbin32.exe N/A
File created C:\Windows\SysWOW64\Foknlg32.dll C:\Windows\SysWOW64\Aillbbdn.exe N/A
File created C:\Windows\SysWOW64\Oqnfbo32.exe C:\Windows\SysWOW64\Okamjh32.exe N/A
File created C:\Windows\SysWOW64\Injhic32.dll C:\Windows\SysWOW64\Ocakjjok.exe N/A
File created C:\Windows\SysWOW64\Bdmlne32.dll C:\Windows\SysWOW64\Apakdmpp.exe N/A
File opened for modification C:\Windows\SysWOW64\Abadeh32.exe C:\Windows\SysWOW64\Apchim32.exe N/A
File created C:\Windows\SysWOW64\Kbfgab32.exe C:\Windows\SysWOW64\Kllodh32.exe N/A
File created C:\Windows\SysWOW64\Eepeckpm.dll C:\Windows\SysWOW64\Kllodh32.exe N/A
File created C:\Windows\SysWOW64\Mkodfeem.exe C:\Windows\SysWOW64\Mchldhej.exe N/A
File created C:\Windows\SysWOW64\Eonpin32.dll C:\Windows\SysWOW64\Nclfpg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Okamjh32.exe C:\Windows\SysWOW64\Oibanm32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Bgkppkih.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plecdk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebmgc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnbkgech.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbcjkbdi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pffnfdhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omgcmp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plcfokfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bpqgcq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlbadj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njadab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppjidkcm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afdmphme.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bomneh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgobkdom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oghnoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mafpmp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjmqldee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amnemb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahlphpmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbfgab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Moanpe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kheloh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Madcgpao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oibanm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paelcn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klgeih32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kakdbngn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncaokgmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcchoj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aljinncb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bokapipc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jandikbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nclfpg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nohpph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogjkei32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pibmmp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbokaelh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qlhpjk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkhnef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjohlb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Okoqdi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odgennoi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pndoqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adeadmna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abadeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kikfbm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mideho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbmoke32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qepdbpii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Loaaab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofohfeoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kamahn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Likbap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lpidii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Membbo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndgiok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbdakh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kakdbngn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koodlbeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdlccoje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmggnm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfjmaapg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhnkdjhl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgkppkih.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lllkckme.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqnicl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknahbdc.dll" C:\Windows\SysWOW64\Oipdhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oipdhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jgeppe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Khpccibp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Klnljghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldnjii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocakjjok.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Paelcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhcfiogc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bomneh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Membbo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oeloin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jandikbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmjkh32.dll" C:\Windows\SysWOW64\Omipbpfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bghcjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onaflccf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ampbbbbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkdokjdd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbcjkbdi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Likbap32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnfjab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njadab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpidii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mchldhej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfiiea32.dll" C:\Windows\SysWOW64\Odgennoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mandkeki.dll" C:\Windows\SysWOW64\Apchim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kiponlic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olihibek.dll" C:\Windows\SysWOW64\Oghnoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pbokaelh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qjmmkgga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Piejbpgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qhoqolhm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apakdmpp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemike32.dll" C:\Windows\SysWOW64\Ldnjii32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lgclfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdpbnlbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmqbqb32.dll" C:\Windows\SysWOW64\Nfmoabnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpinhgdo.dll" C:\Windows\SysWOW64\Bebmgc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mofgkebk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Onaflccf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Plnmcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pibmmp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ampbbbbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcgcbof.dll" C:\Windows\SysWOW64\Bakkad32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jgeppe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celocqfm.dll" C:\Windows\SysWOW64\Mdnfhldh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nclfpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qagehaon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konfmebl.dll" C:\Windows\SysWOW64\Okamjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofohfeoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnbkgech.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinjbgkb.dll" C:\Windows\SysWOW64\Lmikhn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhinhn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhnnoqd.dll" C:\Windows\SysWOW64\Nlejhmge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nohpph32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfjipe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Plcfokfn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bainld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiiimmok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfoijcpb.dll" C:\Windows\SysWOW64\Kikfbm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhfpomn.dll" C:\Windows\SysWOW64\Lfjipe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obiiacpe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Jnmlgpeo.exe
PID 324 wrote to memory of 1296 N/A C:\Windows\SysWOW64\Jnmlgpeo.exe C:\Windows\SysWOW64\Jgeppe32.exe
PID 1296 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Jgeppe32.exe C:\Windows\SysWOW64\Jifmgman.exe
PID 2028 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jifmgman.exe C:\Windows\SysWOW64\Jandikbp.exe
PID 2840 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Jandikbp.exe C:\Windows\SysWOW64\Jfjmaapg.exe
PID 2876 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Jfjmaapg.exe C:\Windows\SysWOW64\Jiiimmok.exe
PID 2960 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Jiiimmok.exe C:\Windows\SysWOW64\Klgeih32.exe
PID 2588 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Klgeih32.exe C:\Windows\SysWOW64\Kfmjfa32.exe
PID 2216 wrote to memory of 2368 N/A C:\Windows\SysWOW64\Kfmjfa32.exe C:\Windows\SysWOW64\Kikfbm32.exe
PID 2368 wrote to memory of 840 N/A C:\Windows\SysWOW64\Kikfbm32.exe C:\Windows\SysWOW64\Knhnkc32.exe
PID 840 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Knhnkc32.exe C:\Windows\SysWOW64\Kbcjkbdi.exe
PID 2936 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Kbcjkbdi.exe C:\Windows\SysWOW64\Khpccibp.exe
PID 2928 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Khpccibp.exe C:\Windows\SysWOW64\Kllodh32.exe
PID 2796 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Kllodh32.exe C:\Windows\SysWOW64\Kbfgab32.exe
PID 2136 wrote to memory of 916 N/A C:\Windows\SysWOW64\Kbfgab32.exe C:\Windows\SysWOW64\Kiponlic.exe
PID 916 wrote to memory of 1044 N/A C:\Windows\SysWOW64\Kiponlic.exe C:\Windows\SysWOW64\Klnljghg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Jnmlgpeo.exe

C:\Windows\system32\Jnmlgpeo.exe

C:\Windows\SysWOW64\Jgeppe32.exe

C:\Windows\system32\Jgeppe32.exe

C:\Windows\SysWOW64\Jifmgman.exe

C:\Windows\system32\Jifmgman.exe

C:\Windows\SysWOW64\Jandikbp.exe

C:\Windows\system32\Jandikbp.exe

C:\Windows\SysWOW64\Jfjmaapg.exe

C:\Windows\system32\Jfjmaapg.exe

C:\Windows\SysWOW64\Jiiimmok.exe

C:\Windows\system32\Jiiimmok.exe

C:\Windows\SysWOW64\Klgeih32.exe

C:\Windows\system32\Klgeih32.exe

C:\Windows\SysWOW64\Kfmjfa32.exe

C:\Windows\system32\Kfmjfa32.exe

C:\Windows\SysWOW64\Kikfbm32.exe

C:\Windows\system32\Kikfbm32.exe

C:\Windows\SysWOW64\Knhnkc32.exe

C:\Windows\system32\Knhnkc32.exe

C:\Windows\SysWOW64\Kbcjkbdi.exe

C:\Windows\system32\Kbcjkbdi.exe

C:\Windows\SysWOW64\Khpccibp.exe

C:\Windows\system32\Khpccibp.exe

C:\Windows\SysWOW64\Kllodh32.exe

C:\Windows\system32\Kllodh32.exe

C:\Windows\SysWOW64\Kbfgab32.exe

C:\Windows\system32\Kbfgab32.exe

C:\Windows\SysWOW64\Kiponlic.exe

C:\Windows\system32\Kiponlic.exe

C:\Windows\SysWOW64\Klnljghg.exe

C:\Windows\system32\Klnljghg.exe

C:\Windows\SysWOW64\Kakdbngn.exe

C:\Windows\system32\Kakdbngn.exe

C:\Windows\SysWOW64\Kakdbngn.exe

C:\Windows\system32\Kakdbngn.exe

C:\Windows\SysWOW64\Kheloh32.exe

C:\Windows\system32\Kheloh32.exe

C:\Windows\SysWOW64\Koodlbeh.exe

C:\Windows\system32\Koodlbeh.exe

C:\Windows\SysWOW64\Kmaego32.exe

C:\Windows\system32\Kmaego32.exe

C:\Windows\SysWOW64\Kamahn32.exe

C:\Windows\system32\Kamahn32.exe

C:\Windows\SysWOW64\Kdlmdi32.exe

C:\Windows\system32\Kdlmdi32.exe

C:\Windows\SysWOW64\Lfjipe32.exe

C:\Windows\system32\Lfjipe32.exe

C:\Windows\SysWOW64\Loaaab32.exe

C:\Windows\system32\Loaaab32.exe

C:\Windows\SysWOW64\Lmdamojp.exe

C:\Windows\system32\Lmdamojp.exe

C:\Windows\SysWOW64\Ldnjii32.exe

C:\Windows\system32\Ldnjii32.exe

C:\Windows\SysWOW64\Lkhbfcii.exe

C:\Windows\system32\Lkhbfcii.exe

C:\Windows\SysWOW64\Likbap32.exe

C:\Windows\system32\Likbap32.exe

C:\Windows\SysWOW64\Lgobkdom.exe

C:\Windows\system32\Lgobkdom.exe

C:\Windows\SysWOW64\Lmikhn32.exe

C:\Windows\system32\Lmikhn32.exe

C:\Windows\SysWOW64\Lllkckme.exe

C:\Windows\system32\Lllkckme.exe

C:\Windows\SysWOW64\Lpggdj32.exe

C:\Windows\system32\Lpggdj32.exe

C:\Windows\SysWOW64\Lpidii32.exe

C:\Windows\system32\Lpidii32.exe

C:\Windows\SysWOW64\Loldefjf.exe

C:\Windows\system32\Loldefjf.exe

C:\Windows\SysWOW64\Lgclfc32.exe

C:\Windows\system32\Lgclfc32.exe

C:\Windows\SysWOW64\Lhehnlqf.exe

C:\Windows\system32\Lhehnlqf.exe

C:\Windows\SysWOW64\Mcjmkdpl.exe

C:\Windows\system32\Mcjmkdpl.exe

C:\Windows\SysWOW64\Mammfa32.exe

C:\Windows\system32\Mammfa32.exe

C:\Windows\SysWOW64\Mideho32.exe

C:\Windows\system32\Mideho32.exe

C:\Windows\SysWOW64\Mlbadj32.exe

C:\Windows\system32\Mlbadj32.exe

C:\Windows\SysWOW64\Moanpe32.exe

C:\Windows\system32\Moanpe32.exe

C:\Windows\SysWOW64\Mdnfhldh.exe

C:\Windows\system32\Mdnfhldh.exe

C:\Windows\SysWOW64\Mkhnef32.exe

C:\Windows\system32\Mkhnef32.exe

C:\Windows\SysWOW64\Mnfjab32.exe

C:\Windows\system32\Mnfjab32.exe

C:\Windows\SysWOW64\Membbo32.exe

C:\Windows\system32\Membbo32.exe

C:\Windows\SysWOW64\Mdpbnlbe.exe

C:\Windows\system32\Mdpbnlbe.exe

C:\Windows\SysWOW64\Mgoojgai.exe

C:\Windows\system32\Mgoojgai.exe

C:\Windows\SysWOW64\Mofgkebk.exe

C:\Windows\system32\Mofgkebk.exe

C:\Windows\SysWOW64\Mnhgga32.exe

C:\Windows\system32\Mnhgga32.exe

C:\Windows\SysWOW64\Madcgpao.exe

C:\Windows\system32\Madcgpao.exe

C:\Windows\SysWOW64\Mhnkdjhl.exe

C:\Windows\system32\Mhnkdjhl.exe

C:\Windows\SysWOW64\Mgalpg32.exe

C:\Windows\system32\Mgalpg32.exe

C:\Windows\SysWOW64\Mjohlb32.exe

C:\Windows\system32\Mjohlb32.exe

C:\Windows\SysWOW64\Mafpmp32.exe

C:\Windows\system32\Mafpmp32.exe

C:\Windows\SysWOW64\Mdelik32.exe

C:\Windows\system32\Mdelik32.exe

C:\Windows\SysWOW64\Mchldhej.exe

C:\Windows\system32\Mchldhej.exe

C:\Windows\SysWOW64\Mkodfeem.exe

C:\Windows\system32\Mkodfeem.exe

C:\Windows\SysWOW64\Njadab32.exe

C:\Windows\system32\Njadab32.exe

C:\Windows\SysWOW64\Nlpamn32.exe

C:\Windows\system32\Nlpamn32.exe

C:\Windows\SysWOW64\Ndgiok32.exe

C:\Windows\system32\Ndgiok32.exe

C:\Windows\SysWOW64\Ncjijhch.exe

C:\Windows\system32\Ncjijhch.exe

C:\Windows\SysWOW64\Nfhefc32.exe

C:\Windows\system32\Nfhefc32.exe

C:\Windows\SysWOW64\Nnpmgq32.exe

C:\Windows\system32\Nnpmgq32.exe

C:\Windows\SysWOW64\Nqnicl32.exe

C:\Windows\system32\Nqnicl32.exe

C:\Windows\SysWOW64\Noajoihl.exe

C:\Windows\system32\Noajoihl.exe

C:\Windows\SysWOW64\Nclfpg32.exe

C:\Windows\system32\Nclfpg32.exe

C:\Windows\SysWOW64\Nfkblc32.exe

C:\Windows\system32\Nfkblc32.exe

C:\Windows\SysWOW64\Nhinhn32.exe

C:\Windows\system32\Nhinhn32.exe

C:\Windows\SysWOW64\Nlejhmge.exe

C:\Windows\system32\Nlejhmge.exe

C:\Windows\SysWOW64\Nocfdhfi.exe

C:\Windows\system32\Nocfdhfi.exe

C:\Windows\SysWOW64\Ncobeg32.exe

C:\Windows\system32\Ncobeg32.exe

C:\Windows\SysWOW64\Nfmoabnf.exe

C:\Windows\system32\Nfmoabnf.exe

C:\Windows\SysWOW64\Nhlkmnmj.exe

C:\Windows\system32\Nhlkmnmj.exe

C:\Windows\SysWOW64\Nmggnm32.exe

C:\Windows\system32\Nmggnm32.exe

C:\Windows\SysWOW64\Nkjgiiln.exe

C:\Windows\system32\Nkjgiiln.exe

C:\Windows\SysWOW64\Ncaokgmp.exe

C:\Windows\system32\Ncaokgmp.exe

C:\Windows\SysWOW64\Nbdpfc32.exe

C:\Windows\system32\Nbdpfc32.exe

C:\Windows\SysWOW64\Ndblbo32.exe

C:\Windows\system32\Ndblbo32.exe

C:\Windows\SysWOW64\Nohpph32.exe

C:\Windows\system32\Nohpph32.exe

C:\Windows\SysWOW64\Nbfllc32.exe

C:\Windows\system32\Nbfllc32.exe

C:\Windows\SysWOW64\Nbfllc32.exe

C:\Windows\system32\Nbfllc32.exe

C:\Windows\SysWOW64\Ofbhlbja.exe

C:\Windows\system32\Ofbhlbja.exe

C:\Windows\SysWOW64\Oipdhm32.exe

C:\Windows\system32\Oipdhm32.exe

C:\Windows\SysWOW64\Okoqdi32.exe

C:\Windows\system32\Okoqdi32.exe

C:\Windows\SysWOW64\Obiiacpe.exe

C:\Windows\system32\Obiiacpe.exe

C:\Windows\SysWOW64\Odgennoi.exe

C:\Windows\system32\Odgennoi.exe

C:\Windows\SysWOW64\Oibanm32.exe

C:\Windows\system32\Oibanm32.exe

C:\Windows\SysWOW64\Okamjh32.exe

C:\Windows\system32\Okamjh32.exe

C:\Windows\SysWOW64\Oqnfbo32.exe

C:\Windows\system32\Oqnfbo32.exe

C:\Windows\SysWOW64\Oclbok32.exe

C:\Windows\system32\Oclbok32.exe

C:\Windows\SysWOW64\Oghnoi32.exe

C:\Windows\system32\Oghnoi32.exe

C:\Windows\SysWOW64\Onaflccf.exe

C:\Windows\system32\Onaflccf.exe

C:\Windows\SysWOW64\Omdfgq32.exe

C:\Windows\system32\Omdfgq32.exe

C:\Windows\SysWOW64\Oeloin32.exe

C:\Windows\system32\Oeloin32.exe

C:\Windows\SysWOW64\Ogjkei32.exe

C:\Windows\system32\Ogjkei32.exe

C:\Windows\SysWOW64\Ojhgad32.exe

C:\Windows\system32\Ojhgad32.exe

C:\Windows\SysWOW64\Omgcmp32.exe

C:\Windows\system32\Omgcmp32.exe

C:\Windows\SysWOW64\Ocakjjok.exe

C:\Windows\system32\Ocakjjok.exe

C:\Windows\SysWOW64\Ofohfeoo.exe

C:\Windows\system32\Ofohfeoo.exe

C:\Windows\SysWOW64\Oindba32.exe

C:\Windows\system32\Oindba32.exe

C:\Windows\SysWOW64\Omipbpfl.exe

C:\Windows\system32\Omipbpfl.exe

C:\Windows\SysWOW64\Paelcn32.exe

C:\Windows\system32\Paelcn32.exe

C:\Windows\SysWOW64\Pcchoj32.exe

C:\Windows\system32\Pcchoj32.exe

C:\Windows\SysWOW64\Pjmqldee.exe

C:\Windows\system32\Pjmqldee.exe

C:\Windows\SysWOW64\Pipqgq32.exe

C:\Windows\system32\Pipqgq32.exe

C:\Windows\SysWOW64\Plnmcl32.exe

C:\Windows\system32\Plnmcl32.exe

C:\Windows\SysWOW64\Ppjidkcm.exe

C:\Windows\system32\Ppjidkcm.exe

C:\Windows\SysWOW64\Pbhepfbq.exe

C:\Windows\system32\Pbhepfbq.exe

C:\Windows\SysWOW64\Pegalaad.exe

C:\Windows\system32\Pegalaad.exe

C:\Windows\SysWOW64\Pibmmp32.exe

C:\Windows\system32\Pibmmp32.exe

C:\Windows\SysWOW64\Pplejj32.exe

C:\Windows\system32\Pplejj32.exe

C:\Windows\SysWOW64\Pnofeghe.exe

C:\Windows\system32\Pnofeghe.exe

C:\Windows\SysWOW64\Pffnfdhg.exe

C:\Windows\system32\Pffnfdhg.exe

C:\Windows\SysWOW64\Piejbpgk.exe

C:\Windows\system32\Piejbpgk.exe

C:\Windows\SysWOW64\Plcfokfn.exe

C:\Windows\system32\Plcfokfn.exe

C:\Windows\SysWOW64\Pnabkgfb.exe

C:\Windows\system32\Pnabkgfb.exe

C:\Windows\SysWOW64\Pbmoke32.exe

C:\Windows\system32\Pbmoke32.exe

C:\Windows\SysWOW64\Pigghpeh.exe

C:\Windows\system32\Pigghpeh.exe

C:\Windows\SysWOW64\Plecdk32.exe

C:\Windows\system32\Plecdk32.exe

C:\Windows\SysWOW64\Pndoqf32.exe

C:\Windows\system32\Pndoqf32.exe

C:\Windows\SysWOW64\Pbokaelh.exe

C:\Windows\system32\Pbokaelh.exe

C:\Windows\SysWOW64\Pdqhin32.exe

C:\Windows\system32\Pdqhin32.exe

C:\Windows\SysWOW64\Qlhpjk32.exe

C:\Windows\system32\Qlhpjk32.exe

C:\Windows\SysWOW64\Qjkpegic.exe

C:\Windows\system32\Qjkpegic.exe

C:\Windows\SysWOW64\Qnflff32.exe

C:\Windows\system32\Qnflff32.exe

C:\Windows\SysWOW64\Qepdbpii.exe

C:\Windows\system32\Qepdbpii.exe

C:\Windows\SysWOW64\Qhoqolhm.exe

C:\Windows\system32\Qhoqolhm.exe

C:\Windows\SysWOW64\Qfaqji32.exe

C:\Windows\system32\Qfaqji32.exe

C:\Windows\SysWOW64\Qjmmkgga.exe

C:\Windows\system32\Qjmmkgga.exe

C:\Windows\SysWOW64\Qagehaon.exe

C:\Windows\system32\Qagehaon.exe

C:\Windows\SysWOW64\Adeadmna.exe

C:\Windows\system32\Adeadmna.exe

C:\Windows\SysWOW64\Afdmphme.exe

C:\Windows\system32\Afdmphme.exe

C:\Windows\SysWOW64\Aibjlcli.exe

C:\Windows\system32\Aibjlcli.exe

C:\Windows\SysWOW64\Amnemb32.exe

C:\Windows\system32\Amnemb32.exe

C:\Windows\SysWOW64\Aplbin32.exe

C:\Windows\system32\Aplbin32.exe

C:\Windows\SysWOW64\Abjnei32.exe

C:\Windows\system32\Abjnei32.exe

C:\Windows\SysWOW64\Affjehkb.exe

C:\Windows\system32\Affjehkb.exe

C:\Windows\SysWOW64\Ampbbbbo.exe

C:\Windows\system32\Ampbbbbo.exe

C:\Windows\SysWOW64\Alcbno32.exe

C:\Windows\system32\Alcbno32.exe

C:\Windows\SysWOW64\Adjkol32.exe

C:\Windows\system32\Adjkol32.exe

C:\Windows\SysWOW64\Afhgkg32.exe

C:\Windows\system32\Afhgkg32.exe

C:\Windows\SysWOW64\Aigcgc32.exe

C:\Windows\system32\Aigcgc32.exe

C:\Windows\SysWOW64\Ambohapm.exe

C:\Windows\system32\Ambohapm.exe

C:\Windows\SysWOW64\Apakdmpp.exe

C:\Windows\system32\Apakdmpp.exe

C:\Windows\SysWOW64\Aocloj32.exe

C:\Windows\system32\Aocloj32.exe

C:\Windows\SysWOW64\Afkcqg32.exe

C:\Windows\system32\Afkcqg32.exe

C:\Windows\SysWOW64\Aendldnh.exe

C:\Windows\system32\Aendldnh.exe

C:\Windows\SysWOW64\Ahlphpmk.exe

C:\Windows\system32\Ahlphpmk.exe

C:\Windows\SysWOW64\Apchim32.exe

C:\Windows\system32\Apchim32.exe

C:\Windows\SysWOW64\Abadeh32.exe

C:\Windows\system32\Abadeh32.exe

C:\Windows\SysWOW64\Aaddaecl.exe

C:\Windows\system32\Aaddaecl.exe

C:\Windows\SysWOW64\Aillbbdn.exe

C:\Windows\system32\Aillbbdn.exe

C:\Windows\SysWOW64\Aljinncb.exe

C:\Windows\system32\Aljinncb.exe

C:\Windows\SysWOW64\Bkmijk32.exe

C:\Windows\system32\Bkmijk32.exe

C:\Windows\SysWOW64\Bbdakh32.exe

C:\Windows\system32\Bbdakh32.exe

C:\Windows\SysWOW64\Bebmgc32.exe

C:\Windows\system32\Bebmgc32.exe

C:\Windows\SysWOW64\Bdemcpqm.exe

C:\Windows\system32\Bdemcpqm.exe

C:\Windows\SysWOW64\Bkoepj32.exe

C:\Windows\system32\Bkoepj32.exe

C:\Windows\SysWOW64\Bokapipc.exe

C:\Windows\system32\Bokapipc.exe

C:\Windows\SysWOW64\Bainld32.exe

C:\Windows\system32\Bainld32.exe

C:\Windows\SysWOW64\Bedjmcgp.exe

C:\Windows\system32\Bedjmcgp.exe

C:\Windows\SysWOW64\Bhcfiogc.exe

C:\Windows\system32\Bhcfiogc.exe

C:\Windows\SysWOW64\Bomneh32.exe

C:\Windows\system32\Bomneh32.exe

C:\Windows\SysWOW64\Bnpoaeek.exe

C:\Windows\system32\Bnpoaeek.exe

C:\Windows\SysWOW64\Bakkad32.exe

C:\Windows\system32\Bakkad32.exe

C:\Windows\SysWOW64\Bpnkmadn.exe

C:\Windows\system32\Bpnkmadn.exe

C:\Windows\SysWOW64\Bhecnndq.exe

C:\Windows\system32\Bhecnndq.exe

C:\Windows\SysWOW64\Bghcjk32.exe

C:\Windows\system32\Bghcjk32.exe

C:\Windows\SysWOW64\Bkdokjdd.exe

C:\Windows\system32\Bkdokjdd.exe

C:\Windows\SysWOW64\Bnbkgech.exe

C:\Windows\system32\Bnbkgech.exe

C:\Windows\SysWOW64\Bpqgcq32.exe

C:\Windows\system32\Bpqgcq32.exe

C:\Windows\SysWOW64\Bdlccoje.exe

C:\Windows\system32\Bdlccoje.exe

C:\Windows\SysWOW64\Bgkppkih.exe

C:\Windows\system32\Bgkppkih.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 140

Network

N/A

Files

SHA1 818e216ed797e575117a689c3ef559a526809ba3
SHA256 d903900a590cb70c94bad4d499e38cf9bb23441ecf94d07f26a5ff67a2ab741d
SHA512 4ee9570b8ada8e18005d1f84ab61766e86b96e83f7661fc881d044ae86fbff71a5ff1fb89747e9c532fcfd18242b545b93a2b76e264ce17a40154e8ec6f56b5f

C:\Windows\SysWOW64\Oeloin32.exe

MD5 b2438c2c2d3f5a541220a1fe3105e913
SHA1 9ba3f962fccef8250364e5c6488ae7ef2931f1fc
SHA256 5d3ec8c02478a63aa3b0cf3087b9524a4891db57bc22e40478bd96e38d2a66d5
SHA512 8c0b48ae05f62b78786b01ac55b13de0792d2be4c58698ac87cb5212409fd3750f93193844b8787d900342094ce7deb04b56f1796b538dcd0b013a01037cf5eb

C:\Windows\SysWOW64\Ogjkei32.exe

MD5 20c110900d4c171eb4639ae1856b7edc
SHA1 b70af9ce9ba284fcbd1b4a84c5cc93385c3620ba
SHA256 e6206d6938c84bbc74c6ce4baba32c8598331fb4a73a56c34b3034a588ff0594
SHA512 888bf8c7950e9a8782f839267ef170dc4b5c409af1f26fc36ed187048f8ba8233d869a51785d056437ca9213b4e6095e1b167cc1445d70cd9af528b74eea40ce

C:\Windows\SysWOW64\Ojhgad32.exe

MD5 6578d7ea4bf5e1dec00c7a7d7f066f1b
SHA1 d3279a9cb51a536969148c34c9c943c78772f457
SHA256 f4d201736bc365692077ce64fec5191497658095c269e37d2059f2b1689f213c
SHA512 7668246897bdcc8799c1dc28b31ba9cb21be2b8477fe7f7defa0075289ef1f2fd987c11e4951d80ab1c10be5683619f78d9250280d9fc684be6f165803475eac

C:\Windows\SysWOW64\Omgcmp32.exe

MD5 47d58cd6a597b201421edba9a1a47766
SHA1 2d52bdd80dc08a2c5aa405e318b3ef71095f7204
SHA256 a10251caa1834fe97add80f21d37a40975f77678ecd92ca6888b009f539331e3
SHA512 a52eb558af9cd47a71e07f87341631c22443b44c447b6b2e195f3a323a6162f997057a0672b6181b26ac438b0526ef79760f14398acf514b62bdce90806a99ff

C:\Windows\SysWOW64\Ocakjjok.exe

MD5 d402fef94cbf1190ecb052cd37a82eae
SHA1 b93813da1b520ad77a32bf90c4f62ebdd6a9b6cc
SHA256 754be209ccdf3873a0bca64861842ba8ee05c0a2f5d08417aa148ec820f5856b
SHA512 3ec0afe8b762f0ba7f65bb12da0b440fa7851bab76a9ceedc7202aa2604a6b73e312e1196993d9af4475a8514b80e07aae567b37b6f608ef879e73245a650957

C:\Windows\SysWOW64\Ofohfeoo.exe

MD5 99f8d3bad9b2a033275e1b67f052ee63
SHA1 650c8d7fc5e11bef38298786f839c83f46f5ef7d
SHA256 a7e63fa08460d73dbe474a6205ca9a1b41113e9c053d178f04359aaad5c2faa0
SHA512 a8dcbaa086235d0022cb7a15263b473c7315208db615ba61695d7bfc4487477b16d2a2e4883b6c93ddb0a71fd9f0553c1c0587979fbe4f212057ff1361663d5c

C:\Windows\SysWOW64\Oindba32.exe

MD5 8f3f2935e794ec60d44d9d840a6e8a6f
SHA1 b8fc99ebee41ed42321c772b76dcece72d68443c
SHA256 9a52df219482cc998944be4ab64488445be77293677e06dca7f36dfa681b2946
SHA512 8b996e402f3f0186c68cd909dc4d77b8f762d7e07e8052ee3b28564fb18bfc6a43bfe7fa9702370720a46d5d9e12ba286d7f32435c51f0476261a5c08ca3bb89

C:\Windows\SysWOW64\Omipbpfl.exe

MD5 d8d11a8dcc8d997832bb0869c235f1a6
SHA1 3e60d5787cafee982e562b988f73d0f8ea2f379b
SHA256 33a7d5b1ef4ee550e4c69e33b221b69e3e9cb128a0a54792ca33b9c3a9704314
SHA512 c2ccbcf9430a2e036c3f1a9bbf4c5e93f49db4cedbf5fa22305cd1c555771e0a80a69dd4f7b4999cdf1a625db9396864274897b65f8b28ef4ef2b07f7dec37d0

C:\Windows\SysWOW64\Paelcn32.exe

MD5 306ca82be23c61ce023de805a7af63b8
SHA1 827bc1e2e2f6b447b0b8356947868cc709124849
SHA256 bb4fd97c73a049a7c0841e47c5a54ee180a617ad6ad9d227e8a6774f13bfe750
SHA512 bf998ba0e5a9dca0458b5290acac50e703f67b74214a3719eb2a322052f35aefbaa9f5660d22f69f3da850236dcffa8c75e4ff65c281b53779ff1796cc5831d5

C:\Windows\SysWOW64\Pcchoj32.exe

MD5 7d2176f1bae9a52f21ec02aa9208d3bb
SHA1 789eeaa88c005d82e41b3f51a076456b63ca4a10
SHA256 429507dd42e460454d47b9330c2a7c89da3ab1318dde4efd7b33490cd66faf09
SHA512 012c75422b05f88f3903eb24587e2c645bea03767877d3816d49b16f6f7fd2308c7fad1b500be5663a35326eb84e926396bb754b1c63df458c3b69823872f82f

C:\Windows\SysWOW64\Pjmqldee.exe

MD5 a3fab15ea7756de3ccdc26a078a574ab
SHA1 781ef14367871726e8f6bcac21b7533a54b7d3fa
SHA256 18c2eab3cca6c85edc1b8295843c9d030f7ea9bf0cdee9bc0db7c85095967a08
SHA512 5ac2792ce4d3868d48bc558d2244106be3f881c2f33ae349ce2ff2dbf4d946c5c5eec9af2948c2179ef6237e044469c2542ad64ffa4031179222633246a87d46

C:\Windows\SysWOW64\Pipqgq32.exe

MD5 23c968068deb47f094bf2b967283790b
SHA1 b38eaaa8be9d5c1398b9a478494413751772d7f7
SHA256 14d88ffcb02915ef078ee4b5ffffe888c7571e000f7027678fd9e3ac29b50c5d
SHA512 089955701d3bb4f219a1601b4d978d846dc88c4d65faded38f270b7ac9ef4916a3ac0ccd79d94a51e4219318a929a7bf77ba2fcc59fb9376c4de76cd2513da7a

C:\Windows\SysWOW64\Plnmcl32.exe

MD5 5c563aea8c465b07ab80d1c6f1c7b037
SHA1 c97cbe98c4374eee69d282e07f65e7f9d6e52917
SHA256 e6241fa1931bc9080f50dca193cdb454f1b6eb3937f6a8308f197928266131f4
SHA512 0daf9240c9c3e86cd69a6a9d2fd53f72f1545a9c7c1db402533fa3eeacf23a4b44c1589c0290af5da57307df8782923ecf72db3e7fdeb210b4b426c66138acce

C:\Windows\SysWOW64\Ppjidkcm.exe

MD5 a5927c5023b26312e8a7dc5c567cba7c
SHA1 2884397e9b28818c0ff607ea5abf73987dc85276
SHA256 a7ea418e385d6dd2f2cd74835f035876cd3a3ba0a3cbe1c3ff85514866d81f38
SHA512 910e8a269851621562d9ac35cb18c98f64e7f9af129d0be89e581e512264132f9d70abf49eee961ea7ebaae8a078da14d6980ccfd16e3b986db9c27e8d50a5ee

C:\Windows\SysWOW64\Pbhepfbq.exe

MD5 803211fab31dd1a792f540e45e18feeb
SHA1 c483c4b01f9b9cf619678f0d19a118a6616caa6a
SHA256 01daa22e75b4ad3e8852488cae347cc103ca10067d140f2a067056d8108d5d2d
SHA512 f1dcbf23c9acd36db02061ec494dd26a7d138bb681587575e60a28f4c82f738726a6edd0e30c3a029275ec86b852e6075da75fbe1d65d545b7c598b91a8feb98

C:\Windows\SysWOW64\Pegalaad.exe

MD5 6b7295c6b783b7a1ce7b8839563f71e6
SHA1 c69681b527d6d8963c0da37996a2b1ebc97321d3
SHA256 4fbf3161d72a0eedd14aeef981c4eb29fb3c5413c45bbc2b9bc88df91f517700
SHA512 54459992725cf25ebab8ed49cd44d396b89845c086c2b8b75bca888dbe24d87e567e43f370fcb361bdea9d4f569cc66b627622029b14e2c195caabc9d307c570

C:\Windows\SysWOW64\Pibmmp32.exe

MD5 c6468ce415aa53af16d6317c8905a43e
SHA1 7f98be77e443ef74793721f7b6bc739f1eaa26e7
SHA256 1ec2a41e99ad47f56e15a5491c5dd23a435d9972f171634f768a73037acb5601
SHA512 5add560f8c75099b7c23306f0ee20ca316c5e2b3944b121964477b85d8e5aa86c5885499c90ef4390a51b85c8cdae27f0db4574540e565289d9804769153a0da

C:\Windows\SysWOW64\Pplejj32.exe

MD5 bda6f358a825cdbcc364f4d760a1a121
SHA1 2a620807ae49b60da58e096d74226bb6944194d0
SHA256 6e884ce4dc4bd32cb258247ce3f84d378786e3012b8623aec7cc7cb5501e010a
SHA512 3ffe3e379eb1d87c2a693467d65551917a411f3ba5f7f64c8c8f474998814ca9ece96ebd81503238ff36beb93eb9e01f54088101bc76ce13187b1a8855f6e265

C:\Windows\SysWOW64\Pnofeghe.exe

MD5 6249000a744a6afae0061bbccbea7c9e
SHA1 11d322cb899b7dc376527a752bbeccebf5717a82
SHA256 e161393b54e32a00641e0fc10d473ff61e02124bbd7526b8c240c7e51fe8bd7d
SHA512 675446fe78401b6583e1dddffa3b065831134f0ca1db1e3580160ddba4455c326002dba344ffddc22fca76119df324355c2a2a35cf4b30122237cb591a0ac971

C:\Windows\SysWOW64\Pffnfdhg.exe

MD5 1b382b797d3bc8ce44ee4b094689abbe
SHA1 4b0233a443d9c3267a55c49a84dcc6d5b62d0c4c
SHA256 81fbd3c3dee97afae0396a4145815fd5fd7cd72290b6c7115ca94796ff7ca0a5
SHA512 82a68a59e80098271075721e9cbf159d5d38a0569e65521b3797466fab07442086ef8826d1782ef35590430c1797b2fda48eae7d03f51d9c4e0ac01a3e483784

C:\Windows\SysWOW64\Piejbpgk.exe

MD5 dd755601912c89bfa2316e71db50da8f
SHA1 d503d89c9a8f7242ea93aae6bef439fdb549fdcc
SHA256 5701acccb3705912696a54d11f0ceeb9a5b35a55f16817c6930636a36b2138a8
SHA512 fe85b8b9b52589e6c04581cd324f92a5e5a41fd89b78df112c6ac6dc5e89b0e5eb99dd07da67bf297a9c7b07c83ce1e02f0232ac4c2524adfcc163a5ec267e73

C:\Windows\SysWOW64\Plcfokfn.exe

MD5 0ca1238885b8eaff1c0abb48a242974a
SHA1 b96455fae481388324834db764316ed1e081ae27
SHA256 33f97a8294b92beccbed37a18c348223a4f7ce75a570f8c1dda73737e0d941c5
SHA512 e9ee740a579503db54920a2f4e6fb8f881ce971c04b493e80bbbdf1ba03bbc431795a3e660be38a54addb87887f2ac4930fb1f1701e4b1040c943a5e03db21e1

C:\Windows\SysWOW64\Pnabkgfb.exe

MD5 3cc704917c74c4637ef55ac7adf06857
SHA1 9d0d978000f77c64119a1994c8da90a12640750f
SHA256 f59375f75ffce42bc9ae6e6fd832121f59346f305638e11661d91c32e6e64276
SHA512 a7a74050e32890962ef45f122cf8be9e157d7727f8ffd2a1cd5fdbdb1d75ad73d6276f1f9fb1ce4649bb09b1d60c80397797ef90e9f39aa8fb169fe40d4e47c9

C:\Windows\SysWOW64\Pbmoke32.exe

MD5 61b6584449d1c7632e505d416cbb9697
SHA1 64a31389489261a0ea2701d6293260ff14351078
SHA256 cb2efdc94d9fa54516177be920f7ae3eade6128419ee26729fee2541341e1ba5
SHA512 dff8d0ddfbdb6012cf69b734c19a14192a94d3d8cd50ec86bf108494bf67ec6adfec46a1f5d65ace08467c0f316f151bdbab5050b27ba08b2c73b815297cd5e3

C:\Windows\SysWOW64\Pigghpeh.exe

MD5 09d3673ac477c755a0cd08dcff35e902
SHA1 cd1e0ae6d3cc412a9cf5d309c93c40a47a7218e4
SHA256 0eb04b93481a5a6c74385b5a5edb19b403d8d7e3b76a7761a9c30a78a985d256
SHA512 a053e63fe418a3ac77cdd9b77d6b186093aa24933d8b07571c845d8ae10b8322fe3b03f4233ef71bd0a683cb72347b20634074a9cf6f480697bef57351ff77b0

C:\Windows\SysWOW64\Plecdk32.exe

MD5 b2d5196c3a753e0fe94b28d2ae099976
SHA1 0df83033de6e93d8b3e3c33dcc9039d4fdcbbd43
SHA256 01f71a983785ede03535fdc6c23d704798eb85f9d430e308fbb32640ed6f788d
SHA512 0c363b2fefeab915cd347ba01fe9f90cb35b4908ab63eb3254db2a05bc09de1834eb73a4abda66ec5f97f0a147d4eb88d95aa67526c48b9e8b24da9ea6ae7acc

C:\Windows\SysWOW64\Pndoqf32.exe

MD5 e23457859b100e5cd7d36179af01e5bc
SHA1 7bfe75a4d78b36ded5dbe7ac829f82d7ba7d54b0
SHA256 f58e0efc6d47c62bad6c427f1bb681e6594ab408d2aa232d468266d81a5f0fa1
SHA512 4b10a2d139ed67c7349c87dddfd5d48a48c41b56cd6c57a10a305de9216280ec3c0bc1a6dea76da07e17c3d35f5e8ef58594da1c93a234ca9f2af191b9d80be1

C:\Windows\SysWOW64\Pbokaelh.exe

MD5 cec4cdbc7cd90c9d14b4e2e4adab9441
SHA1 0f39703ec1b727ac5532c1877821f527d31e362c
SHA256 fd2ffc66ecdad685a2ebb1bea0beb3f04d14d15ff76cd73854ba398d7b3ae846
SHA512 2f10224f7925d4260990002db618ace3135333b54212674cbe62a7d59513c655177e75a157cabfa28ad8ab7539f3bdcda616292f8a61fae6cc8e7fa2e785b5d3

C:\Windows\SysWOW64\Pdqhin32.exe

MD5 737a78922501ef09077a9e572810bf8e
SHA1 6375f4bf6cb1249ef75307936e7ec1a8d7a167e2
SHA256 8940118df43f8cf5f094945b2ccfc01d3fd3eff4e018d022a5ff922612397e7e
SHA512 05ce0616a7e49fd08165bac620b8bcf5bf65d6d2736c38efeccc3777c25e9b9d2ccf302fe121a65f6677326e34e8ce35ffc5d81414ee481595a10a56d0249655

C:\Windows\SysWOW64\Qlhpjk32.exe

MD5 23a315789f8c4fa9c0f0732ef3aab690
SHA1 5456768053d2663ca97a04e464e3354ad1035ea6
SHA256 579433aacb17abfb56d47b4b01b00456d66025b4a8237ef6de26c5ce22776799
SHA512 4994bb057bdc32fc0d3287c111c05f4b5319a254fa5bd3e31f06785c411c433bf6f17072e69e8fcd5ebcbae6ad84adba41880f660c4abbe6c4ad233818375cdb

C:\Windows\SysWOW64\Qjkpegic.exe

MD5 16849a17173751b4fce0a6d98bdf0b87
SHA1 cef7ad3b68dd8cd5020c630b18b6bbd2a2c0ff1a
SHA256 f14d6c39c5c2b182066479fb3305bf5d961399713f03372423de78fa64481b2e
SHA512 74905d8b08ab1c80491a8af6c10bfbbf9e5f8c01997fcd624c9096d7a4a644a90bfaf0c514a24075ed25e077a5068ca2bcc1ba6219d2ac68503d5bcf039f77ef

C:\Windows\SysWOW64\Qnflff32.exe

MD5 134e37bfa88a76677c9bb06214464cce
SHA1 ece5d30c9f3fafe684b9de53d990c6b9a6175a3a
SHA256 e0725c95d24dc7747604ade85fa2291ffa20a3afd1c36bc99bfcac13b2b863ae
SHA512 62e4df66ac86670e3c8da31496a26239ee8eb32285ce545866e823213f5ae383aef7abf6f431bf70b564723ec62475160fe2adcf23072d208a4c26a0e7dddd47

C:\Windows\SysWOW64\Qepdbpii.exe

MD5 8140b6998d6d327236c61e4e284a4782
SHA1 e34f407d83b59f11168b70e02b979e274f7ce262
SHA256 c243b72073b7378fb34cef208cffdb8d4d4c6cd9e4eda0116d68e4a61566ad2f
SHA512 b527620152eb4e69820f2c4e18adeb6cf1f3aa0bc5edd7bd701e1c6e6be5fba527b26cbf3fc82df4b6f325bd21d1c7dcbcc3b03a58d42a828ed4f4bebba3d60f

C:\Windows\SysWOW64\Qhoqolhm.exe

MD5 597d72faebf229d85dc7128b5353d7ed
SHA1 3e644061073d7db78e55609928a722b5eb015915
SHA256 aa8c7b5f9a7166236f897fa163895ac9c41195732751a818d4ec562f87570a8b
SHA512 66c88a3a42a2d0cf3ea238a6f766b2380c34442dc3d8f6ab38ab4a6ef57269ab9fa05034de77050d4b5c67bb1f218266ae72cb81c45469d4be82434b7be69ddd

C:\Windows\SysWOW64\Qfaqji32.exe

MD5 23339658bd0fbef0a9f86be8ea134c32
SHA1 ed861f33f23ef960e8cc2063504bd8ede6e111e1
SHA256 f9f0a9d5117905a7f30f8943f9efa2f61ecdd08ded4247c04f3f248039b60f83
SHA512 02c883273d7d24b908cf0207ae0cf049c2a2c39173d8998f289890bbb1b5188f98d7d84968e25dc2ee98dbc47f78445b91b36ce1afc66ae92d345a526ec555c5

C:\Windows\SysWOW64\Qjmmkgga.exe

MD5 3def3b4957160ed1bbaeaf7772a32e9a
SHA1 c927ca74290e9aa2c2e53d029edd80d5ee30bc7d
SHA256 ee1f9f79e51872194ed84f693c370d5da4fbef1286ef86c9805a1310d3b7a106
SHA512 a759baa257518211c7f3f2fe3e2a132bdbe474c4552fcab353f5428263f38d0c060929dd8daa258f28e5d05164869785164a8ffe29085c46a98341e3c61fa796

C:\Windows\SysWOW64\Qagehaon.exe

MD5 6a2af7ceae9f0007119c64e415a1c767
SHA1 b07549aa8bb4916b4fae6673fbdb85c857f87131
SHA256 fccc50da1ceb45f6d8f98aa2f8626c2fc1560c7b28664c1c49436cabd1873876
SHA512 c867234ddfcd4ad86a3b5d8b2b9b95325f4eaaa04664081fcbeaabea2a8aefffa31cada42b2443bd9fd4c669dce7b68169184ef743c6b6dc402b8098e0e7f596

C:\Windows\SysWOW64\Adeadmna.exe

MD5 0f6544bda7af56b96e042a9ba0aceb3b
SHA1 2fece6675625902f40708d5011fdc0d270e586ee
SHA256 740bc5c64a64da08fd30dc28d6beb947d3f1867f9b37c8515ff0467de1015278
SHA512 5173a3eb908d69d9e378a9b6dfa3794b7c178acd523405f0780bfb5b0424867a34072ef7a1274649dc736e73d09e4d1d9f395986ebc3d2d9336260e671109e58

C:\Windows\SysWOW64\Afdmphme.exe

MD5 d9ccf64bd91b22e43ef2fb3d5670dbab
SHA1 56ab136d889d55433ddb2e2d508ebcb21a815342
SHA256 c184e9562ece17bb4ecbc82dbbeb5b639928281c67d4306619e41f609c81cb81
SHA512 3b28a2ea6351433fbe0d60c6daf0cf2e104bc177c7bc1355fe870961cb8d29c45e1771a11b2f5a1d68308cc93c57a74dbfacdb035e10beec87d77bb8867567a6

C:\Windows\SysWOW64\Aibjlcli.exe

MD5 d2c4b83de3e03763c81e13df97d0c850
SHA1 176dc81a7f3ff2967cbd0fa7ce59bdd5f30ba386
SHA256 1e678b7b95a8a18661ffc31a6bd5544ce6fca7022c1f26ccfa6e3b8411a5c982
SHA512 23d1cf6ac901c168239c854ce856d73d7408a4134e6c4e7267518754662cbb4d62c9ff61a5f9562c934387faba17788d1e7f2d28d33ec95bc40852ea7193a66b

C:\Windows\SysWOW64\Amnemb32.exe

MD5 f37a7b6953c1286b7e95abe4cbbaf159
SHA1 05a19f801a09556d0cbd766a2808de4624acf64d
SHA256 26852cd9c619d2ec31dd2b89123d04ddc5e28e8499d4f4ab6d2576ad6a00182e
SHA512 2862efd66421e68bdfbb107105ad8090095f2ee1a99952f94c080e5be0c31163a99c21bf71271e8013ae900ec7097737b8c70a8e5094bf7cca09748b7a9f04d9

C:\Windows\SysWOW64\Aplbin32.exe

MD5 0b78e9c4bef175aae58d6b3d2ae63403
SHA1 6b6ab9e469497e15c57c44ad2851b2cdd7e21b01
SHA256 27664f8e84984ae9996a6d0924e96d471b485e2001992414d22a40175daf971e
SHA512 98d228ff02525958d0faddd239074db6f68df600906662bd0192e046424e0b4925291bbc7524a2e23f1e804e8d385024fcc0d9587d3a158dcb09c8cd7a7654b4

C:\Windows\SysWOW64\Abjnei32.exe

MD5 eb44c7ac6248bd690bafc13bb8aa4db2
SHA1 7bdcd5fa6fc08b22e18912b2f8d0ff86b4a1cb1c
SHA256 91e4905a8909f9647f71ad337b2a2ee5b8a94849e2fab8546688582ce0a58f9c
SHA512 3776130f74e88bf134cb9619235930a531cffc55fc1e7f2aedbe775cb7f8d6ad8564243110ef33b9e6e461a9b10688d3bf84c4bb461e4f3d5af14117c854c64d

C:\Windows\SysWOW64\Affjehkb.exe

MD5 32d5f915e3ff13fe75f7ab6a0cc2c2e3
SHA1 f63afe3c7b696683be5c19a6c7120354c36faab8
SHA256 20a548eb66a107ea4780c502d65de2843352924c70a1f1741d3c8845ba31a182
SHA512 231700f0d667d0fb4025e319d9cae35284e2f4faf0cf69b600d6721815a6625d609133d89a9d15d49e862ae0125464e43b25be7d59440134de15f82f21b6ebcb

C:\Windows\SysWOW64\Ampbbbbo.exe

MD5 bf8be4704d0276a0b0451f0a71fdd32a
SHA1 089279c4b6c71d2abef0a7aee79257edfbbfbba7
SHA256 78b22d0d6a7763c56a2385f3273a7c61190c8bf4666e5e35d25e491a576d734c
SHA512 d86847d0360f70fec7b00eb92aae5c47ad1debbd2a93456d2ebd7d099016254a57977df7f822c0d756b1feea5728582b2c399e042dd044974d10787e702963aa

C:\Windows\SysWOW64\Alcbno32.exe

MD5 d8c6eb3e162ca991eadf47e5eabdf18b
SHA1 7dcd1fcb63bd52812cf9fd4997ffb51395c94831
SHA256 78313f29d5453b533150dd67e6d919a2f3d94fa08ba8a06ab5ec119d277cb986
SHA512 9765e6b706213bcb40ec110f5bb4fb93a57a0e8612999091715c4c11ab6e1d9790eecb5f3f315609b40e8da925d334250206329b995932686ac430e44fcf6db2

C:\Windows\SysWOW64\Adjkol32.exe

MD5 ebeb7374bea45cb44fbd610e900cd7d2
SHA1 cacfd4a2f2061bc18f315a010057c416cea412c0
SHA256 067d8d1904534c2fe2bda4602db29ae82eea5efda210b77123b517a90a6752a5
SHA512 abcc008d00774b0c16b58200c526633c4ec5bc113cc824d7ac912d521ec2ead7786eb0b809c187f39d9b78583a35c8d30c73f6ce78287d7aa2238e3217376480

C:\Windows\SysWOW64\Afhgkg32.exe

MD5 67b4f8ab4efd7e5893d134ba26356099
SHA1 c466edab8ec8cd2c217e538276474588ae5801b7
SHA256 34dad1ef40ff0db606c2c0a38c81d78d64e4fe689cf1ad7d53782868e7501a0f
SHA512 59c115e6ba6db322aa65a01507004bda9fa69b3961af1c3e7b06a6958e825caec0b543e49df4dc65f4939b9d285d1220e7550ede2f3372d762431c5219cd96e6

C:\Windows\SysWOW64\Aigcgc32.exe

MD5 f74c03aa6d0d8e20233da0f1ea797443
SHA1 52640b53758c30f52451bb43d33a97a1e4f7ce00
SHA256 25ccbea8eb25a25ab5e08dc4007daf7ca6ae3e0af535f1b59c637a9c7eb2b499
SHA512 d1021d32f2850f8d877482036961dcd2753c91fb757eeb60e632b60d2bf44ad3170068ad018578a62426aeca9f41906feb677172b622b9f9a675f7c8bb607ea0

C:\Windows\SysWOW64\Ambohapm.exe

MD5 c46d49e18739be9fd9e8b1341d01fae8
SHA1 ada5460288ce8022b9855c83e5665c772cc3652c
SHA256 0e7398e6d13356aa4bde793b856031da22163fd34f0c0d8ce4904418a32f8fb0
SHA512 a6092c2d8e4fda6ce63da26d182b382e8e8bbd605557a14e50d836cc1c1ca0b92bc53e85d52379773aea3e49be58d4593af25b75565d56c4954566257b9a43af

C:\Windows\SysWOW64\Apakdmpp.exe

MD5 3012d5854cf775ddfab976e3d67d3e9c
SHA1 166e697c45fea1ed2f8547d039c4235c3bec4353
SHA256 462a8beb2325943bae64535773647776c228073fbabbda57e34173587b853858
SHA512 f50f7d52cf19a9b229966dc6472b3ae2c16256147f12fb271f7e55a9213bad5e322d6adab67a35ecf9a3501e8ab2a543f1120b482f47f03292a81b4109eca2a0

C:\Windows\SysWOW64\Aocloj32.exe

MD5 3668977b9cde754bfdf3472767dd0bee
SHA1 c0c5dda778b660aeae49f0f0b2df97a81d2ca8a1
SHA256 dba265aa62382f2f0b8869b02a39a01819740c9b74fc72fb226db7d42334b959
SHA512 e6c404642d0086bec584344d97d778ccc4b6a0dda69065e582ebbc524d254eb84bef5dc9197f98d57da2dd25a01b7be4ec3d4d4edfc0dfe54c32418337000c54

C:\Windows\SysWOW64\Afkcqg32.exe

MD5 00a62a724441cd2be68253dc0bbb546b
SHA1 05f13169b1d38a97012dbac8d23fbe1c97dbbf67
SHA256 23c48c242812fad7100c6a6cca00be3f696ed38c800cf18d39e662294abad224
SHA512 a4700fcecbb403f145ee97d8217617a22ce50e063126f6346253d8dfac151797fb5093fb8dbc68a3b1d76b45a1d90e5aad79a2f7a410c29fc9b4987e9c258aea

C:\Windows\SysWOW64\Aendldnh.exe

MD5 e2098462dc4ae98356fb0ed5abd69bab
SHA1 815dbbdcdacf3de3c76d8fb6f23fad14e9150356
SHA256 f1355c9f1690949c795a6399ed63ede7365d6f87029c20ac51f3a76a5b434d5a
SHA512 e4709bca8e73d49ed3bc009ea81d5fa81fca1f2d9f82df20f50c34cd1488cf9981656c27fd7c7538c56c612ff25ae267929806f71fa3ca77c5aff26b9dc38ec5

C:\Windows\SysWOW64\Ahlphpmk.exe

MD5 28392d7e3b0491d73c6df3be17e29ca8
SHA1 10d7c1a2debcafc1df6fa882a9d6d136a772e6fc
SHA256 7ec0127e4cf02ade42d03249105c937f1ba7c0b90997175c68f37d7a5896561a
SHA512 b3227cd34267aa0b8b88ce8de8e75b82f3562458af360747aa307a06e5b3e1a788c1007bc018b503b671690f54cf1fb24aa86e3d1528ca2d229ef730241ab35a

C:\Windows\SysWOW64\Apchim32.exe

MD5 d8021e89e23f140fa0f3656c49baa66f
SHA1 7d28123c46c8d0d8e49bdd368a1b7a378ea61c65
SHA256 9c99b6419c3a8b201087e56c6375d6bfe79d56f460576673d36d1ec5f40336e8
SHA512 d479f6d8451608dcc5c1f2cc197a7475c1448c2bf15a64d88d5576c994dcd7e65ecdd70b92d05b4ef6db469bdb10b7f2fbd03423a974e25b5263a3622a0c608c

C:\Windows\SysWOW64\Abadeh32.exe

MD5 e2144f94f272c9754c60b68bcfdda263
SHA1 acea77f18f64c268df5073083c2e34911884268a
SHA256 a7cccf5643d267229a98783eb3c3a0d4458b367e037f851065ac7cea1943a75c
SHA512 96dce37a13eb6aa2cd3c6ce77fd2392d65581fa3aebc35e6045cbddcdb7694aa6b16d64f9b65fb499da102f76e32ec8321f249f86ddbca1da7f58fd87a28749e

C:\Windows\SysWOW64\Aaddaecl.exe

MD5 6ccf3bc0aa23f3863816fefc917aad16
SHA1 24989161c3cdecd07c92811ddc472d8ee0b7354e
SHA256 cfdca415d41acbbab0522579f7047a4e87acec4682c07bf44dd5af047c305b4f
SHA512 93d3770a6dd10bceb6c98a9ae42965a3ca262e74136d9207ad8438c519a55f234a6982112f17d2bdfc3464ab4b66a758bbaf3e5955b498ed1e8646e219587119

C:\Windows\SysWOW64\Aillbbdn.exe

MD5 edb3e4be6f60997ec5ad0948fecdfa5b
SHA1 d218f036abfdb1fbce4b91e6d5c2766af70f107a
SHA256 3c34a148a7bba4df4b7d57fa0d7b5c361d5f429966128e994fb3a7edb7b253cd
SHA512 2b106f4e35fd7fff406ddfc1d178cfbf700ef6930bb67fd1a80356b6fb8e5456e928e5a31c644ed6b5b3ab1520a85dc9a3657d8227b45f046d7c13a7cca2ce44

C:\Windows\SysWOW64\Aljinncb.exe

MD5 526eea8ad3b46dbe5d6b30c2a503ebd9
SHA1 d8ef9a936ab5ca0663ed112193cb30667bee01c2
SHA256 12b32495f9f83311c1fda3acfd64bb0e2a51e91d40835b9f34279a9acd39ad6d
SHA512 c6ec888ffc439ca4e917bc9512a2f3bdc2c180c993b05f89591efc1b2d9c947c4685fcbb8f9dba7e62ad6b037155981457bd93043e8f712c3f44722045e9af90

C:\Windows\SysWOW64\Bkmijk32.exe

MD5 c34464a89cb15a720565e37b54c90044
SHA1 030c056e5ac18e571ccbfeba81120802a12e9ad2
SHA256 95d24e46a18eea4b298998106ce60c248005d8451f88540a944cc04e1f1c8303
SHA512 85ceb111e617fc0e0419ee0cdb6dd37d511765a12c26890b2485b2762bbd3db1f9da1c277ebe39f7001d0e48891bf58dca5942665152d4cef6888320e7b4f6ff

C:\Windows\SysWOW64\Bbdakh32.exe

MD5 0d5e19dbd7c913a518894777454eda8f
SHA1 d2409e6ff36e1701c83ea90b808adaa0061f31a8
SHA256 ad10b2d4ca81c14e1b650c3ab990fbf6ef0a484e108683b7c47363c98e053db4
SHA512 54a907b8399ab0fb83c897cbaa32741dafd2d5ff941db54c6d549ecce10eb6c5be60e163c086ab73ec0fd467f361132a63a62c01f8a3816ee124cff991046fff

C:\Windows\SysWOW64\Bebmgc32.exe

MD5 34021484217321a85ad3942228528761
SHA1 07187d7e037db767d6257831b54e9ede0c0f9103
SHA256 13b0bad28377dab7c13460fc374ce3ef80ba41a5dc92d91f280b5d28aa1081df
SHA512 f2cf7166fe78ed36c860d924af53258a8bd4bf7798b5bb04295c4ffd3fc54f2fde291845cc8e8d0235d496c8080c1547397434e920c2ae53b10acd4fcca89b6f

C:\Windows\SysWOW64\Bdemcpqm.exe

MD5 0cd2a24bab34855cd19436a8a6e98d6e
SHA1 b50dff2e7630a5e66250a08da594f18cf8ce70bb
SHA256 c86eab59092b0e3915297c245c9e7ffc308d7ed517aa0db4ae10a7ed8f86ecee
SHA512 e9ea1679cdcde34d538d736af9ff5ae2ef548ddec579a66dae912d5cae2c28c885e1a64a169b42d668de0d31accecdaadfd6295e3c70e3f5fd2d12e6f815534c

C:\Windows\SysWOW64\Bkoepj32.exe

MD5 efe1dc4054ec9ed8f24f36c07dd91ba9
SHA1 d918b4e4c7df3b2e4caf76289ff10f3f31709f50
SHA256 275dded6d3a0213c82389e2cc97f71ca023d6530a7363d6ccf50be96cf71d260
SHA512 a01f83d4533e0e0c19317cd205a69a3a094898edab41e0ca1adeac2042142367d72c134c2b575c1132b1e2a0fdae8cc0fdcef62d173707bb2d3b25efcc2c960f

C:\Windows\SysWOW64\Bokapipc.exe

MD5 c3d87aafeca9b29991a5cb60f2af23b7
SHA1 08213ffc23f69623a8000b2dfeebc2499b4fad4f
SHA256 14f85a3e39b48ce7696cd97e586e30566771c1c5ad1c45cd02c06d74811a616a
SHA512 391638f7e0ab94bc74ae1b13960a57ee446a815ca25a0e8f4320190f6a78bcef3a1541fdacb40a98507b380260c4f4e59fd0bb9ad0e97e04ac472609d125991b

C:\Windows\SysWOW64\Bainld32.exe

MD5 87e7396e2fbc3e059e5310da0e117ecc
SHA1 c8a43f4ffa687119a86b89340979a02f826b27aa
SHA256 20772c2e2c185ac66cee5f7ac5a0346abdc8be0ba1efc239adac21bd47321d68
SHA512 ccc20f5687e0ae65bd21243db151942c81ea048cb60a5b54f8eda40598ac7bf57737b71211529ef83f748e6d61810ec0aff008446c28d4f81661ff12aa3939be

C:\Windows\SysWOW64\Bedjmcgp.exe

MD5 6b806da132c81a9dc8401d795f5f92fd
SHA1 397ef530c599c51ada0d121b33722f127b95d0f7
SHA256 ad2c75079d026a09104ae91423bfa6e5fa3794d4a2fece142e4bf6d046ed7cff
SHA512 38048a8d1b04193aa488c0134dc1fe433ec3e09e163621524ec280f2549b29e81cb34d1c1a74846cdb1eab1ca8b3687190441093caaef0ce667dc7c90b82c57f

C:\Windows\SysWOW64\Bhcfiogc.exe

MD5 2e870028f2dc18007aec60a47b0f813c
SHA1 89a73b0c8f8b7bedb26f607742856adf3cda89a6
SHA256 3d0975598aead3e4cc3fb79e8aba31ada4510eabb6d2b1b4ce0fb658214d52fe
SHA512 eb4943ae8b393f6b0bf70dcb09963de8a77f663913c37e1b52a79cd18c65176a462dbcd368dea37b078d71a9a37457228ddc602f67ff18b8f16af608cfff56c7

C:\Windows\SysWOW64\Bomneh32.exe

MD5 ca87f0708559e7d37103fd22c7f76659
SHA1 5e2cc7270b49527b5f8ade134caec22359f988db
SHA256 98be0f4892a490f67c6d39be8a8a77963fd1d2a19b826ef81719f93785f647a6
SHA512 b218900167cff90ff6de914fc8867783141f9d077d95008e422299110733c7bed1705e4e5699d8ca07c2ce93a19482ad29e47bd73b0d42ba2c1008fe8a99172b

C:\Windows\SysWOW64\Bnpoaeek.exe

MD5 69fcaf00de7031bcd0f5591ba84173d6
SHA1 9e8065f5656cc20c5f2f369b5703c593bd24d076
SHA256 7dba19281dc68c3f214ab225185ff2f973f3bcbf455350e2219245c83a444123
SHA512 230b8f3160887176b70831561fc1280adb7528fca8462dd75c4c0a5fe9ff6232e8d178517e35878abee803158bb07436c7b15ce08de43774f917bc5d8cfcddef

C:\Windows\SysWOW64\Bpnkmadn.exe

MD5 4df134e572f5ea54e8d3fa5fef480783
SHA1 8e17331f4b8d3b0cb33f2dcab2424c13e91c78d1
SHA256 4212b4d2d2f0e0dbc1bfd614d7f19e3ff07c04e12fe780ef9c465181223e56ca
SHA512 c8a61eff0cd1320fc9fedca456e461bcab9cc45a0af80934750979897145942449a86ab13ca51f56d39c634ee52950bf5ca518df8b34e7a7a1de8cd0db23e7b0

C:\Windows\SysWOW64\Bakkad32.exe

MD5 2d57ec430aef4756d45d71c760f6f0a5
SHA1 e3eedd7d7773557c768f14d8257bbf2884fc2422
SHA256 ebe112ebdaa692095370cd6c56a6c372eaf58d42844497898233c4fe8d5703db
SHA512 3c36371120c8f40259f3394554feacb7238b918b92a85d02c9ab3fde11a86fd7f5776fe36db1a77419deea1eee826ab6e8e67c1ff3f66f788adabab69a8fa76b

C:\Windows\SysWOW64\Bhecnndq.exe

MD5 2a272293194113b15adf0594e88d1eab
SHA1 26348ca23cf622758972f19b5dcb2413daeda7fb
SHA256 e95fd06102ed9a71fb65305e0036933f7c7671d5b6a0ae37266751a5d0989b2c
SHA512 fbd5bb6a5e546bee09c3cb270eed1c07aff5757be400a9a177edec1b246eb6d561f742e18fe3c41a607634e6d11cde1390096e8147093c0df9745c81c0a6df0a

C:\Windows\SysWOW64\Bghcjk32.exe

MD5 e2d56da1958ad99e8a0928ae7a4a9eed
SHA1 6c1db33a73264ab664ae420f6119249f640618c5
SHA256 d8484ef64ffb111bd7e4d3a4abc9753715154e6a4859784bc5aa1eecec263e99
SHA512 2eb544c4cdf23e4d9383963a870b38693bd21beba2a4d0112b0ea37e84d07a066ed46201ce0c599c01661c65dbdbffea08b1a64fa7c4819d228a16ebaaa67a99

C:\Windows\SysWOW64\Bkdokjdd.exe

MD5 5f0caa453ec31d5e3e5eeca025dde6bd
SHA1 40477be9edfa70222ccc4cdbebd0b0f9fc7b7ac4
SHA256 8b1c8708d1004667245ea320205e9e21b988ced1e11b9ed126b9eeed91a777e8
SHA512 26b6936259ffd3fd4ba5be767b3962c66e1fdcced0c75e4f5c17d356235f7a5bea7006816b6782c5105d576bacb068326cfd63bac656f0c4eb940ff884505ef1

C:\Windows\SysWOW64\Bnbkgech.exe

MD5 53610449d35e3cf46df4901e8e718028
SHA1 929ee204f09ef78f31b2e53d551f0afc31f5cffa
SHA256 6d938ed745de293421afe3426f7dec3043d1a79ba6756392d4e9cac013c2c6c4
SHA512 e41f3b5ff80da6fbdb95e0f3234208796c7a4a172b96e1e7751c0c87373563f132c1506c783c3a5d5fe71c338f474ec22c82dabcad0bfe5b095e94d2092dad00

C:\Windows\SysWOW64\Bpqgcq32.exe

MD5 7c4f92f505d039c0e1eba89086bbc0f9
SHA1 8a724501145a02bba9724295fb6ab52505dd1aff
SHA256 54e51aae00b6e00306748b57b64b6926b3e07ed7b6f3bba3d272becdfacd9abe
SHA512 0d8de15fbd12a1ae5a476e3cf27bb06c58a3e17a0331b359eeb3156a2e94eeb07827ee026343e2c5d2794b45ce47f0658fb755328068e1e2f6bb70ec8bfde9f9

C:\Windows\SysWOW64\Bdlccoje.exe

MD5 0f2b83e8f1484b29ce94af3192fa7f6d
SHA1 987dde0c49442b02fdf1269eb9c2300aba7729f3
SHA256 7dc881fc530025de070cb35ddc9e9a536c282782dc0c3d6bfa53776b143f4ec7
SHA512 5122e07fb48defe2a1e882402b7352066e70b9d08923e14bf3a6c5900ec7497d566fecc05ee8396a2f78a3fb3f9b1a940080efa6b42b0e814ff930c7ae6caa74

C:\Windows\SysWOW64\Bgkppkih.exe

MD5 e61ad5ae4466d79b78494d79e01ec0b2
SHA1 29dffa485ebff9bd2dfbf8cc91672af9fe8149f3
SHA256 3d62f1ccbe0873b63ffc2efe0232cf0f72ed32c535baf7ba0dc72ed78a67dd05
SHA512 43d2a1e8c4427f539311e9037ddbdbbb4b413b99d2f2e29b30f371319154bdb92150e404ebba1f2f1fec1c1c65cefc7081db3e680a6786831a3d96d2c592f7ee

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 15:38

Reported

2024-09-16 15:41

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bapiabak.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acqimo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baicac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anadoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acqimo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ampkof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ambgef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qffbbldm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Anadoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daqbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmcibama.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dobfld32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qnjnnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qddfkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qffbbldm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ampkof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqkgpedc.exe N/A
N/A N/A C:\Windows\SysWOW64\Acjclpcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Afhohlbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambgef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aclpap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anadoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeklkchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddjfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Acqimo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajkaii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepefb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfabnjjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnhjohkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebblb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjokdipf.exe N/A
N/A N/A C:\Windows\SysWOW64\Baicac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcknmop.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnmcjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beglgani.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgehcmmm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjddphlq.exe N/A
N/A N/A C:\Windows\SysWOW64\Beihma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhdil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbmefbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bapiabak.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcoenmao.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfmajipb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdabcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnffqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Caebma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cagobalc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpckf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceehho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffdpghg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmqmma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cegdnopg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhfajjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmcibama.exe N/A
N/A N/A C:\Windows\SysWOW64\Danecp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfknkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dobfld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daqbip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhkjej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkifae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daconoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddakjkqi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dddhpjof.exe N/A
N/A N/A C:\Windows\SysWOW64\Dknpmdfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmllipeg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Maickled.dll C:\Windows\SysWOW64\Caebma32.exe N/A
File created C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cagobalc.exe N/A
File created C:\Windows\SysWOW64\Cogflbdn.dll C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Hmcjlfqa.dll C:\Windows\SysWOW64\Aqkgpedc.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnbmefbg.exe C:\Windows\SysWOW64\Bhhdil32.exe N/A
File created C:\Windows\SysWOW64\Gifhkeje.dll C:\Windows\SysWOW64\Daconoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File created C:\Windows\SysWOW64\Olfdahne.dll C:\Windows\SysWOW64\Cnffqf32.exe N/A
File created C:\Windows\SysWOW64\Aoqimi32.dll C:\Windows\SysWOW64\Qddfkd32.exe N/A
File created C:\Windows\SysWOW64\Ampkof32.exe C:\Windows\SysWOW64\Qffbbldm.exe N/A
File created C:\Windows\SysWOW64\Oahicipe.dll C:\Windows\SysWOW64\Acqimo32.exe N/A
File created C:\Windows\SysWOW64\Ebdijfii.dll C:\Windows\SysWOW64\Beglgani.exe N/A
File created C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Bcoenmao.exe N/A
File created C:\Windows\SysWOW64\Jekpanpa.dll C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Ehfnmfki.dll C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File created C:\Windows\SysWOW64\Echdno32.dll C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File created C:\Windows\SysWOW64\Jdipdgch.dll C:\Windows\SysWOW64\Dobfld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File created C:\Windows\SysWOW64\Bmhnkg32.dll C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File created C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Bjddphlq.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Beihma32.exe N/A
File created C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File created C:\Windows\SysWOW64\Bneljh32.dll C:\Windows\SysWOW64\Bjokdipf.exe N/A
File created C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Caebma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Dfknkg32.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File created C:\Windows\SysWOW64\Acqimo32.exe C:\Windows\SysWOW64\Ajhddjfn.exe N/A
File opened for modification C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bnhjohkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Oammoc32.dll C:\Windows\SysWOW64\Dkifae32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Eiojlkkj.dll C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Cnffqf32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Dmcibama.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Phiifkjp.dll C:\Windows\SysWOW64\Bnhjohkb.exe N/A
File created C:\Windows\SysWOW64\Cdlgno32.dll C:\Windows\SysWOW64\Bebblb32.exe N/A
File created C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Eokchkmi.dll C:\Windows\SysWOW64\Cegdnopg.exe N/A
File created C:\Windows\SysWOW64\Ehmdjdgk.dll C:\Windows\SysWOW64\Qffbbldm.exe N/A
File opened for modification C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Anadoi32.exe N/A
File created C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dmcibama.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfknkg32.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File created C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Dhkjej32.exe N/A
File created C:\Windows\SysWOW64\Oicmfmok.dll C:\Windows\SysWOW64\Aeklkchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Baicac32.exe C:\Windows\SysWOW64\Bjokdipf.exe N/A
File created C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File opened for modification C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File created C:\Windows\SysWOW64\Qnjnnj32.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File opened for modification C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bnhjohkb.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baicac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ampkof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ambgef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beihma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkifae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anadoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagobalc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acjclpcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daqbip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qddfkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beglgani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aclpap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acqimo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bapiabak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caebma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmcibama.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dobfld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qffbbldm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" C:\Windows\SysWOW64\Baicac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" C:\Windows\SysWOW64\Daqbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll" C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acqimo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajkaii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beihma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" C:\Windows\SysWOW64\Dmcibama.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aclpap32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll" C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" C:\Windows\SysWOW64\Anadoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfmajipb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anadoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkifae32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3612 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Qnjnnj32.exe
PID 3612 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Qnjnnj32.exe
PID 3612 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Qnjnnj32.exe
PID 3636 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Qnjnnj32.exe C:\Windows\SysWOW64\Qddfkd32.exe
PID 3636 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Qnjnnj32.exe C:\Windows\SysWOW64\Qddfkd32.exe
PID 3636 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Qnjnnj32.exe C:\Windows\SysWOW64\Qddfkd32.exe
PID 4768 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Qffbbldm.exe
PID 4768 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Qffbbldm.exe
PID 4768 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Qffbbldm.exe
PID 1648 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Qffbbldm.exe C:\Windows\SysWOW64\Ampkof32.exe
PID 1648 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Qffbbldm.exe C:\Windows\SysWOW64\Ampkof32.exe
PID 1648 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Qffbbldm.exe C:\Windows\SysWOW64\Ampkof32.exe
PID 4184 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Ampkof32.exe C:\Windows\SysWOW64\Aqkgpedc.exe
PID 4184 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Ampkof32.exe C:\Windows\SysWOW64\Aqkgpedc.exe
PID 4184 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Ampkof32.exe C:\Windows\SysWOW64\Aqkgpedc.exe
PID 1148 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Acjclpcf.exe
PID 1148 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Acjclpcf.exe
PID 1148 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Acjclpcf.exe
PID 5024 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Afhohlbj.exe
PID 5024 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Afhohlbj.exe
PID 5024 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Afhohlbj.exe
PID 2796 wrote to memory of 4468 N/A C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 2796 wrote to memory of 4468 N/A C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 2796 wrote to memory of 4468 N/A C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 4468 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aclpap32.exe
PID 4468 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aclpap32.exe
PID 4468 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aclpap32.exe
PID 3588 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Anadoi32.exe
PID 3588 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Anadoi32.exe
PID 3588 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Anadoi32.exe
PID 3676 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Anadoi32.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 3676 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Anadoi32.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 3676 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Anadoi32.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 3480 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 3480 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 3480 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 2712 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Acqimo32.exe
PID 2712 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Acqimo32.exe
PID 2712 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Acqimo32.exe
PID 4984 wrote to memory of 5084 N/A C:\Windows\SysWOW64\Acqimo32.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 4984 wrote to memory of 5084 N/A C:\Windows\SysWOW64\Acqimo32.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 4984 wrote to memory of 5084 N/A C:\Windows\SysWOW64\Acqimo32.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 5084 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 5084 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 5084 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 1068 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 1068 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 1068 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 2612 wrote to memory of 4412 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 2612 wrote to memory of 4412 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 2612 wrote to memory of 4412 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 4412 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4412 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4412 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 1468 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 1468 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 1468 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 2128 wrote to memory of 3824 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Baicac32.exe
PID 2128 wrote to memory of 3824 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Baicac32.exe
PID 2128 wrote to memory of 3824 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Baicac32.exe
PID 3824 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Baicac32.exe C:\Windows\SysWOW64\Bgcknmop.exe
PID 3824 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Baicac32.exe C:\Windows\SysWOW64\Bgcknmop.exe
PID 3824 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Baicac32.exe C:\Windows\SysWOW64\Bgcknmop.exe
PID 4744 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Bgcknmop.exe C:\Windows\SysWOW64\Bnmcjg32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5028 -ip 5028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 404

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3612-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3612-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Qnjnnj32.exe

MD5 a75aa52c407071ccdf21934f6bcbefc2
SHA1 439877a38048d85d831ded11472e2ab79f8c1a1c
SHA256 48fc59c14329dc8c9c1ecdd5b6506e37c364b48a5e1c3edb7da69460a9af5653
SHA512 56ec22c6a4b302eb5b87418d7916df04d928e2bee62277505cbb39994e75efe99fd4251e0cc15c924f8eb765c20c4660a6f0051692373337145326ed0ce4c3cc

memory/3636-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qddfkd32.exe

MD5 dc9100c28ab9214dd21178cfbd1ba726
SHA1 a2238600cc191b9a85f96111b44ffc26805f89a3
SHA256 29b86f42a4eb26f07d4d73a7e41da33e48dfc79e3746f03d563ca64058ce1484
SHA512 8e66b4db48320adbe126903377de21711a6d57df55fa2fcfa13a755f479f28a33db60105e3649d51ceb8c230d30f8f5961e3671c4f16ff3239843b97d7c2ac49

memory/4768-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1648-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qffbbldm.exe

MD5 1db420b3c2eb747fcd18277f7ec35937
SHA1 850455642d2ebade3aa3d9edf753663d8511f722
SHA256 b10672ebdbb88fabcf3394b38ac4c6e0e3b5151fa6b415ad6a47ca03f728a3fd
SHA512 108f69cc293f2014741abd86a1c9419da99b6bd776d430715c0873f0ab5620c20dafc6ef9db7a61576df403189d122117e87f66fc726f67f317a0fe1b4d81a66

C:\Windows\SysWOW64\Ampkof32.exe

MD5 08f9b25775edd781b9e729fe251d0122
SHA1 35a9a8fb41dd66b9f4fd25d867051d6791895a20
SHA256 55b8a583c2e87a423c6d9f1c8a9c1a725160e5a0a94ee691b272b1b19c713e80
SHA512 166ac0665dbecc43500e8218da745466ce73eccdbfc9f1602fc8ef23ade684ab59dbf49e8575a9143f693e9ed8d4f13c8584e2210172f7b5151c0a7886218b84

memory/4184-33-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aqkgpedc.exe

MD5 a0c8e2919dc19597308784d56f99b724
SHA1 a34f091545812c030a4158acfbb3519c64d42259
SHA256 8a21ff8b77ef6c67102a1b5e37fb1aec6c41f22c403146ee1fcda19b99d6286a
SHA512 47e3b63dec31d1759aeb276c4b534eabb706d0a101a42a66cf11037669f475c20367d199635a738cd1ab83328827c8bc5c2b7330260177aa5233f5c719d09e88

memory/1148-40-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Acjclpcf.exe

MD5 037f2410b9d0ee884e21a6e3f39a9ea2
SHA1 ab4cff0ca0cba1408cf6ec1536c7648d3357d791
SHA256 3351242f85c5ab7067ae1580f86e814666bacdf90a009c1b0baedcab6a010a5e
SHA512 9f555ca07512fa8e8ceddf80ac841ee2d227714e2cae04ddd464edd6d0d8967eec04af73fddce1a8ecdf681d3fed0b36a3608b21e45c01d75994176ab8365607

memory/5024-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Afhohlbj.exe

MD5 4040ea9ab91d7350c09541dff05ceab6
SHA1 174e48904edbb6014cd515963189aca3cba1982d
SHA256 7515428207ba9f4fda7f329dcc9dd3835ae5746fb599c8fad5e65e8fc5be7044
SHA512 b8a7e1c7adabfd6d39dd560da3ef184a136fb45adfc912a4bbb9baf6cbaa4bdfb82fe61755f09f9a46b46ab77c34f563e4c2aeec2961135c149aa7f682de03f5

memory/2796-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ambgef32.exe

MD5 6f9480eee51080791c701926114545c4
SHA1 b9ff0842cb12f721cf0231ce198ec79441193c22
SHA256 2b7351dc30c0b9dc77b8655c8672a1a6ff595f7315c64b4c1f2b9b7e40c3f169
SHA512 7f60ff4fa984940743a41a98705d2c7ed3dcf7121475a3d6874d4e7bf32351fccba63fdac50b3778dccfcbae8b6b94f89e41f998a8fdee39e7db140831ed0b80

memory/4468-64-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aclpap32.exe

MD5 687d35c64c6d1dcb9fbccc66484a648c
SHA1 dc5e3e2c58b5b02221c5f5d39003094b16c0f92b
SHA256 27162e8ba5d89c3eabf95bdacc1208fe0e7b8931568dc0e339a5a7feae500e1f
SHA512 67eae94f02cc0164ce947d9ee38a8dbcf92b6c7eb80a7246345441d44e1d7abba91a46bf6cc9fac69fc697b37ea4fe4a4f179f8ca2482679c1fada99a471eb17

memory/3588-73-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Anadoi32.exe

MD5 653c2d621d806989ef0506cbc03eb4b4
SHA1 5069640d7176b0a66eeb85f8929301ce3d10ca69
SHA256 2de15800371bc0c837d72ada93ad1da838cafbba70752c75bbdd9725770d1f6c
SHA512 a148df3aa3561cf72078368d874eec9abd63d654f6213e29f9af7a63769a11189ded55489096d0bed265cd55be99c268785e067101c2050d44ca7ba8cf95d95c

memory/3676-80-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aeklkchg.exe

MD5 f08de8953849a0a0109c2373e5a8f594
SHA1 0900f8714b8ac34db3b25e2832d95aee51451518
SHA256 8bf80ea7588a3c5e5d335d9fdbf3a466244294f835e9fc42b2c0dd6899045952
SHA512 ca888b110d6674cab2ffd71a61da537a2f83ea1db238b7a8123f617d04e0eb9d419eedae52437c8b5ccfecde3865a708a7015263f0954f82be40b623074ca771

memory/3480-88-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ajhddjfn.exe

MD5 880ca6d9557c7165778ec85b204320ab
SHA1 1aaf6a0596314d780e5fda5a16d20e4b73e64439
SHA256 7deb67635bf4e34a19c24df3f6be097e6c237926aed05e242aef171f3e7ebb33
SHA512 09f1831ecd818e1ea7436e2b901051c0d34fac24cd8f3271be537f7cd456b96d1772b0e6e9e634e42f4445c934f4501feeb717f36c0f43bae5cb65b636bc3f9c

memory/2712-96-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Acqimo32.exe

MD5 a429021e2a5f0e6f986441014b258339
SHA1 e97ba8e84dffcda981b41c37028bf2b8172b5026
SHA256 31a056669842376b6b9c6426f237b3c28e50860d723a91865d4aaaeda82825d8
SHA512 3c43e7981f1d1a1bbe705be7439b27d4458e19ee59e3be2345b60941138dd3cae5b7bc652dc43cd4807d3c2fab3f68afe5463d15ff73157f7b6bc8aa954e9698

memory/4984-104-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ajkaii32.exe

MD5 b20479d65b1f40592ba16b36cad17358
SHA1 3e931073f40dec5b0128676173050bfff84e8e1f
SHA256 0222b8853f2d2b5855aaa24c89d3270f534c64d81197f50bc767b6c2578bcdea
SHA512 fc28b0e4506954d795de91832113ff5e1efbf864bb6fc946a1d9da6c95b8b140f3ec7951fb75231faf1e8483fd5e0f3eb7a30be43a950f3c4682f53084c4ffa9

memory/5084-112-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aepefb32.exe

MD5 373b64c13956c47507aeb0abb1f85553
SHA1 c38186120a176261bed2cb5bd7096149481c03a6
SHA256 dad9e53983932efb7b091812b3d4f0698e53e630c04c111d2992b3b053a621a3
SHA512 6a165ae579e726372d8a9e6576aa97002fb3fe765bbbb210f0b04a0660f6460b0ad254a3b142382cdaacab0df543803c249ed332fc776826864142ca082ef920

memory/1068-120-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bfabnjjp.exe

MD5 b7d1c271782dd109ed9058b4cdc1b0bc
SHA1 77c09a7c9af0b952245e609946fffb561916e92c
SHA256 cdb2dfa396203fb1e4e3e3140b73dcd3901633d85b2d71c208a882321208d28e
SHA512 219b1c5dcee9b0e0a594a838c0fda0521953f0f4d192a5336ac791d904fdbdea688c7c59581f4f1e03342b2775cf1afd1c5932a2c8c7b64667fe8715570eab01

memory/2612-128-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnhjohkb.exe

MD5 f97ec17c01f35f963450e012bc29f43c
SHA1 40513d9d7eaa36d2eae91010d57375349e0f849a
SHA256 a224b3959a87b7a6d53c03583c92dab512744e164b9147176670fdeee7e83bf1
SHA512 5208111444a719c7c371ab4ecc5489277963d1d9c08e7720ea44a7c0add426f42a9ac67cc7756927920ed1367265fc7149bf4e1e9aaa5aa7488fb4789a2c7dd6

memory/4412-136-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bebblb32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Bebblb32.exe

MD5 b0a36327b1448217c110b99098d8ee68
SHA1 a41ec6569f239a40cd1d9326184a242d0e2702d0
SHA256 cfaafe4fb28df2136119ca2c7db07c0dfd827ef0b1223dc9044f6aab2b697852
SHA512 d4cd32c3a424c618055852f2f375440b1d48c6813dde9c3f28a66d502560f8290c7ca50a7b6884623f881cd2fcc36a040eb85ce39ddd591dab77f8bdbe5c1a34

memory/1468-144-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bjokdipf.exe

MD5 c2b6f421567334c08ab82830f90a956b
SHA1 1c2aee9d3335be756da20a61f6f22fde2393558b
SHA256 262f4ba170119d6421ac0a23e947f17fef1dc95674e1781522df0753ec24ce78
SHA512 1bacb31a1f58fc0836050a57dd1f367bde9139e40a86a1fccf7b9585d413a0676f81f989300a33324e64e938290351d373f6b608545292fe1c69a4be3f372a74

memory/2128-152-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Baicac32.exe

MD5 1189e88ba13a885c2f192a7dd8efbe9e
SHA1 6dc94eda10d87dcf9c5bffcf386f98e98045526a
SHA256 f5c7d5e400d22dee8288990b8fff966a73aeb6dcfc1092c3e885f4e800649331
SHA512 9eaeba7e9a9c7ef13c2317b8d705201d42a2ffed411e2cf109e415e29601a30329733065a434613a3aca6a2e7ab2ddcdb1b5d3078fbe61ed266cb991852808db

memory/3824-160-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bgcknmop.exe

MD5 fb1968ecb570117daea9ea48d61280f6
SHA1 3e6324a57231c9ee8b2d3e6cb154bd509ec367ae
SHA256 9ab4ea47f7069e931c1fdf375e235a330f5cf4ef082a1b4cf634b8ca198bd42e
SHA512 08d29fd850a62f6e317bb2277aafa4db623a0d7f720beb8803d56ef3cd0865ab2a068ed154e09f6dd3bd01dd566b0635285c17f9d25a4391b3ef85bdf56d817e

memory/4744-168-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnmcjg32.exe

MD5 da1e15c7d92245f1f69bf1eadfd152d7
SHA1 70c967ecd4b17e1c17c9091159919b41e2d69baa
SHA256 a4852900c8143ab78e3569f02410f13701eb32211d088f205cc8250d4e2d4de6
SHA512 707467e2e1ffe1876f8d69c5316972bfd346a526e925910341b233bc4db7571bed206e95ba567f00d26643a8eb8aa46cf13f6c6df5637a1c2a98b1f2c4ac5eb4

memory/2640-176-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Beglgani.exe

MD5 92ccae5fa474b62f3bed3f38471a1d2c
SHA1 f4dad403f22c0c792d9d4523d592dbd4ba1dca3e
SHA256 838b01b5c4d7c55bd80bfc465a2e93a372d826fbca01f99b206777da0d6dbe36
SHA512 9e7a55d68875d33f186fb6edb08c4ff5f4fa3bffd3d359467f7e955aa83164db4c6a140a5035581e4a2d409794fae038f4ea69ab92b3d4185405611abbf5a289

memory/1948-184-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bgehcmmm.exe

MD5 2a0ac29e9bd6643eae4ab0d877214d14
SHA1 899ad2b6266b43fe20458bffc85ee35560bc572e
SHA256 9d1efafecaeaf3c4548ab01d7bbf3b6e4f6e9c410cc45d5fa67c20af9f78d6bd
SHA512 7b1f5dc0bddfc6c02b01aff5f7f08f7b8509652f95e16acca733ab0221676b00607d45f2f3879a5ad854518473d946c4b9ee5966f2d9c15f7436a0e62222cda2

memory/2776-193-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bjddphlq.exe

MD5 26af35ac08b5a5bb0f3c599d0e69bd04
SHA1 c3e414c5f3ad3919db827d838777bfceb992fe52
SHA256 c8e4efcbc4b506107a0536033a2d362f7a8f11fc60293707752acf1af14fa443
SHA512 75fa00c6a4b93513d6bfb3773662ab9807faf1ab0b23ed001d3778f13ab032fb8cb85a7db73f04be1848f393e5370a2883970a2a966786e3f32f7b4272688284

memory/4512-200-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Beihma32.exe

MD5 8472712500320403d43f3bb3b4f2452d
SHA1 ad9dbbb4e0422919e58786ede426a85acbd848f7
SHA256 30f55d8390e0314013f8f6fc0deac28ff815720c94476eda215c85ccb42e2eb1
SHA512 3054784c0f3784c1401957b8307527f1003a36dadb54811c87903fe247a70d6f764b02bc00f0a3928cc9eb0e52ac5aec6835756007fad20814d52622829d16b2

memory/1232-208-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4092-216-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bhhdil32.exe

MD5 e3a9f23fbe28ef7a73d28a9f8c050271
SHA1 1dcc5a65257eb117fa9c6a5a65395995010dbd10
SHA256 ce4fb934790ea788b4e02849ebe43af714a57f22afa10db177c4b2d480df1436
SHA512 61e34a91c63fbde0bd0cfb23ddfb06183f04e15e181f189e5d41544b396008a35f7d592e6488bf5d34a078efdd681565da4a5c0fe2f717dad2db2582c75c487a

C:\Windows\SysWOW64\Bnbmefbg.exe

MD5 81b04cf407a77db4a41caed38a98ae8e
SHA1 e0c049cb26312836eebce2861ca317478761bc8f
SHA256 73d03354d4fe855bda583288fdef4ae0822e26bb362e882697ed544aa6683956
SHA512 934ffb0e8f19faed124383504d3ae5d08a7d25e82325e533670bbd4ce8efbc5cb3753012a396ddbd55c81f383634f870ce155256f432ce11cc76b12db2bccc73

memory/3976-224-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bapiabak.exe

MD5 134f953ca7e9fda60d8aad9a06ed581d
SHA1 38512c2908562d12600bef94e8287eec353ae204
SHA256 11d6564731a2cf245e79f84f97482e4a6ed85dc94d477ef11b55ab15bf7a8c11
SHA512 55ea6cfb05fa3d597442c73ca6f1535cf37fd3b3f6b3968a33f79ef966a204a97b8422b88a4990e75d5b3d50a4e45c79eda4fffc096b5812a412267d5fedda93

memory/4600-233-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bcoenmao.exe

MD5 4c92ce3ef48470f90a06656be88ee082
SHA1 36cba3f5cff8c39ccbe475675a605eddb2e778ea
SHA256 fa5439728d938bd675efa36b71e5079fa11a7754e8a2708b566f45542678c61d
SHA512 07dffae009c35ce81031b59bf94bc746ec24109a67e818e804b490e49ab0df70a94d179f63c75ffc23f37d7785d24eac6d3a8d5834f0154b5d5b563471d51f31

memory/2644-244-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cfmajipb.exe

MD5 58e749c88527f349f41df5212644878f
SHA1 d87aff59a86644f45cc8a8d57efec20808224bd9
SHA256 1697bee89c854d73c9ed2363b90c15a0e51cda66dcc21a78fef7bc36b2fd9631
SHA512 40298c4613a79f05ecad52cec6d8cfcfc3212943b5769d553f1bc18b0500469e8ee4a6cf0811e643cc6f1f1dba594ce6df0954d74d06b84c06017e444a6bbcbe

memory/1080-248-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cmgjgcgo.exe

MD5 391a1e352a8f5fa984bef66e8abb94eb
SHA1 04caf23ea935cc36b811562ff0ff37ab83a5ceb1
SHA256 505698c0b171d2afbe6741fe29abbab6802d384ac97101dff77a1504ac0cc2d3
SHA512 6bb7deb91cfd434bd8fddb2e0a0de888c6fcd298106df7514f037f2d3ca733b27bbf423a938228584c1e5d9249d01f53000e16adffcbf1af166b7c0275836cbe

memory/456-256-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1360-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4312-273-0x0000000000400000-0x0000000000433000-memory.dmp

memory/936-275-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4952-281-0x0000000000400000-0x0000000000433000-memory.dmp

memory/804-287-0x0000000000400000-0x0000000000433000-memory.dmp

memory/396-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4228-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2324-305-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1048-311-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3108-317-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2416-323-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3520-329-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dmcibama.exe

MD5 1eb4cce05f23bc01ac1c8e49dc4ac3bd
SHA1 4e75de8a706623f2ded7d38fee1215fe82fef5c5
SHA256 7c31a77f47aaf2a417250809c85f837855ebfc185c0d9a1c1f7f60a3930caeb8
SHA512 d55d1bb52152e22bf5e2eaa838694ef5bde5f9a85a111ca9147f2e7e36cb6216cf17f1ed06fbf5af424b2f924bbb014fc5a0f6d4334579c52df16edf1c3832f9

memory/1952-335-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2284-341-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3844-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5112-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4520-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2752-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5032-371-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3332-377-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ddakjkqi.exe

MD5 efbf0099b16f03fabb47dccfca476382
SHA1 140fb60e00153a888d072dfaff047af89b7e961e
SHA256 884687f734f9dea693ddc518a7fecc5549d95c38cecb0fe67311d11fcec732d2
SHA512 01a73f93c659873a34570f623abc57add6bb1da9017c37ba27528ab0aa4a893dd6da523091aa1812edbd58562d7bb5556fd43de2f209f8a3b60f2c6f1a687ea8

memory/4864-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2864-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2608-395-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 95c2cff3bf0dd4fedafdf84e73920d57
SHA1 43df9a64d667192ea9fbbcaca7267bfaf6315e98
SHA256 6c8237eb0c3195386c18d5b5103276810130921521c1293d23656c2d5d36b448
SHA512 9097754ed277e77e44051ff11a80df9d2a8bff3ef8ec9418428136a35d7da8d243949f5088f1595cc1504b4a3cd473529a8a28e8bf372f37c6b10d60d3daafba

memory/5028-401-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2608-405-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5028-404-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2864-407-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2752-415-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3844-421-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1952-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2324-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3976-458-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4744-472-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1468-478-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2128-476-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3824-474-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2640-470-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1948-468-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2776-466-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4512-464-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1232-462-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4092-460-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4600-456-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2644-454-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1080-452-0x0000000000400000-0x0000000000433000-memory.dmp

memory/456-450-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1360-448-0x0000000000400000-0x0000000000433000-memory.dmp

memory/936-445-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4952-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/804-441-0x0000000000400000-0x0000000000433000-memory.dmp

memory/396-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4228-437-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1048-433-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3108-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2416-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3520-427-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2284-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5112-419-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4520-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5032-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4864-409-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3332-411-0x0000000000400000-0x0000000000433000-memory.dmp