Malware Analysis Report

2025-03-15 09:53

Sample ID 240916-s4d5fawapr
Target Backdoor.Win32.Berbew.AA.MTB-25509fda5ac9fb22b5e8390b81109422b0afa0a4cb7a3b5f22ec1d044bf7691eN
SHA256 25509fda5ac9fb22b5e8390b81109422b0afa0a4cb7a3b5f22ec1d044bf7691e
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25509fda5ac9fb22b5e8390b81109422b0afa0a4cb7a3b5f22ec1d044bf7691e

Threat Level: Known bad

The file Backdoor.Win32.Berbew.AA.MTB-25509fda5ac9fb22b5e8390b81109422b0afa0a4cb7a3b5f22ec1d044bf7691eN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 15:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 15:40

Reported

2024-09-16 15:42

Platform

win7-20240903-en

Max time kernel

112s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbadagln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecgjdong.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiilge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cojeomee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djafaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fipbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fipbhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddkgbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddmchcnd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emgdmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnjnkkbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Clnehado.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkbbinig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dochelmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecgjdong.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejcofica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbdagg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eepmlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Egpena32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddmchcnd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnfhqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnfhqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnhefh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eepmlf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efoifiep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnhefh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqinhcoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efhcej32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebappk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiilge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhbbcail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfkclf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebockkal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cojeomee.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cceapl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dglpdomh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekghcq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebappk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cceapl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlpbna32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhklna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejfllhao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emgdmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbdagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejcofica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekghcq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epeajo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkeoongd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhbbcail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqngcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djafaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcjjkkji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddppmclb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dqfabdaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enmnahnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkjhjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faijggao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlboca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbadagln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecjgio32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqngcc32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Cojeomee.exe N/A
N/A N/A C:\Windows\SysWOW64\Cceapl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clnehado.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbjnqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djafaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlpbna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkbbinig.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcjjkkji.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbmkfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddkgbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlboca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkeoongd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnckki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfkclf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddmchcnd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dglpdomh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dochelmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnfhqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbadagln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddppmclb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhklna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkjhjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnhefh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbdagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqfabdaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcemnopj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dklepmal.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqinhcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecgjdong.exe N/A
N/A N/A C:\Windows\SysWOW64\Enmnahnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecjgio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efhcej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejcofica.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqngcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epqgopbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebockkal.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfllhao.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiilge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekghcq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecnpdnho.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebappk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eepmlf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emgdmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epeajo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enhaeldn.exe N/A
N/A N/A C:\Windows\SysWOW64\Efoifiep.exe N/A
N/A N/A C:\Windows\SysWOW64\Egpena32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpgnoo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnjnkkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Faijggao.exe N/A
N/A N/A C:\Windows\SysWOW64\Fipbhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhbbcail.exe N/A
N/A N/A C:\Windows\SysWOW64\Flnndp32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Windows\SysWOW64\Cojeomee.exe N/A
N/A N/A C:\Windows\SysWOW64\Cojeomee.exe N/A
N/A N/A C:\Windows\SysWOW64\Cceapl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cceapl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clnehado.exe N/A
N/A N/A C:\Windows\SysWOW64\Clnehado.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbjnqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbjnqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djafaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djafaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlpbna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlpbna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkbbinig.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkbbinig.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcjjkkji.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcjjkkji.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbmkfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbmkfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddkgbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddkgbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlboca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlboca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkeoongd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkeoongd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnckki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnckki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfkclf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfkclf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddmchcnd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddmchcnd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dglpdomh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dglpdomh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dochelmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dochelmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnfhqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnfhqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbadagln.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbadagln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddppmclb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddppmclb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhklna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhklna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkjhjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkjhjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnhefh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnhefh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbdagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbdagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqfabdaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqfabdaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcemnopj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcemnopj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dklepmal.exe N/A
N/A N/A C:\Windows\SysWOW64\Dklepmal.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqinhcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqinhcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecgjdong.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecgjdong.exe N/A
N/A N/A C:\Windows\SysWOW64\Enmnahnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Enmnahnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqkjmcmq.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Dglpdomh.exe C:\Windows\SysWOW64\Ddmchcnd.exe N/A
File created C:\Windows\SysWOW64\Hhejoigh.dll C:\Windows\SysWOW64\Dnfhqi32.exe N/A
File created C:\Windows\SysWOW64\Hclemh32.dll C:\Windows\SysWOW64\Dqfabdaf.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekghcq32.exe C:\Windows\SysWOW64\Eiilge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cceapl32.exe C:\Windows\SysWOW64\Cojeomee.exe N/A
File opened for modification C:\Windows\SysWOW64\Clnehado.exe C:\Windows\SysWOW64\Cceapl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fpgnoo32.exe C:\Windows\SysWOW64\Egpena32.exe N/A
File created C:\Windows\SysWOW64\Fipbhd32.exe C:\Windows\SysWOW64\Faijggao.exe N/A
File created C:\Windows\SysWOW64\Faijggao.exe C:\Windows\SysWOW64\Fnjnkkbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Cojeomee.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
File created C:\Windows\SysWOW64\Bafmhm32.dll C:\Windows\SysWOW64\Djafaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnhefh32.exe C:\Windows\SysWOW64\Dkjhjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epqgopbi.exe C:\Windows\SysWOW64\Eqngcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fipbhd32.exe C:\Windows\SysWOW64\Faijggao.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkbbinig.exe C:\Windows\SysWOW64\Dlpbna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddkgbc32.exe C:\Windows\SysWOW64\Dbmkfh32.exe N/A
File created C:\Windows\SysWOW64\Baboljno.dll C:\Windows\SysWOW64\Dbmkfh32.exe N/A
File created C:\Windows\SysWOW64\Hmdkip32.dll C:\Windows\SysWOW64\Dklepmal.exe N/A
File created C:\Windows\SysWOW64\Epeajo32.exe C:\Windows\SysWOW64\Emgdmc32.exe N/A
File created C:\Windows\SysWOW64\Necdin32.dll C:\Windows\SysWOW64\Clnehado.exe N/A
File opened for modification C:\Windows\SysWOW64\Dbmkfh32.exe C:\Windows\SysWOW64\Dcjjkkji.exe N/A
File created C:\Windows\SysWOW64\Ddppmclb.exe C:\Windows\SysWOW64\Dbadagln.exe N/A
File opened for modification C:\Windows\SysWOW64\Eiilge32.exe C:\Windows\SysWOW64\Ejfllhao.exe N/A
File created C:\Windows\SysWOW64\Qhalbm32.dll C:\Windows\SysWOW64\Ddmchcnd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhklna32.exe C:\Windows\SysWOW64\Ddppmclb.exe N/A
File created C:\Windows\SysWOW64\Dklepmal.exe C:\Windows\SysWOW64\Dcemnopj.exe N/A
File created C:\Windows\SysWOW64\Eepmlf32.exe C:\Windows\SysWOW64\Ebappk32.exe N/A
File created C:\Windows\SysWOW64\Dnckki32.exe C:\Windows\SysWOW64\Dkeoongd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dglpdomh.exe C:\Windows\SysWOW64\Ddmchcnd.exe N/A
File created C:\Windows\SysWOW64\Ogadek32.dll C:\Windows\SysWOW64\Ebockkal.exe N/A
File opened for modification C:\Windows\SysWOW64\Efoifiep.exe C:\Windows\SysWOW64\Enhaeldn.exe N/A
File created C:\Windows\SysWOW64\Enmnahnm.exe C:\Windows\SysWOW64\Ecgjdong.exe N/A
File created C:\Windows\SysWOW64\Hdpbking.dll C:\Windows\SysWOW64\Ejcofica.exe N/A
File created C:\Windows\SysWOW64\Ekghcq32.exe C:\Windows\SysWOW64\Eiilge32.exe N/A
File created C:\Windows\SysWOW64\Kfadkk32.dll C:\Windows\SysWOW64\Fnjnkkbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebappk32.exe C:\Windows\SysWOW64\Ecnpdnho.exe N/A
File created C:\Windows\SysWOW64\Fakmpf32.dll C:\Windows\SysWOW64\Enhaeldn.exe N/A
File created C:\Windows\SysWOW64\Pggcij32.dll C:\Windows\SysWOW64\Efoifiep.exe N/A
File created C:\Windows\SysWOW64\Cojeomee.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
File opened for modification C:\Windows\SysWOW64\Dklepmal.exe C:\Windows\SysWOW64\Dcemnopj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dqinhcoc.exe C:\Windows\SysWOW64\Dklepmal.exe N/A
File created C:\Windows\SysWOW64\Epqgopbi.exe C:\Windows\SysWOW64\Eqngcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddppmclb.exe C:\Windows\SysWOW64\Dbadagln.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecjgio32.exe C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
File created C:\Windows\SysWOW64\Ebappk32.exe C:\Windows\SysWOW64\Ecnpdnho.exe N/A
File created C:\Windows\SysWOW64\Eomohejp.dll C:\Windows\SysWOW64\Emgdmc32.exe N/A
File created C:\Windows\SysWOW64\Aoqbnfda.dll C:\Windows\SysWOW64\Dochelmj.exe N/A
File created C:\Windows\SysWOW64\Dbadagln.exe C:\Windows\SysWOW64\Dnfhqi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkjhjm32.exe C:\Windows\SysWOW64\Dhklna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dqfabdaf.exe C:\Windows\SysWOW64\Dbdagg32.exe N/A
File created C:\Windows\SysWOW64\Cbjnqh32.exe C:\Windows\SysWOW64\Clnehado.exe N/A
File created C:\Windows\SysWOW64\Dkbbinig.exe C:\Windows\SysWOW64\Dlpbna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\SysWOW64\Dkbbinig.exe N/A
File created C:\Windows\SysWOW64\Bpmoggbh.dll C:\Windows\SysWOW64\Dkbbinig.exe N/A
File created C:\Windows\SysWOW64\Ejcofica.exe C:\Windows\SysWOW64\Efhcej32.exe N/A
File created C:\Windows\SysWOW64\Egpena32.exe C:\Windows\SysWOW64\Efoifiep.exe N/A
File created C:\Windows\SysWOW64\Djafaf32.exe C:\Windows\SysWOW64\Cbjnqh32.exe N/A
File created C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\SysWOW64\Dkbbinig.exe N/A
File opened for modification C:\Windows\SysWOW64\Dochelmj.exe C:\Windows\SysWOW64\Dglpdomh.exe N/A
File created C:\Windows\SysWOW64\Okobem32.dll C:\Windows\SysWOW64\Dkjhjm32.exe N/A
File created C:\Windows\SysWOW64\Dochelmj.exe C:\Windows\SysWOW64\Dglpdomh.exe N/A
File created C:\Windows\SysWOW64\Bdnnjcdh.dll C:\Windows\SysWOW64\Epqgopbi.exe N/A
File created C:\Windows\SysWOW64\Enhaeldn.exe C:\Windows\SysWOW64\Epeajo32.exe N/A
File created C:\Windows\SysWOW64\Clnehado.exe C:\Windows\SysWOW64\Cceapl32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Flnndp32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkbbinig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dqinhcoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekghcq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eepmlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enhaeldn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djafaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dqfabdaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emgdmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbjnqh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbmkfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfkclf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddppmclb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eqngcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnfhqi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbdagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ecgjdong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Faijggao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fipbhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddmchcnd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejfllhao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eiilge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efoifiep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dglpdomh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enmnahnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ecjgio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epqgopbi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlboca32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkjhjm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebockkal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbadagln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dklepmal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efhcej32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egpena32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlpbna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dochelmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcemnopj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddkgbc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkeoongd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clnehado.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnckki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhklna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epeajo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fnjnkkbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fhbbcail.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flnndp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cceapl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ecnpdnho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebappk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpgnoo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcjjkkji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnhefh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejcofica.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cojeomee.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhbbcail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll" C:\Windows\SysWOW64\Efhcej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efhcej32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Faijggao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqfabdaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnqe32.dll" C:\Windows\SysWOW64\Dcemnopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll" C:\Windows\SysWOW64\Eepmlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll" C:\Windows\SysWOW64\Dlboca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll" C:\Windows\SysWOW64\Dnckki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhejoigh.dll" C:\Windows\SysWOW64\Dnfhqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" C:\Windows\SysWOW64\Eiilge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll" C:\Windows\SysWOW64\Dhklna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll" C:\Windows\SysWOW64\Dqfabdaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgkjp32.dll" C:\Windows\SysWOW64\Ecgjdong.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll" C:\Windows\SysWOW64\Dkbbinig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qleikgfd.dll" C:\Windows\SysWOW64\Dbadagln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll" C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejcofica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fipbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djafaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlpbna32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkbbinig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enhaeldn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejcofica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll" C:\Windows\SysWOW64\Ejfllhao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocjgfch.dll" C:\Windows\SysWOW64\Ebappk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcemnopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necdin32.dll" C:\Windows\SysWOW64\Clnehado.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkbbinig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dochelmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbmkfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmaonc32.dll" C:\Windows\SysWOW64\Dkeoongd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamcoejo.dll" C:\Windows\SysWOW64\Dnhefh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eqkjmcmq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efoifiep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cojeomee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcjjkkji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll" C:\Windows\SysWOW64\Fhbbcail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dglpdomh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqinhcoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakmpf32.dll" C:\Windows\SysWOW64\Enhaeldn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnkmfoc.dll" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dlboca32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dklepmal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddppmclb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Egpena32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Clnehado.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djafaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll" C:\Windows\SysWOW64\Dbmkfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbjnqh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqinhcoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epeajo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggcij32.dll" C:\Windows\SysWOW64\Efoifiep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcjjkkji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnfhqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebockkal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqngcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll" C:\Windows\SysWOW64\Ebockkal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cbjnqh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dochelmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enmnahnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dglpdomh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Cojeomee.exe
PID 2172 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Cojeomee.exe
PID 2172 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Cojeomee.exe
PID 2172 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Cojeomee.exe
PID 2752 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Cojeomee.exe C:\Windows\SysWOW64\Cceapl32.exe
PID 2752 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Cojeomee.exe C:\Windows\SysWOW64\Cceapl32.exe
PID 2752 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Cojeomee.exe C:\Windows\SysWOW64\Cceapl32.exe
PID 2752 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Cojeomee.exe C:\Windows\SysWOW64\Cceapl32.exe
PID 2968 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cceapl32.exe C:\Windows\SysWOW64\Clnehado.exe
PID 2968 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cceapl32.exe C:\Windows\SysWOW64\Clnehado.exe
PID 2968 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cceapl32.exe C:\Windows\SysWOW64\Clnehado.exe
PID 2968 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cceapl32.exe C:\Windows\SysWOW64\Clnehado.exe
PID 888 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Clnehado.exe C:\Windows\SysWOW64\Cbjnqh32.exe
PID 888 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Clnehado.exe C:\Windows\SysWOW64\Cbjnqh32.exe
PID 888 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Clnehado.exe C:\Windows\SysWOW64\Cbjnqh32.exe
PID 888 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Clnehado.exe C:\Windows\SysWOW64\Cbjnqh32.exe
PID 2552 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Cbjnqh32.exe C:\Windows\SysWOW64\Djafaf32.exe
PID 2552 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Cbjnqh32.exe C:\Windows\SysWOW64\Djafaf32.exe
PID 2552 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Cbjnqh32.exe C:\Windows\SysWOW64\Djafaf32.exe
PID 2552 wrote to memory of 2224 N/A C:\Windows\SysWOW64\Cbjnqh32.exe C:\Windows\SysWOW64\Djafaf32.exe
PID 2224 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Djafaf32.exe C:\Windows\SysWOW64\Dlpbna32.exe
PID 2224 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Djafaf32.exe C:\Windows\SysWOW64\Dlpbna32.exe
PID 2224 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Djafaf32.exe C:\Windows\SysWOW64\Dlpbna32.exe
PID 2224 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Djafaf32.exe C:\Windows\SysWOW64\Dlpbna32.exe
PID 1144 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Dlpbna32.exe C:\Windows\SysWOW64\Dkbbinig.exe
PID 1144 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Dlpbna32.exe C:\Windows\SysWOW64\Dkbbinig.exe
PID 1144 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Dlpbna32.exe C:\Windows\SysWOW64\Dkbbinig.exe
PID 1144 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Dlpbna32.exe C:\Windows\SysWOW64\Dkbbinig.exe
PID 2464 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Dkbbinig.exe C:\Windows\SysWOW64\Dcjjkkji.exe
PID 2464 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Dkbbinig.exe C:\Windows\SysWOW64\Dcjjkkji.exe
PID 2464 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Dkbbinig.exe C:\Windows\SysWOW64\Dcjjkkji.exe
PID 2464 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Dkbbinig.exe C:\Windows\SysWOW64\Dcjjkkji.exe
PID 2792 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\SysWOW64\Dbmkfh32.exe
PID 2792 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\SysWOW64\Dbmkfh32.exe
PID 2792 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\SysWOW64\Dbmkfh32.exe
PID 2792 wrote to memory of 2112 N/A C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\SysWOW64\Dbmkfh32.exe
PID 2112 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dbmkfh32.exe C:\Windows\SysWOW64\Ddkgbc32.exe
PID 2112 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dbmkfh32.exe C:\Windows\SysWOW64\Ddkgbc32.exe
PID 2112 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dbmkfh32.exe C:\Windows\SysWOW64\Ddkgbc32.exe
PID 2112 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dbmkfh32.exe C:\Windows\SysWOW64\Ddkgbc32.exe
PID 2932 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Ddkgbc32.exe C:\Windows\SysWOW64\Dlboca32.exe
PID 2932 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Ddkgbc32.exe C:\Windows\SysWOW64\Dlboca32.exe
PID 2932 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Ddkgbc32.exe C:\Windows\SysWOW64\Dlboca32.exe
PID 2932 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Ddkgbc32.exe C:\Windows\SysWOW64\Dlboca32.exe
PID 2888 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Dlboca32.exe C:\Windows\SysWOW64\Dkeoongd.exe
PID 2888 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Dlboca32.exe C:\Windows\SysWOW64\Dkeoongd.exe
PID 2888 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Dlboca32.exe C:\Windows\SysWOW64\Dkeoongd.exe
PID 2888 wrote to memory of 2460 N/A C:\Windows\SysWOW64\Dlboca32.exe C:\Windows\SysWOW64\Dkeoongd.exe
PID 2460 wrote to memory of 976 N/A C:\Windows\SysWOW64\Dkeoongd.exe C:\Windows\SysWOW64\Dnckki32.exe
PID 2460 wrote to memory of 976 N/A C:\Windows\SysWOW64\Dkeoongd.exe C:\Windows\SysWOW64\Dnckki32.exe
PID 2460 wrote to memory of 976 N/A C:\Windows\SysWOW64\Dkeoongd.exe C:\Windows\SysWOW64\Dnckki32.exe
PID 2460 wrote to memory of 976 N/A C:\Windows\SysWOW64\Dkeoongd.exe C:\Windows\SysWOW64\Dnckki32.exe
PID 976 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dnckki32.exe C:\Windows\SysWOW64\Dfkclf32.exe
PID 976 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dnckki32.exe C:\Windows\SysWOW64\Dfkclf32.exe
PID 976 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dnckki32.exe C:\Windows\SysWOW64\Dfkclf32.exe
PID 976 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dnckki32.exe C:\Windows\SysWOW64\Dfkclf32.exe
PID 1984 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Dfkclf32.exe C:\Windows\SysWOW64\Ddmchcnd.exe
PID 1984 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Dfkclf32.exe C:\Windows\SysWOW64\Ddmchcnd.exe
PID 1984 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Dfkclf32.exe C:\Windows\SysWOW64\Ddmchcnd.exe
PID 1984 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Dfkclf32.exe C:\Windows\SysWOW64\Ddmchcnd.exe
PID 3008 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ddmchcnd.exe C:\Windows\SysWOW64\Dglpdomh.exe
PID 3008 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ddmchcnd.exe C:\Windows\SysWOW64\Dglpdomh.exe
PID 3008 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ddmchcnd.exe C:\Windows\SysWOW64\Dglpdomh.exe
PID 3008 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Ddmchcnd.exe C:\Windows\SysWOW64\Dglpdomh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Cojeomee.exe

C:\Windows\system32\Cojeomee.exe

C:\Windows\SysWOW64\Cceapl32.exe

C:\Windows\system32\Cceapl32.exe

C:\Windows\SysWOW64\Clnehado.exe

C:\Windows\system32\Clnehado.exe

C:\Windows\SysWOW64\Cbjnqh32.exe

C:\Windows\system32\Cbjnqh32.exe

C:\Windows\SysWOW64\Djafaf32.exe

C:\Windows\system32\Djafaf32.exe

C:\Windows\SysWOW64\Dlpbna32.exe

C:\Windows\system32\Dlpbna32.exe

C:\Windows\SysWOW64\Dkbbinig.exe

C:\Windows\system32\Dkbbinig.exe

C:\Windows\SysWOW64\Dcjjkkji.exe

C:\Windows\system32\Dcjjkkji.exe

C:\Windows\SysWOW64\Dbmkfh32.exe

C:\Windows\system32\Dbmkfh32.exe

C:\Windows\SysWOW64\Ddkgbc32.exe

C:\Windows\system32\Ddkgbc32.exe

C:\Windows\SysWOW64\Dlboca32.exe

C:\Windows\system32\Dlboca32.exe

C:\Windows\SysWOW64\Dkeoongd.exe

C:\Windows\system32\Dkeoongd.exe

C:\Windows\SysWOW64\Dnckki32.exe

C:\Windows\system32\Dnckki32.exe

C:\Windows\SysWOW64\Dfkclf32.exe

C:\Windows\system32\Dfkclf32.exe

C:\Windows\SysWOW64\Ddmchcnd.exe

C:\Windows\system32\Ddmchcnd.exe

C:\Windows\SysWOW64\Dglpdomh.exe

C:\Windows\system32\Dglpdomh.exe

C:\Windows\SysWOW64\Dochelmj.exe

C:\Windows\system32\Dochelmj.exe

C:\Windows\SysWOW64\Dnfhqi32.exe

C:\Windows\system32\Dnfhqi32.exe

C:\Windows\SysWOW64\Dbadagln.exe

C:\Windows\system32\Dbadagln.exe

C:\Windows\SysWOW64\Ddppmclb.exe

C:\Windows\system32\Ddppmclb.exe

C:\Windows\SysWOW64\Dhklna32.exe

C:\Windows\system32\Dhklna32.exe

C:\Windows\SysWOW64\Dkjhjm32.exe

C:\Windows\system32\Dkjhjm32.exe

C:\Windows\SysWOW64\Dnhefh32.exe

C:\Windows\system32\Dnhefh32.exe

C:\Windows\SysWOW64\Dbdagg32.exe

C:\Windows\system32\Dbdagg32.exe

C:\Windows\SysWOW64\Dqfabdaf.exe

C:\Windows\system32\Dqfabdaf.exe

C:\Windows\SysWOW64\Dcemnopj.exe

C:\Windows\system32\Dcemnopj.exe

C:\Windows\SysWOW64\Dklepmal.exe

C:\Windows\system32\Dklepmal.exe

C:\Windows\SysWOW64\Dqinhcoc.exe

C:\Windows\system32\Dqinhcoc.exe

C:\Windows\SysWOW64\Ecgjdong.exe

C:\Windows\system32\Ecgjdong.exe

C:\Windows\SysWOW64\Enmnahnm.exe

C:\Windows\system32\Enmnahnm.exe

C:\Windows\SysWOW64\Eqkjmcmq.exe

C:\Windows\system32\Eqkjmcmq.exe

C:\Windows\SysWOW64\Ecjgio32.exe

C:\Windows\system32\Ecjgio32.exe

C:\Windows\SysWOW64\Efhcej32.exe

C:\Windows\system32\Efhcej32.exe

C:\Windows\SysWOW64\Ejcofica.exe

C:\Windows\system32\Ejcofica.exe

C:\Windows\SysWOW64\Eqngcc32.exe

C:\Windows\system32\Eqngcc32.exe

C:\Windows\SysWOW64\Epqgopbi.exe

C:\Windows\system32\Epqgopbi.exe

C:\Windows\SysWOW64\Ebockkal.exe

C:\Windows\system32\Ebockkal.exe

C:\Windows\SysWOW64\Ejfllhao.exe

C:\Windows\system32\Ejfllhao.exe

C:\Windows\SysWOW64\Eiilge32.exe

C:\Windows\system32\Eiilge32.exe

C:\Windows\SysWOW64\Ekghcq32.exe

C:\Windows\system32\Ekghcq32.exe

C:\Windows\SysWOW64\Ecnpdnho.exe

C:\Windows\system32\Ecnpdnho.exe

C:\Windows\SysWOW64\Ebappk32.exe

C:\Windows\system32\Ebappk32.exe

C:\Windows\SysWOW64\Eepmlf32.exe

C:\Windows\system32\Eepmlf32.exe

C:\Windows\SysWOW64\Emgdmc32.exe

C:\Windows\system32\Emgdmc32.exe

C:\Windows\SysWOW64\Epeajo32.exe

C:\Windows\system32\Epeajo32.exe

C:\Windows\SysWOW64\Enhaeldn.exe

C:\Windows\system32\Enhaeldn.exe

C:\Windows\SysWOW64\Efoifiep.exe

C:\Windows\system32\Efoifiep.exe

C:\Windows\SysWOW64\Egpena32.exe

C:\Windows\system32\Egpena32.exe

C:\Windows\SysWOW64\Fpgnoo32.exe

C:\Windows\system32\Fpgnoo32.exe

C:\Windows\SysWOW64\Fnjnkkbk.exe

C:\Windows\system32\Fnjnkkbk.exe

C:\Windows\SysWOW64\Faijggao.exe

C:\Windows\system32\Faijggao.exe

C:\Windows\SysWOW64\Fipbhd32.exe

C:\Windows\system32\Fipbhd32.exe

C:\Windows\SysWOW64\Fhbbcail.exe

C:\Windows\system32\Fhbbcail.exe

C:\Windows\SysWOW64\Flnndp32.exe

C:\Windows\system32\Flnndp32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 140

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cojeomee.exe

MD5 015b111b56c36c37d9514038142e9c41
SHA1 3bcbb25672a529b10ed2a070b4d75e0189dcf0ca
SHA256 0bd9d603dbab530a3dd2dc113d3c62574884abc4fbd84d2f344fc343036b476e
SHA512 641d8a91a755498f50b7647faf346650d9e98eaa820db88fff793144329c97c88d8c0c400d6f77076afc9b4bf21aeaae543e44e6df3639f858e3f53439e28ca8

memory/2752-13-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2172-12-0x00000000002D0000-0x0000000000303000-memory.dmp

\Windows\SysWOW64\Cceapl32.exe

MD5 dad2b30ed8aa3b187eb12d66015159d6
SHA1 f5a5c5386bcce771be1e50a5e26f81b36c9aebe9
SHA256 789bc552ec11a7e41bcc3e19e322f87c18522b119b29746f3e89a45d8509440e
SHA512 565f6fa1ef05f251a16da20db99a797803805e6ef730d90f524cc6a25ecd8cc3e6b878f03bf01f5df2af062623dd6232b7ffe62ab0c3f6fe13a7155ab48d78da

memory/2752-21-0x00000000002D0000-0x0000000000303000-memory.dmp

\Windows\SysWOW64\Clnehado.exe

MD5 4ecd72e66f8f6917e16e5d93e20fd21a
SHA1 c8786e9289759fabdd76ad648980a912be9dc69c
SHA256 3d3f4c5b4e45fdc4acd3c28d39ba8ac1667d2a699915cc4429b48e93085793da
SHA512 1814c2f963e94bb0b4c07727957d6714a6c30238f6865194fb37f8008d0cc9c7742897431dbdc9839d0584db1acd390d6f2620c9b0b9d27ada375eeced676407

memory/2968-34-0x0000000000400000-0x0000000000433000-memory.dmp

memory/888-40-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Cbjnqh32.exe

MD5 382b3734e81565eb17cca9440311cbc2
SHA1 291529edf2fcbc768d111f540f16af093d931a8d
SHA256 e6d6970bfa3aa76c23bdfa5694c853721ca3d450f1595539eaad5e8c8375f12a
SHA512 3f139046574271fad246b0079ba6d8ff750a3383dff65af5b38ec852fdb7cf66b3c573299d0797a266cdf5b2e9c9b61bd3fe9962a4ef4ea556dc04488e32960a

memory/2552-53-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Djafaf32.exe

MD5 ade05a618b282cec79f5bebded08d85d
SHA1 591a168bd7407e690df85346511bc33aa92a9f11
SHA256 9f4a60bdd03061968ec826826130557fc1d52a9189eb4669c6ca618204a47bc9
SHA512 0769b5212e87c2d02aec8822a0e2fabda0b72145f22ded85bfc732d76b180e541da26c78b2d11399fe8f796c93fe30d1e2f7072c34f5ac40b15bd34c8db1aa95

C:\Windows\SysWOW64\Dlpbna32.exe

MD5 65d685eb1b6a18d1c57e253e900b8d61
SHA1 4a1fe835cb4101afe4b98be30fb59c4bd8c1ed97
SHA256 6a414b27c836c89dca273595bfb34f9bdedc10a26a5172b18574294c9e465aa7
SHA512 49b11e84e4c32e7b1ec9de833d81b3a412e95bdeb33bcb962eb905db95073e7cd94fd33eb9618d4e79d5fcc30f752322757b7321b01c2cb1d6daa02c77d609e4

memory/2224-74-0x0000000000310000-0x0000000000343000-memory.dmp

\Windows\SysWOW64\Dkbbinig.exe

MD5 9290ffe327ff1c7b08e01d59b7c16078
SHA1 b1d381d2d0759df05a7f0e87c8774bbcf1b36d5b
SHA256 e7fa6e3add42f77c10b2c1647d887dd9b7c64240fd0e6f72a6cb25fce358e818
SHA512 06b8a27861b5ef446acf214ff848ccf90493010e29c4cb3300312746164262ce014544aeb3b7eeabab9643ca12c5fc0b6e74ad87bc22eec2f396e77c38dad664

C:\Windows\SysWOW64\Dcjjkkji.exe

MD5 1e03fe85f6e58dedf53e0c76bff7c3a7
SHA1 fdab57ee39d142601214d1017c2e56facba3594a
SHA256 dd06a45f6b90c4df7c20c11de7772e25e3333ff1de4481600594dfa8f7e0d01d
SHA512 3ed31cf2f36d4ec21e902f1ed5252998880bf1496ac3848129cdd17f46a2ced7d694edd4a3c759433079929d9d4d727fdc7aa78ded5a1b97131f73ce8e34da48

C:\Windows\SysWOW64\Dbmkfh32.exe

MD5 205d100230d5a790d586cb497f7ab0b9
SHA1 e7add063450e76c2f6b513dac762f0065f8abce5
SHA256 35864f7b3b80b5b625c8b437cdc6897bae88029eacae34a7829ce0c14ee591ec
SHA512 933b2d9f9d5e0cb3904ac59fa8ba94d955db4582309ca70cf3dc70e142dd6375235707d1fee4669ca16c69b7884e904b4cc475bf707e0637c8e00a12af33ab86

\Windows\SysWOW64\Dlboca32.exe

MD5 20cbe9654021c215354c9b70f2921c3f
SHA1 bb1296bd6efee9538ee23a5420309311173878b5
SHA256 523deae793b110532cdb440977699ca0132262ea566cb473e7f158b468749cad
SHA512 e4a9e9bca924d5a823e5205d5b325b337e3a40c6e6dbc84ff9ac011eb0aa593cc6618ed1afef0c3f19035335eb724b1dd832214ef3ce7b20660235d70e8eacac

\Windows\SysWOW64\Dkeoongd.exe

MD5 769521b75a026f81c1cbe62cc0c4d5e0
SHA1 e205950ca9018a6810a67a22a06be9529e9ad7bf
SHA256 bfedd3c4427eba0d88b87d8d5b1d045c7a3edbcdca0f6a41aab1dbc2051ce747
SHA512 d594a2572d2466145aea940e89e7dbe5f665dbf753e8a221a5683a48e64693f00dec86db54da9653f1231a3d65d3feea00ce7bc63f20412c9a5d81602de4f33d

memory/2888-153-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Dnckki32.exe

MD5 013d64ab3f2f9eb99f84a80219c8dd2f
SHA1 a044e668ba3c111a312a3470d1579c5955684bbe
SHA256 2b4b9b6a919c2f1c76ecbe2583472c88d4458d584a9f44accae154bc437a1e83
SHA512 5503f4837522c7b8a03ea21d761b448981467ab1f9543d1d5e5bc7b9f96886eeedea8b87698d42f995263a68f92327e1d3de6588f173d938b9b62ade17b5f7d5

C:\Windows\SysWOW64\Dfkclf32.exe

MD5 394ae969531ba839a541be5515c4d0b3
SHA1 8f8b48a6ee003e7e59f8e4b5b6f51d1d757ac4e4
SHA256 07aa0ae13d59b01265fd9e96d454e3d738be78cac8a3bdaa1675b9bdf19af4c4
SHA512 0177dc4986cf794aa94c6ede9ab65254ba0e0ff28c24c944e30d6654979760c9f4b12a28dfc50eacd8b09d9c6fd41780507da3f744017845c727707e1bb946a7

\Windows\SysWOW64\Ddmchcnd.exe

MD5 067024cc932da2ccabb30e4468387f92
SHA1 b5adb4aadb8ee664b7621c5d0d1a4ceed33456e0
SHA256 0c3dfb5631d1c78f756d725f3f58bd9e12c9768769eae8fa2e5e27f1cc7fc741
SHA512 a04f6787f39d2496f171355f02aee0a7d46af3f4c1e49316ca1e1db5de2f6256814c0fe9f15f603dc009246d71316d2173857cf11513460856808f895a7d741a

memory/3008-197-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3008-205-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Dglpdomh.exe

MD5 61c443ec0f507592a9a7e721556f32d0
SHA1 6adc1a26a600a7bc62cfbf40e3ffa940dc0adad9
SHA256 203fd40c3a2835bf56ce26e694f70913fc3ade5dc4e32f152fe221e803b23469
SHA512 717fad49f50eef208ad941151573e5eb2de2b7285546e0edf13e35f00891ed67e77f50672b5a5c5f6cf27803be34855aac9aed04048244a439209331151283fc

C:\Windows\SysWOW64\Dochelmj.exe

MD5 346f7ae5c5dd8728aedbcdc9070bb7c5
SHA1 4b731adbd163926858c698f30f818e42860437d4
SHA256 a3127205c4a8851945010a64e2f86af3ec455fa59564d2b04011991349073a13
SHA512 05b015f1d4fe2da715487f23c492c633d48b0b9b12da470068d74e0f1634fc1c8682a13d30180e706ea458e7dd0075d3f6bb2b8249a8c4fe0baef46a9e14b1ca

memory/1080-221-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dbadagln.exe

MD5 1aca33478d8959fcc944ff9f469fec86
SHA1 4fa9f68ac28570015723b96c5afbc0cc5b00da6c
SHA256 b251c7715f1b8337cf6f421e41559e6469907701fd555651cfc8da38a7a14f0b
SHA512 6859a3ae8c1829c06090ccaacebe215a4dc0dffd06d737bc8cf106a4735f262862ecef4a89094adba8e10fe29e467a604a09708787c19878b53d7bf6cf7ab44d

memory/856-240-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1352-251-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1352-261-0x0000000000250000-0x0000000000283000-memory.dmp

memory/644-270-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dnhefh32.exe

MD5 c5825a8c45fb166745c70e8b8eadd22e
SHA1 78b05ee32e2a1d2c49cc5e24c7705dba8037d4bb
SHA256 a3ffb1560ef12eb2829a23893016110f42e383bc482ffc7d25839ab54ba1fe53
SHA512 b331827d4deebd37fd3f283ab8d8dc4b8f0c007013a4f2468e49227e0d5e41bbce008d0d660592c815b9cd25bbdf1d943267a3b7b43bcbfa14fe82b3344a8304

memory/1952-282-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1952-293-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2360-325-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2784-326-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2360-324-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2712-341-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2784-339-0x0000000000300000-0x0000000000333000-memory.dmp

C:\Windows\SysWOW64\Dqinhcoc.exe

MD5 19cbdb7074619626c91c0980291e5d91
SHA1 debdbb2f06d8c4efd332ebdb5acf340ece876a09
SHA256 4a80998b54feb2fd0822fd90307aa270f729de6efd5e11191646be57ab538d81
SHA512 1a0414eabfbf7e3f1683f3385fd4295d429fe872b90ec540a4a4ac5f61d1e4a5fb25bec82512f72b5c57bc4b93bc2405298a2560ea0fab1d1abbc9586ed6587a

memory/2712-346-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2172-369-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1328-404-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2224-403-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1144-426-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ebockkal.exe

MD5 1ac4a2ef5722f0cf3d6adc93cfd6031d
SHA1 6677ce078f865823faf43b0642667c9637ef1bcd
SHA256 a7cd95fe85d688f0bb547d70a125355467a3a6b04fa6d7bf877281504f649355
SHA512 3dba5ecca8811aae4820cab9e8c45e449e6845cf77616f7f1467a836c973bf756236cd8d4ad5dc797230c53f22b6ac23ea9001653f91053b4d1e2fc10f87e5e8

memory/484-431-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2504-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2792-458-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ecnpdnho.exe

MD5 2d2915792e5d29f4f3af6f7b536c6e6e
SHA1 0a0fdb3f0a7ed55f0b7a914993c2f020f7c669b2
SHA256 70bad2160d94ab1dd8e90fd479b6b06909b2d21aef2b60c7991d46da211c2f88
SHA512 424a8caf7a088775015bd18e14592228e7791263ddda8d98bb88e07ac2361c73e912af7e58cee522558041c0c44c401f73b125f0b167631bb22aca6a7cd4d2ab

C:\Windows\SysWOW64\Eepmlf32.exe

MD5 8c2794f4e6884f517360d2be5f109102
SHA1 fbc671588595f56e0858049854484831c0c27517
SHA256 61a21c4c939a008f383660d66dd8d74a2e8d1f15a36a2627c82b6ea274a9291c
SHA512 69eb00e8eabb0a363eabb66f72beae0879dd6e9ac38ab98fc4f7f40a7466f1ca49b149b2caef382e29e059fd9a223d2d852985fbf4712910de774e6344783078

memory/976-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1988-511-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Enhaeldn.exe

MD5 7d42aacf52fb04d52c6ff5e3651ba5cc
SHA1 44ecc3f6f98d8c9a777382ce93da701f0763e24b
SHA256 6918dd4ddfe8ab20c27dcf86d0f10b5d3d31de9c4bee0186fe4f6442e65fb486
SHA512 b4a3659319d3ca5030d75e6228104a64ce66968419130446d6ed8a31f03beead2eeecde43964d3dce42322108de541cfa4ce83254d6d8779ee9a01a8c73c8f62

C:\Windows\SysWOW64\Efoifiep.exe

MD5 fadc0779c7ea3469b86c2fb7327ad2e7
SHA1 a45f2022a4b7048ca9eb354eb1e513b2a5c36bf7
SHA256 78fddbe61e4caf9334c349ba414e9aac14f12cfd88fb65ad6ce0190900f5a517
SHA512 d2f4463cc92dd1d2f05a2316b638175b19b6302c7bf4eeee5bf6d0aa490808d7b84d6e37c27d8d566bdfba234bcf678ea93dac6922d60893876658895a628c71

C:\Windows\SysWOW64\Fnjnkkbk.exe

MD5 f0a0602cb9d163a8ec05edb3530f3ee9
SHA1 7006a41e57d92b0416e5d9db654eb94d44545a9e
SHA256 5b8be79483b769dc3a3958180004b98aeb344a0487d8e64a10d63c8fd3c0f94c
SHA512 12a14a446e34fc5cb64f97ea3887e53a1220e0ffa03553997a88195559c60dd6f24b6fc50a207780aa87fa0f9b15925e7161c3a9f9fc2cf6879bfd10ebd198eb

C:\Windows\SysWOW64\Faijggao.exe

MD5 4f68aceff830b8302c75377885763386
SHA1 be7eb13003f7e491e8597d6413c9699c9d7038ad
SHA256 58e685837d20bacf5d0ff3ce692c4a6af963316e6b3b4b4b086df50d68c39aa6
SHA512 b16fbeb4ca13d80c2837b6de0b53c69b8e6ffbe2326fb1d5bcf66c30b43991f428774f10a6589fea95cc556320b9934ac9b693026ab0121db8e0a03a9de63991

C:\Windows\SysWOW64\Flnndp32.exe

MD5 472b3217a9f76a4c5c7646c6db1bc76f
SHA1 ef23c25035ef50a577db3bbf0892799835794aab
SHA256 0ee69916e7aa0b4acb2c35572316495a52e7a7fa667693f5c521261065cd2e6a
SHA512 a31fbf7eda9959cbc4024ee330625003bd152cf458c373a81eeaff58c2d078b6032e8eef341e8b6ab6d0eda38ab769649265f5371083544a86f99b59ef1365ff

C:\Windows\SysWOW64\Fhbbcail.exe

MD5 5686500f1bcaa3ef478f285510d31fc8
SHA1 a5506019c28c1dfd8edaca15f1ce4ff9788bde30
SHA256 f408af59ad3a1b6cc69e345dbb3be904c216a7d70f06dfc8ddc708bd524de4cf
SHA512 38a99758d05391293f79183cd415be2ce23f6766cd5c5445851749c309f00c1835adf7fd8c432567ac57b39733e9746e217c0c84244e35897935eb3a49f40cdd

C:\Windows\SysWOW64\Fipbhd32.exe

MD5 275f992e21841a2511ab9ba8efa457f7
SHA1 d7478f9c3b004d0784a50bba574b9d5d12632ac2
SHA256 a216f927721cac113f2af5d3edaf838a49cd218d077f0697b3a78a75cf403d4e
SHA512 81e79f1ebde8346d41351b92e41ec78be80a1d53901f7913e4092206c1e41c2066d65e6356362c43ae04ee0e7bf460973ebf87e9cc8c9835f6b020284b42fc99

C:\Windows\SysWOW64\Fpgnoo32.exe

MD5 a62aeb2b6ea490869624abeff7517685
SHA1 22ea356355df5e4b844aa7f26429323f40d302d2
SHA256 ebadc57538fe6fc261d397751acba2b837886331baa42a2e37d78139c7c0f53c
SHA512 6025c1683382e167e79531b0552728395d3389372f44cb306ee0eb1520ff599bd440bd340286d7eb969e65bc15a197c5d771609f53847af67770209b2929d4bc

C:\Windows\SysWOW64\Egpena32.exe

MD5 a27db55153281aaeb35d05cb527fafab
SHA1 7d5a8372ed6c2135e962aa218c548ac24ecef630
SHA256 b36e22cf1715496703e939f8f4a825940c5755ec8d910c20ad7b2f10d343d7a0
SHA512 2f572fe01a1074f0dafdd58cc4876edb2d7857ab1940cccb780f5c5b34550082aaaa609c078d7815660f9aa57fce9065b39c130f2e1584c28f600173d8dbe0c0

C:\Windows\SysWOW64\Epeajo32.exe

MD5 86ea0b7fdcc2109bff567387e4c2cbf3
SHA1 804b9e83892f7dc3acc22ee8ce61ee8010b6b304
SHA256 de9e3aa277f705e0b26221509adf56e0f91f0dd15c6b0697b9a903838d405fe8
SHA512 ee3b7968aa412eb06916b2a1180c1d1057bae7c98b1a1473798bd5091b1d9d58b9c4a372257e706f7390ea018318f85287696d2bb3376e24162d8cbda6a5c6af

memory/316-510-0x0000000000300000-0x0000000000333000-memory.dmp

C:\Windows\SysWOW64\Emgdmc32.exe

MD5 c39eabe44780a313835289b6b813bcdd
SHA1 bd2406fa02827c8f6af92d9ad4bc18fba2b54d0f
SHA256 03c36d209e6098b61c683237e47bacf9fe31e76d69cd3dd706a3d24ec3f8bed4
SHA512 ad2f2679e33979653bc59462f6440183861641bae0469e2f1a9fe165b2eafc2f9efad40e174c9d8128079d0e60663d588250838c6ae409370ce09538eecf8fa1

memory/316-500-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2460-499-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1524-490-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ebappk32.exe

MD5 c4e6da4ae022c4f7fb100e74d60e1dcb
SHA1 2d288179c9de5a734bc9ad34556a62adeed069c4
SHA256 c40735ae3ca1cc3fab07260aad6991de06ce4f33511d66dbd0f8f290ee0f85c0
SHA512 c626545b9467a311ae9623fc1dc1d554f4adb81350923114726b46659f5acca3b90722f11fd6e783dc2df54838b829cc4a50fb7b613d08a896581891239138b9

memory/1928-486-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2888-484-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2932-479-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1164-478-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1928-477-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1164-468-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ekghcq32.exe

MD5 f60caed55f17fb97eef28a1a58ebb85d
SHA1 9d4ddc728890a5b98207fe2c0408877cc7d169c5
SHA256 e6378d2eeadcb3498fcd07140108095705e3af877c29d95caf0fa6cc8094375e
SHA512 f463db525d0cacba6e6c19e765935bffb791623c421b3ccbd52817013a8b0af22bc60585431520a21cdb6b47bc178b0457946d9e6aac46be96c66a5a192889b3

memory/844-459-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2112-457-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eiilge32.exe

MD5 3a7e7c5a7d6b57d9a5b09c989eed2791
SHA1 0bf882fc2599e84169f7b2cfa0591e2e618ccd93
SHA256 2d4eb0a398d482202a1b3613adf1e385b5cbe3fa00e3e3d4231c26102f734837
SHA512 6657c459c624bc1bfa6bcbda799cca38fa6adb70a00943c069a3ff8fb57383b883c9f97f5d7d6da6d121fbf33931ad7ea53be89a5168e86199fbb6dbb87113b4

memory/3048-448-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1844-447-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/1844-446-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Ejfllhao.exe

MD5 267a0ce9225893a05498aea9810766f3
SHA1 debce83eb3375d634f14c26a19901ff9250745f2
SHA256 bc7b966715bc88e3479fd49b101b74630c6af09aca48966357e22c8af2f51c6c
SHA512 999e6e448d6a01596a0831ecb79da10b2343b1bfe92fe7b26eab434ae976ef91d2485a3aacf7a42b78b5e14f673698a65e884226dbf07b1d54d2bd6cdc9ace20

memory/1844-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2464-436-0x0000000000400000-0x0000000000433000-memory.dmp

memory/484-424-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Epqgopbi.exe

MD5 5f359bef68dee0f513eab620d3d93845
SHA1 a1241dda046a267086685fde431c087737b18f4c
SHA256 4f3ab6337dae1d22e62cfbc678ca54ae2f33196d3bd276d2f1e6c8a6f2eb53ca
SHA512 30227bc9d5128aa3991d5d4b4827545b84363e736c4cc30e8f75219b3e5c82441560698b1efb5f51a23cb38b4ce453db1f0096fb965465d9259386f66bd434a0

memory/484-415-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1328-414-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/1328-413-0x0000000000280000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Eqngcc32.exe

MD5 d454565dfe093e7311873bd2d5341bda
SHA1 02d19aed68571cc89346dd85412785cb629394d2
SHA256 04ef8cb56bd51ee166e60672fd8674782a1154ef208dba43b5aaab2731b34755
SHA512 fdf9567bd84f98e7bbe0118f13b4389d1becbbb94cb838d7b6b329f877958d87edf30154a7a43a47e443b3e25cb2a8969e9c031ecc40ca4dc4abb22207008d11

C:\Windows\SysWOW64\Ejcofica.exe

MD5 e3622c9078ccd47b566fc2aa86fae1ff
SHA1 2fd20dbdaa2d82653ca332c3b05adae06c7c1ac3
SHA256 5ab88dd0cb6b408466f248b180baaaa2ca62ffc4c4d42918a9319363d5a14db7
SHA512 31ce201d4802c13f3830c39791210f2092362b298b42f5ce264b40a5532e635e14e36dae43d99771a18f11905cb074f0ee2beb7c7a9f55e67cf137a1d8b17568

memory/2552-399-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2880-397-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2916-392-0x0000000000290000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Efhcej32.exe

MD5 a079b52e436832ce939c72b3457cc7ff
SHA1 7f47951391a6be7e06f7e7e4cc6517ee5ce32ace
SHA256 86a3db223e427516406eeaad2bb73c5489d44e197866241a71a4331267da9460
SHA512 8c7fc91d26fe340090e0e9bba8daf3f2d66a0f31ff5388652fba010e73667f225590fa5db6b6cee535cf6b5a56a201bb003d8267dcc59070908074b72c3ef598

memory/2916-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/888-382-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ecjgio32.exe

MD5 8443227b1b08db69b2424c299183c908
SHA1 495b6bd51bf4ce8b0e707edb0b15921ef0cce690
SHA256 37a4cbf5da342bc5fb3773d4792572b2fc770454e56062dc975091429f995c90
SHA512 a6ba6e9e7a402c12546e725e7bc0be63950a69bda72b3917990e16161e7e9e1c12efddbe68a61f7037f23ac111ae8d9f44d8947b887f5f701de58f83c06c103d

memory/2660-378-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/2660-372-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2752-371-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2908-370-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Eqkjmcmq.exe

MD5 d8cc27d6f133683a3da2c497b926f011
SHA1 2fd5866df92cc02a2bf88d90608bba6fd3ecfe7f
SHA256 c5342629d3db92bead701b1b9c01af2161e680935451ad8adb17d74642322e90
SHA512 4dc9871ce6309912cf90e7d23986ae6ec1cffa2d9f3c7bb2b4f862df1a3c1c00018e58eebf24c1c0688e82b8beeb5058e959888d6a5264e7dc5e6cb40760d35a

memory/2908-365-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/1776-357-0x0000000000270000-0x00000000002A3000-memory.dmp

memory/2908-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1776-358-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Enmnahnm.exe

MD5 35a54973f36889ac43da6a608016c1db
SHA1 38bec0ad50ad60c84361e007c37d60db7713af48
SHA256 9d036747b1e66dd294ed5f67ab13a58aadace8ff8a3ff1c341e8437ff89359ce
SHA512 63caae56f3a6c159b569aa8266cf4ef2ba49fa2d14765577f457e5de0585e36fb0a1d42a7cd44291b83c7a8ce17d7e99cca4cc0bd8d87054d279af42d9231acf

memory/1776-348-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2712-347-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ecgjdong.exe

MD5 53e894c0feff621013aa017484c049ca
SHA1 2a1924ae7d1e09801ee09be39e7264ec04a434fc
SHA256 cc3657a05eba163b7f1be5401bb1a551a1ff7ad0b91ddcc61c39d1f411f08d73
SHA512 8c44eda50f0373e0f0a188b1013404864ae4fc4b2751e3a88dc5bbcc9867382721d4ae23f31811c0a93ce5b2ae8c4e726ef8f4ecf622072bf3372d94b87942cc

memory/2784-332-0x0000000000300000-0x0000000000333000-memory.dmp

C:\Windows\SysWOW64\Dklepmal.exe

MD5 6748bc9479b9210b47bd587af61a4c02
SHA1 951d9a4a27685db9c880efea4372ac57b3a974b7
SHA256 71770abe2dede62e29091fd77f91ea1597c93de07d7ba8b408028fe20c9c3952
SHA512 a9ed104689f5a96dc0b89812fdb14b2e3a6945cd214026a561188f26b60a423463b146142e60ef4286e807c811ac21ebeb33b6f8dce59d2edcb57b39d7753472

memory/2360-315-0x0000000000400000-0x0000000000433000-memory.dmp

memory/768-314-0x0000000000260000-0x0000000000293000-memory.dmp

memory/768-313-0x0000000000260000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Dcemnopj.exe

MD5 61861c4fa5946467cc4fc6592746dc62
SHA1 29c4556109415fd92b27fca8c3784c6cf1d40be6
SHA256 f8ed0e4a9aa846e3eee6c100400bec69232abaab34d8265ba93c545339de5a0c
SHA512 4b127ed1a1b453b0e763920dbe0e605b8c36ac3ee49322f438ed71448acfb3ca631e74e03680b46d9831fb6f35a6f0dc74c00fc9d1f03158e42694e5fb8f5ef3

memory/2412-303-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/768-304-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dqfabdaf.exe

MD5 17d234898f9d0ae85ac1998dab2f0336
SHA1 97276011a7ac224d531e4543f5a950bf3330fab5
SHA256 e4babc4799f850a07e49167922c55f79eaa13e589ba15058ef6e86bf8f4bb6c3
SHA512 1e3b68a19b7ba4a506ab70b1965d67ccc5ae151d586eebd5bac59acb0849aa60265790d0a647621314da5ed7835532f7bcf4529ac3b385ee833de7e0b5ab083e

memory/2412-299-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/1952-292-0x00000000002E0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Dbdagg32.exe

MD5 f9264f4b0584deb8a7cc8e0bc343a8d6
SHA1 af3cd192330aed145266c1fa2d6a4e5d39816c1e
SHA256 b472f83023129589c08853632cec72189366a05d37298e6c47191c138ceb78d3
SHA512 6490cbb6d52c2e36a5d60bb7e35525638ffb242148ded1c995aedcc983243fad44662707c7971c0cd47159b1f42007f0dd6dd5aaccb49f8dfc38784d9f09c92f

memory/2516-283-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2516-281-0x0000000000250000-0x0000000000283000-memory.dmp

memory/644-272-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2516-271-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dkjhjm32.exe

MD5 ff3b5459e4f4ffd184f068a0d4baa76b
SHA1 7b0ba861984f3b74a7b9767671b839f1e60014d1
SHA256 332d01c3d214211485f773d6f25fff6f35b1f1cf8402736e0c7304ec37aaacc0
SHA512 294a55ef6db0ff55aba696a11f7ac7d9ed25a324ad78dd5d37863d92f0b2b85ce3f85a62b61b46fe86e4950b28feaab7a1307a58d4e2d5482026b115ad90a21a

memory/1352-257-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Dhklna32.exe

MD5 d3ba7200de504a1750ba4f6c71457417
SHA1 73d26c83ad84fdde9f823948bd587be04c77d08b
SHA256 9331beb5dd4e548ef590548ec42e566f90c7f0ed05b65c067c213ef56a9f02d8
SHA512 58be6034ba52ecdc0077bacf1077a08b8a8088c6af06a398c83cf9a4788361ce983da144c4901d7ed83c9cc83d4659ee71a2f72473186921dff0637f0e44f5d7

memory/2220-250-0x0000000001F30000-0x0000000001F63000-memory.dmp

memory/2220-249-0x0000000001F30000-0x0000000001F63000-memory.dmp

C:\Windows\SysWOW64\Ddppmclb.exe

MD5 0c7d15cd5b691a73ff54d1a3cb0b1537
SHA1 85a4769be5e7687334788772425764fe719d7c48
SHA256 6fb2c89363bcb8dd34b7e9fac0669cc42704d8106d89631cc25690975e81dfc9
SHA512 7710b232cc2f64ef2c113caa8cb97766de83d41d98c7faa5c39bcece8f1ad6eafa9504c8deeb3e757becb36c909bebabff53a36138d1be58cd9cedc10cb592a6

memory/856-231-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dnfhqi32.exe

MD5 ea8cbe51d87868e88ea66477f9b6c974
SHA1 3a88ab44b2009e145632a42c5767680edee95304
SHA256 62e09cb270926597356d6e298234a8d18942ecf680222a6ba80765d008d9df14
SHA512 8827752555459b575f51b358bc1165c4cd9630ebb9482f6676d6ce9e3fa0dcb9e727eae95f9541b298158cb529ae4c16b3d39a8f4b0c6d1152d08cd141d4ec58

memory/1484-227-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/1080-211-0x0000000000400000-0x0000000000433000-memory.dmp

memory/976-179-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2460-170-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2888-145-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2932-144-0x0000000001F40000-0x0000000001F73000-memory.dmp

C:\Windows\SysWOW64\Ddkgbc32.exe

MD5 e328e325181991b55d0459eee57ba699
SHA1 b221003f86cf6ffe81763f49367560f8b2507c8e
SHA256 4480ea5790cacbf4b6942fb0360c542d39c3bc7e315d624de2120cc1f7cbd1df
SHA512 b94ea5a5442f80900f2e3c73c2343bcbccdd0e7e09b2709c9dc78607920edecbef88e66d794cdd2b0ba6dd5f7a976b202b23fcbea67c90791d49a147d7977785

memory/2112-126-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2792-118-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2464-100-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1144-91-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2552-65-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1776-666-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2660-668-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2908-667-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 15:40

Reported

2024-09-16 15:42

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gggfme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkadoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbbblhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdgehobe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ciknefmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Edlann32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kclnfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhoind32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnmjomlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hphfac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adpogp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlobmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jldkeeig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdbiphhi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgehml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdnkhn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odljjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mhoind32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pehjfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhffijdm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dngobghg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcihjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jejbhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbbgicnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ehpmbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjfjee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilmedf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijhhenhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maeaajpl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adnbapjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dijppjfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Namegfql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jglaepim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhleefhe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjcqffkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inidkb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klddlckd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gcpcgfmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eblgon32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apimodmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmpcdfll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laeoec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glchjedc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kppbejka.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlobmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldbefe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhkpdi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npognfpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onakco32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmbopm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Deidjf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfdklllb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eimlgnij.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahgamo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbknhqbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Namegfql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nofoki32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iccpniqp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjiloqjb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkhceh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fcaqka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqilaplo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eennefib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hdicggla.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Iccpniqp.exe N/A
N/A N/A C:\Windows\SysWOW64\Inidkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagqgn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilmedf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibgmaqfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Idhiii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iloajfml.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaljbmkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdjfohjg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnpjlajn.exe N/A
N/A N/A C:\Windows\SysWOW64\Jejbhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jldkeeig.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaqcnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlfhke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnedgq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdalog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaemilci.exe N/A
N/A N/A C:\Windows\SysWOW64\Koimbpbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Khabke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khdoqefq.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdkoef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkegbpca.exe N/A
N/A N/A C:\Windows\SysWOW64\Kejloi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klddlckd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaaldjil.exe N/A
N/A N/A C:\Windows\SysWOW64\Kemhei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khkdad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loemnnhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldbefe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llimgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcedmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddble32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ledoegkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbhool32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lefkkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlbpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Moalil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhiabbdi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mociol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhknhabf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdbnmbhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mccokj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhpgca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhbciqln.exe N/A
N/A N/A C:\Windows\SysWOW64\Nomlek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdbekh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqloo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Namegfql.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgmcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Noaeqjpe.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfknmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nocbfjmc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfnjbdep.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlfoodc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nofoki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfpghccm.exe N/A
N/A N/A C:\Windows\SysWOW64\Okmpqjad.exe N/A
N/A N/A C:\Windows\SysWOW64\Obfhmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ollljmhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohcmpn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjmdocp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofijnbkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Odljjo32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Pehjfm32.exe C:\Windows\SysWOW64\Pfeijqqe.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcnkli32.exe C:\Windows\SysWOW64\Lapopm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmfodn32.exe C:\Windows\SysWOW64\Ljhchc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaofedkl.exe C:\Windows\SysWOW64\Akenij32.exe N/A
File created C:\Windows\SysWOW64\Eilbckfb.dll C:\Windows\SysWOW64\Khkdad32.exe N/A
File created C:\Windows\SysWOW64\Ijiflg32.dll C:\Windows\SysWOW64\Ainnhdbp.exe N/A
File created C:\Windows\SysWOW64\Cempebgi.dll C:\Windows\SysWOW64\Lmfodn32.exe N/A
File created C:\Windows\SysWOW64\Adpogp32.exe C:\Windows\SysWOW64\Ababkdij.exe N/A
File created C:\Windows\SysWOW64\Icchoopc.dll C:\Windows\SysWOW64\Jnapgjdo.exe N/A
File created C:\Windows\SysWOW64\Onempd32.dll C:\Windows\SysWOW64\Ljkghi32.exe N/A
File created C:\Windows\SysWOW64\Milgmknm.dll C:\Windows\SysWOW64\Jmopmalc.exe N/A
File created C:\Windows\SysWOW64\Jckeokan.exe C:\Windows\SysWOW64\Jopiom32.exe N/A
File created C:\Windows\SysWOW64\Kgqdfi32.exe C:\Windows\SysWOW64\Kjlcmdbb.exe N/A
File created C:\Windows\SysWOW64\Pmoagk32.exe C:\Windows\SysWOW64\Pehjfm32.exe N/A
File created C:\Windows\SysWOW64\Jnolbm32.dll C:\Windows\SysWOW64\Bfghlhmd.exe N/A
File created C:\Windows\SysWOW64\Bmimdg32.exe C:\Windows\SysWOW64\Bcpika32.exe N/A
File created C:\Windows\SysWOW64\Hjbhph32.exe C:\Windows\SysWOW64\Hgdlcm32.exe N/A
File created C:\Windows\SysWOW64\Ghldkkkk.dll C:\Windows\SysWOW64\Iobmmoed.exe N/A
File created C:\Windows\SysWOW64\Femdjbab.dll C:\Windows\SysWOW64\Igieoleg.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhknhabf.exe C:\Windows\SysWOW64\Mociol32.exe N/A
File created C:\Windows\SysWOW64\Odjmdocp.exe C:\Windows\SysWOW64\Ohcmpn32.exe N/A
File created C:\Windows\SysWOW64\Bohbck32.dll C:\Windows\SysWOW64\Kmbmdeoj.exe N/A
File created C:\Windows\SysWOW64\Klmbobfa.dll C:\Windows\SysWOW64\Npjnbg32.exe N/A
File created C:\Windows\SysWOW64\Fhjaco32.dll C:\Windows\SysWOW64\Ledoegkm.exe N/A
File created C:\Windows\SysWOW64\Dfcojl32.dll C:\Windows\SysWOW64\Jclljaei.exe N/A
File created C:\Windows\SysWOW64\Fpffjn32.dll C:\Windows\SysWOW64\Ndomiddc.exe N/A
File created C:\Windows\SysWOW64\Cakofc32.dll C:\Windows\SysWOW64\Pnjgog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iloajfml.exe C:\Windows\SysWOW64\Idhiii32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gplged32.exe C:\Windows\SysWOW64\Glqkefff.exe N/A
File created C:\Windows\SysWOW64\Iojghflb.dll C:\Windows\SysWOW64\Cepadh32.exe N/A
File created C:\Windows\SysWOW64\Glchjedc.exe C:\Windows\SysWOW64\Geipnl32.exe N/A
File created C:\Windows\SysWOW64\Jldkeeig.exe C:\Windows\SysWOW64\Jejbhk32.exe N/A
File created C:\Windows\SysWOW64\Plmiie32.dll C:\Windows\SysWOW64\Apimodmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfjeckpj.exe C:\Windows\SysWOW64\Cboibm32.exe N/A
File created C:\Windows\SysWOW64\Aagfblqi.dll C:\Windows\SysWOW64\Ogdofo32.exe N/A
File created C:\Windows\SysWOW64\Ladhkmno.exe C:\Windows\SysWOW64\Ljjpnb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odcfdc32.exe C:\Windows\SysWOW64\Ophjdehd.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfpghccm.exe C:\Windows\SysWOW64\Nofoki32.exe N/A
File created C:\Windows\SysWOW64\Hfbbdj32.exe C:\Windows\SysWOW64\Hohjgpmo.exe N/A
File created C:\Windows\SysWOW64\Odifjipd.exe C:\Windows\SysWOW64\Oakjnnap.exe N/A
File created C:\Windows\SysWOW64\Cihckfoa.dll C:\Windows\SysWOW64\Okpkgm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgpobmca.exe C:\Windows\SysWOW64\Ppffec32.exe N/A
File opened for modification C:\Windows\SysWOW64\Agnkck32.exe C:\Windows\SysWOW64\Adpogp32.exe N/A
File created C:\Windows\SysWOW64\Hceook32.dll C:\Windows\SysWOW64\Dgomaf32.exe N/A
File created C:\Windows\SysWOW64\Cmdmpe32.exe C:\Windows\SysWOW64\Cfjeckpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Gloejmld.exe C:\Windows\SysWOW64\Gnlenp32.exe N/A
File created C:\Windows\SysWOW64\Ffpcbchm.exe C:\Windows\SysWOW64\Fdogjk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fifomlap.exe C:\Windows\SysWOW64\Foakpc32.exe N/A
File created C:\Windows\SysWOW64\Fhkkfnao.dll C:\Windows\SysWOW64\Jaljbmkd.exe N/A
File created C:\Windows\SysWOW64\Apkjddke.exe C:\Windows\SysWOW64\Apimodmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhcbidcd.exe C:\Windows\SysWOW64\Ndhgie32.exe N/A
File created C:\Windows\SysWOW64\Hgbhfhcl.dll C:\Windows\SysWOW64\Hjlaoioh.exe N/A
File created C:\Windows\SysWOW64\Maeaajpl.exe C:\Windows\SysWOW64\Mhmmieil.exe N/A
File created C:\Windows\SysWOW64\Ohdlpa32.exe C:\Windows\SysWOW64\Opmcod32.exe N/A
File created C:\Windows\SysWOW64\Ajodef32.exe C:\Windows\SysWOW64\Ahngmnnd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmagch32.exe C:\Windows\SysWOW64\Bejobk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hjbhph32.exe C:\Windows\SysWOW64\Hgdlcm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhffijdm.exe C:\Windows\SysWOW64\Nnabladg.exe N/A
File created C:\Windows\SysWOW64\Hnphkj32.dll C:\Windows\SysWOW64\Ehkcgkdj.exe N/A
File opened for modification C:\Windows\SysWOW64\Phbolflm.exe C:\Windows\SysWOW64\Pfdbpjmi.exe N/A
File created C:\Windows\SysWOW64\Pjlnhi32.exe C:\Windows\SysWOW64\Paaidf32.exe N/A
File created C:\Windows\SysWOW64\Ahafcp32.dll C:\Windows\SysWOW64\Adnbapjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckafkfkp.exe C:\Windows\SysWOW64\Cegnol32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jaljbmkd.exe C:\Windows\SysWOW64\Iloajfml.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Eldlhckj.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fljlom32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfpkhjae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhicoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qfilkj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jihngboe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahgamo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abdoqd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pklamb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cldjkl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eojeodga.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldbefe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgkjch32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anmmkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onhhmpoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akmjdpac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jmdjha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paaidf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaofedkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjfjee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmagch32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Laeoec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmlhaa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Imjgbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhgmcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgoigcip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fefjanml.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqpbboeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnedgq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aidomjaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgdgijhp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmnpfd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbdmdlie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Andqol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppffec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnjgog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hfhbipdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnknim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdeffgff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmbopm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egbdjhlp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odbpij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iobmmoed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndhgie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glabolja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjiloqjb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbkeacqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nomlek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qfjcep32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bihancje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjlaoioh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npadcfnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bpbpecen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgqdfi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bldgoeog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlcmgqdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjhalkjc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phbolflm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmlafk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Capkim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmimdg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odljjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gphddlfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdppaidl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fhnichde.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qfilkj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijiflg32.dll" C:\Windows\SysWOW64\Ainnhdbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqeln32.dll" C:\Windows\SysWOW64\Glchjedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amnioced.dll" C:\Windows\SysWOW64\Mhoind32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidjgo32.dll" C:\Windows\SysWOW64\Npognfpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjfmminc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ggafgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iobmmoed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljkghi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiljbjbl.dll" C:\Windows\SysWOW64\Hfbbdj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmhgp32.dll" C:\Windows\SysWOW64\Fgkfqgce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afnefieo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfall32.dll" C:\Windows\SysWOW64\Jopiom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lglcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qfjcep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaaneok.dll" C:\Windows\SysWOW64\Ifcben32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anmmkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll" C:\Windows\SysWOW64\Jejbhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofijnbkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmpfjpko.dll" C:\Windows\SysWOW64\Pojjcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiiibnn.dll" C:\Windows\SysWOW64\Cekhihig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iqpclh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knojng32.dll" C:\Windows\SysWOW64\Poidhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cleqfb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll" C:\Windows\SysWOW64\Qppkhfec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmppneal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgkjch32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdeffgff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kakednfj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfcmhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhfap32.dll" C:\Windows\SysWOW64\Apkjddke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apkjddke.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jopiom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljjpnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll" C:\Windows\SysWOW64\Ollljmhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jikjlg32.dll" C:\Windows\SysWOW64\Ailabddb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ggdbmoho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgglf32.dll" C:\Windows\SysWOW64\Inidkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfbbdj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgoj32.dll" C:\Windows\SysWOW64\Aofjoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ehnpmkbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgbhfhcl.dll" C:\Windows\SysWOW64\Hjlaoioh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jihngboe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kfanflne.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qhekaejj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jglkkiea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpbaelj.dll" C:\Windows\SysWOW64\Jjknakhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbjogmlf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Onhhmpoo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgcbbc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fofdkcmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nocbfjmc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Foakpc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jaqcnl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeodp32.dll" C:\Windows\SysWOW64\Qhddgofo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lipmoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cboibm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflajb32.dll" C:\Windows\SysWOW64\Gcgqag32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hphfac32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjlnhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbbgicnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Meadlo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enccibdi.dll" C:\Windows\SysWOW64\Phpbffnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpoahbe.dll" C:\Windows\SysWOW64\Ddekmo32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Iccpniqp.exe
PID 212 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Iccpniqp.exe
PID 212 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Iccpniqp.exe
PID 228 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Iccpniqp.exe C:\Windows\SysWOW64\Inidkb32.exe
PID 228 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Iccpniqp.exe C:\Windows\SysWOW64\Inidkb32.exe
PID 228 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Iccpniqp.exe C:\Windows\SysWOW64\Inidkb32.exe
PID 4084 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Inidkb32.exe C:\Windows\SysWOW64\Iagqgn32.exe
PID 4084 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Inidkb32.exe C:\Windows\SysWOW64\Iagqgn32.exe
PID 4084 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Inidkb32.exe C:\Windows\SysWOW64\Iagqgn32.exe
PID 2728 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Iagqgn32.exe C:\Windows\SysWOW64\Ilmedf32.exe
PID 2728 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Iagqgn32.exe C:\Windows\SysWOW64\Ilmedf32.exe
PID 2728 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Iagqgn32.exe C:\Windows\SysWOW64\Ilmedf32.exe
PID 3436 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Ilmedf32.exe C:\Windows\SysWOW64\Ibgmaqfl.exe
PID 3436 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Ilmedf32.exe C:\Windows\SysWOW64\Ibgmaqfl.exe
PID 3436 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Ilmedf32.exe C:\Windows\SysWOW64\Ibgmaqfl.exe
PID 4216 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Ibgmaqfl.exe C:\Windows\SysWOW64\Idhiii32.exe
PID 4216 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Ibgmaqfl.exe C:\Windows\SysWOW64\Idhiii32.exe
PID 4216 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Ibgmaqfl.exe C:\Windows\SysWOW64\Idhiii32.exe
PID 4592 wrote to memory of 3896 N/A C:\Windows\SysWOW64\Idhiii32.exe C:\Windows\SysWOW64\Iloajfml.exe
PID 4592 wrote to memory of 3896 N/A C:\Windows\SysWOW64\Idhiii32.exe C:\Windows\SysWOW64\Iloajfml.exe
PID 4592 wrote to memory of 3896 N/A C:\Windows\SysWOW64\Idhiii32.exe C:\Windows\SysWOW64\Iloajfml.exe
PID 3896 wrote to memory of 4352 N/A C:\Windows\SysWOW64\Iloajfml.exe C:\Windows\SysWOW64\Jaljbmkd.exe
PID 3896 wrote to memory of 4352 N/A C:\Windows\SysWOW64\Iloajfml.exe C:\Windows\SysWOW64\Jaljbmkd.exe
PID 3896 wrote to memory of 4352 N/A C:\Windows\SysWOW64\Iloajfml.exe C:\Windows\SysWOW64\Jaljbmkd.exe
PID 4352 wrote to memory of 1336 N/A C:\Windows\SysWOW64\Jaljbmkd.exe C:\Windows\SysWOW64\Jdjfohjg.exe
PID 4352 wrote to memory of 1336 N/A C:\Windows\SysWOW64\Jaljbmkd.exe C:\Windows\SysWOW64\Jdjfohjg.exe
PID 4352 wrote to memory of 1336 N/A C:\Windows\SysWOW64\Jaljbmkd.exe C:\Windows\SysWOW64\Jdjfohjg.exe
PID 1336 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Jdjfohjg.exe C:\Windows\SysWOW64\Jnpjlajn.exe
PID 1336 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Jdjfohjg.exe C:\Windows\SysWOW64\Jnpjlajn.exe
PID 1336 wrote to memory of 4544 N/A C:\Windows\SysWOW64\Jdjfohjg.exe C:\Windows\SysWOW64\Jnpjlajn.exe
PID 4544 wrote to memory of 4180 N/A C:\Windows\SysWOW64\Jnpjlajn.exe C:\Windows\SysWOW64\Jejbhk32.exe
PID 4544 wrote to memory of 4180 N/A C:\Windows\SysWOW64\Jnpjlajn.exe C:\Windows\SysWOW64\Jejbhk32.exe
PID 4544 wrote to memory of 4180 N/A C:\Windows\SysWOW64\Jnpjlajn.exe C:\Windows\SysWOW64\Jejbhk32.exe
PID 4180 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Jejbhk32.exe C:\Windows\SysWOW64\Jldkeeig.exe
PID 4180 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Jejbhk32.exe C:\Windows\SysWOW64\Jldkeeig.exe
PID 4180 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Jejbhk32.exe C:\Windows\SysWOW64\Jldkeeig.exe
PID 4504 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Jldkeeig.exe C:\Windows\SysWOW64\Jaqcnl32.exe
PID 4504 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Jldkeeig.exe C:\Windows\SysWOW64\Jaqcnl32.exe
PID 4504 wrote to memory of 4900 N/A C:\Windows\SysWOW64\Jldkeeig.exe C:\Windows\SysWOW64\Jaqcnl32.exe
PID 4900 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Jaqcnl32.exe C:\Windows\SysWOW64\Jlfhke32.exe
PID 4900 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Jaqcnl32.exe C:\Windows\SysWOW64\Jlfhke32.exe
PID 4900 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Jaqcnl32.exe C:\Windows\SysWOW64\Jlfhke32.exe
PID 1964 wrote to memory of 5072 N/A C:\Windows\SysWOW64\Jlfhke32.exe C:\Windows\SysWOW64\Jnedgq32.exe
PID 1964 wrote to memory of 5072 N/A C:\Windows\SysWOW64\Jlfhke32.exe C:\Windows\SysWOW64\Jnedgq32.exe
PID 1964 wrote to memory of 5072 N/A C:\Windows\SysWOW64\Jlfhke32.exe C:\Windows\SysWOW64\Jnedgq32.exe
PID 5072 wrote to memory of 4300 N/A C:\Windows\SysWOW64\Jnedgq32.exe C:\Windows\SysWOW64\Jdalog32.exe
PID 5072 wrote to memory of 4300 N/A C:\Windows\SysWOW64\Jnedgq32.exe C:\Windows\SysWOW64\Jdalog32.exe
PID 5072 wrote to memory of 4300 N/A C:\Windows\SysWOW64\Jnedgq32.exe C:\Windows\SysWOW64\Jdalog32.exe
PID 4300 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Jdalog32.exe C:\Windows\SysWOW64\Jaemilci.exe
PID 4300 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Jdalog32.exe C:\Windows\SysWOW64\Jaemilci.exe
PID 4300 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Jdalog32.exe C:\Windows\SysWOW64\Jaemilci.exe
PID 1608 wrote to memory of 5068 N/A C:\Windows\SysWOW64\Jaemilci.exe C:\Windows\SysWOW64\Koimbpbc.exe
PID 1608 wrote to memory of 5068 N/A C:\Windows\SysWOW64\Jaemilci.exe C:\Windows\SysWOW64\Koimbpbc.exe
PID 1608 wrote to memory of 5068 N/A C:\Windows\SysWOW64\Jaemilci.exe C:\Windows\SysWOW64\Koimbpbc.exe
PID 5068 wrote to memory of 3828 N/A C:\Windows\SysWOW64\Koimbpbc.exe C:\Windows\SysWOW64\Khabke32.exe
PID 5068 wrote to memory of 3828 N/A C:\Windows\SysWOW64\Koimbpbc.exe C:\Windows\SysWOW64\Khabke32.exe
PID 5068 wrote to memory of 3828 N/A C:\Windows\SysWOW64\Koimbpbc.exe C:\Windows\SysWOW64\Khabke32.exe
PID 3828 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Khabke32.exe C:\Windows\SysWOW64\Khdoqefq.exe
PID 3828 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Khabke32.exe C:\Windows\SysWOW64\Khdoqefq.exe
PID 3828 wrote to memory of 2056 N/A C:\Windows\SysWOW64\Khabke32.exe C:\Windows\SysWOW64\Khdoqefq.exe
PID 2056 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Khdoqefq.exe C:\Windows\SysWOW64\Kdkoef32.exe
PID 2056 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Khdoqefq.exe C:\Windows\SysWOW64\Kdkoef32.exe
PID 2056 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Khdoqefq.exe C:\Windows\SysWOW64\Kdkoef32.exe
PID 5092 wrote to memory of 3852 N/A C:\Windows\SysWOW64\Kdkoef32.exe C:\Windows\SysWOW64\Kkegbpca.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Iccpniqp.exe

C:\Windows\system32\Iccpniqp.exe

C:\Windows\SysWOW64\Inidkb32.exe

C:\Windows\system32\Inidkb32.exe

C:\Windows\SysWOW64\Iagqgn32.exe

C:\Windows\system32\Iagqgn32.exe

C:\Windows\SysWOW64\Ilmedf32.exe

C:\Windows\system32\Ilmedf32.exe

C:\Windows\SysWOW64\Ibgmaqfl.exe

C:\Windows\system32\Ibgmaqfl.exe

C:\Windows\SysWOW64\Idhiii32.exe

C:\Windows\system32\Idhiii32.exe

C:\Windows\SysWOW64\Iloajfml.exe

C:\Windows\system32\Iloajfml.exe

C:\Windows\SysWOW64\Jaljbmkd.exe

C:\Windows\system32\Jaljbmkd.exe

C:\Windows\SysWOW64\Jdjfohjg.exe

C:\Windows\system32\Jdjfohjg.exe

C:\Windows\SysWOW64\Jnpjlajn.exe

C:\Windows\system32\Jnpjlajn.exe

C:\Windows\SysWOW64\Jejbhk32.exe

C:\Windows\system32\Jejbhk32.exe

C:\Windows\SysWOW64\Jldkeeig.exe

C:\Windows\system32\Jldkeeig.exe

C:\Windows\SysWOW64\Jaqcnl32.exe

C:\Windows\system32\Jaqcnl32.exe

C:\Windows\SysWOW64\Jlfhke32.exe

C:\Windows\system32\Jlfhke32.exe

C:\Windows\SysWOW64\Jnedgq32.exe

C:\Windows\system32\Jnedgq32.exe

C:\Windows\SysWOW64\Jdalog32.exe

C:\Windows\system32\Jdalog32.exe

C:\Windows\SysWOW64\Jaemilci.exe

C:\Windows\system32\Jaemilci.exe

C:\Windows\SysWOW64\Koimbpbc.exe

C:\Windows\system32\Koimbpbc.exe

C:\Windows\SysWOW64\Khabke32.exe

C:\Windows\system32\Khabke32.exe

C:\Windows\SysWOW64\Khdoqefq.exe

C:\Windows\system32\Khdoqefq.exe

C:\Windows\SysWOW64\Kdkoef32.exe

C:\Windows\system32\Kdkoef32.exe

C:\Windows\SysWOW64\Kkegbpca.exe

C:\Windows\system32\Kkegbpca.exe

C:\Windows\SysWOW64\Kejloi32.exe

C:\Windows\system32\Kejloi32.exe

C:\Windows\SysWOW64\Klddlckd.exe

C:\Windows\system32\Klddlckd.exe

C:\Windows\SysWOW64\Kaaldjil.exe

C:\Windows\system32\Kaaldjil.exe

C:\Windows\SysWOW64\Kemhei32.exe

C:\Windows\system32\Kemhei32.exe

C:\Windows\SysWOW64\Khkdad32.exe

C:\Windows\system32\Khkdad32.exe

C:\Windows\SysWOW64\Loemnnhe.exe

C:\Windows\system32\Loemnnhe.exe

C:\Windows\SysWOW64\Ldbefe32.exe

C:\Windows\system32\Ldbefe32.exe

C:\Windows\SysWOW64\Llimgb32.exe

C:\Windows\system32\Llimgb32.exe

C:\Windows\SysWOW64\Lbcedmnl.exe

C:\Windows\system32\Lbcedmnl.exe

C:\Windows\SysWOW64\Lddble32.exe

C:\Windows\system32\Lddble32.exe

C:\Windows\SysWOW64\Ledoegkm.exe

C:\Windows\system32\Ledoegkm.exe

C:\Windows\SysWOW64\Lbhool32.exe

C:\Windows\system32\Lbhool32.exe

C:\Windows\SysWOW64\Lefkkg32.exe

C:\Windows\system32\Lefkkg32.exe

C:\Windows\SysWOW64\Mlbpma32.exe

C:\Windows\system32\Mlbpma32.exe

C:\Windows\SysWOW64\Moalil32.exe

C:\Windows\system32\Moalil32.exe

C:\Windows\SysWOW64\Mhiabbdi.exe

C:\Windows\system32\Mhiabbdi.exe

C:\Windows\SysWOW64\Mociol32.exe

C:\Windows\system32\Mociol32.exe

C:\Windows\SysWOW64\Mhknhabf.exe

C:\Windows\system32\Mhknhabf.exe

C:\Windows\SysWOW64\Mdbnmbhj.exe

C:\Windows\system32\Mdbnmbhj.exe

C:\Windows\SysWOW64\Mccokj32.exe

C:\Windows\system32\Mccokj32.exe

C:\Windows\SysWOW64\Mhpgca32.exe

C:\Windows\system32\Mhpgca32.exe

C:\Windows\SysWOW64\Nhbciqln.exe

C:\Windows\system32\Nhbciqln.exe

C:\Windows\SysWOW64\Nomlek32.exe

C:\Windows\system32\Nomlek32.exe

C:\Windows\SysWOW64\Nefdbekh.exe

C:\Windows\system32\Nefdbekh.exe

C:\Windows\SysWOW64\Nlqloo32.exe

C:\Windows\system32\Nlqloo32.exe

C:\Windows\SysWOW64\Namegfql.exe

C:\Windows\system32\Namegfql.exe

C:\Windows\SysWOW64\Nhgmcp32.exe

C:\Windows\system32\Nhgmcp32.exe

C:\Windows\SysWOW64\Noaeqjpe.exe

C:\Windows\system32\Noaeqjpe.exe

C:\Windows\SysWOW64\Nfknmd32.exe

C:\Windows\system32\Nfknmd32.exe

C:\Windows\SysWOW64\Nhjjip32.exe

C:\Windows\system32\Nhjjip32.exe

C:\Windows\SysWOW64\Nocbfjmc.exe

C:\Windows\system32\Nocbfjmc.exe

C:\Windows\SysWOW64\Nfnjbdep.exe

C:\Windows\system32\Nfnjbdep.exe

C:\Windows\SysWOW64\Nhlfoodc.exe

C:\Windows\system32\Nhlfoodc.exe

C:\Windows\SysWOW64\Nofoki32.exe

C:\Windows\system32\Nofoki32.exe

C:\Windows\SysWOW64\Nfpghccm.exe

C:\Windows\system32\Nfpghccm.exe

C:\Windows\SysWOW64\Okmpqjad.exe

C:\Windows\system32\Okmpqjad.exe

C:\Windows\SysWOW64\Obfhmd32.exe

C:\Windows\system32\Obfhmd32.exe

C:\Windows\SysWOW64\Ollljmhg.exe

C:\Windows\system32\Ollljmhg.exe

C:\Windows\SysWOW64\Ohcmpn32.exe

C:\Windows\system32\Ohcmpn32.exe

C:\Windows\SysWOW64\Odjmdocp.exe

C:\Windows\system32\Odjmdocp.exe

C:\Windows\SysWOW64\Ofijnbkb.exe

C:\Windows\system32\Ofijnbkb.exe

C:\Windows\SysWOW64\Odljjo32.exe

C:\Windows\system32\Odljjo32.exe

C:\Windows\SysWOW64\Okfbgiij.exe

C:\Windows\system32\Okfbgiij.exe

C:\Windows\SysWOW64\Oflfdbip.exe

C:\Windows\system32\Oflfdbip.exe

C:\Windows\SysWOW64\Podkmgop.exe

C:\Windows\system32\Podkmgop.exe

C:\Windows\SysWOW64\Pbbgicnd.exe

C:\Windows\system32\Pbbgicnd.exe

C:\Windows\SysWOW64\Pilpfm32.exe

C:\Windows\system32\Pilpfm32.exe

C:\Windows\SysWOW64\Pofhbgmn.exe

C:\Windows\system32\Pofhbgmn.exe

C:\Windows\SysWOW64\Pmjhlklg.exe

C:\Windows\system32\Pmjhlklg.exe

C:\Windows\SysWOW64\Poidhg32.exe

C:\Windows\system32\Poidhg32.exe

C:\Windows\SysWOW64\Piaiqlak.exe

C:\Windows\system32\Piaiqlak.exe

C:\Windows\SysWOW64\Pcfmneaa.exe

C:\Windows\system32\Pcfmneaa.exe

C:\Windows\SysWOW64\Pfeijqqe.exe

C:\Windows\system32\Pfeijqqe.exe

C:\Windows\SysWOW64\Pehjfm32.exe

C:\Windows\system32\Pehjfm32.exe

C:\Windows\SysWOW64\Pmoagk32.exe

C:\Windows\system32\Pmoagk32.exe

C:\Windows\SysWOW64\Pomncfge.exe

C:\Windows\system32\Pomncfge.exe

C:\Windows\SysWOW64\Qfgfpp32.exe

C:\Windows\system32\Qfgfpp32.exe

C:\Windows\SysWOW64\Qppkhfec.exe

C:\Windows\system32\Qppkhfec.exe

C:\Windows\SysWOW64\Qfjcep32.exe

C:\Windows\system32\Qfjcep32.exe

C:\Windows\SysWOW64\Qihoak32.exe

C:\Windows\system32\Qihoak32.exe

C:\Windows\SysWOW64\Aijlgkjq.exe

C:\Windows\system32\Aijlgkjq.exe

C:\Windows\SysWOW64\Akihcfid.exe

C:\Windows\system32\Akihcfid.exe

C:\Windows\SysWOW64\Afnlpohj.exe

C:\Windows\system32\Afnlpohj.exe

C:\Windows\SysWOW64\Alkeifga.exe

C:\Windows\system32\Alkeifga.exe

C:\Windows\SysWOW64\Aioebj32.exe

C:\Windows\system32\Aioebj32.exe

C:\Windows\SysWOW64\Apimodmh.exe

C:\Windows\system32\Apimodmh.exe

C:\Windows\SysWOW64\Apkjddke.exe

C:\Windows\system32\Apkjddke.exe

C:\Windows\SysWOW64\Aidomjaf.exe

C:\Windows\system32\Aidomjaf.exe

C:\Windows\SysWOW64\Bejobk32.exe

C:\Windows\system32\Bejobk32.exe

C:\Windows\SysWOW64\Bmagch32.exe

C:\Windows\system32\Bmagch32.exe

C:\Windows\SysWOW64\Bldgoeog.exe

C:\Windows\system32\Bldgoeog.exe

C:\Windows\SysWOW64\Bboplo32.exe

C:\Windows\system32\Bboplo32.exe

C:\Windows\SysWOW64\Bpbpecen.exe

C:\Windows\system32\Bpbpecen.exe

C:\Windows\SysWOW64\Bpbpecen.exe

C:\Windows\system32\Bpbpecen.exe

C:\Windows\SysWOW64\Bliajd32.exe

C:\Windows\system32\Bliajd32.exe

C:\Windows\SysWOW64\Bcpika32.exe

C:\Windows\system32\Bcpika32.exe

C:\Windows\SysWOW64\Bmimdg32.exe

C:\Windows\system32\Bmimdg32.exe

C:\Windows\SysWOW64\Bbefln32.exe

C:\Windows\system32\Bbefln32.exe

C:\Windows\SysWOW64\Bipnihgi.exe

C:\Windows\system32\Bipnihgi.exe

C:\Windows\SysWOW64\Cdebfago.exe

C:\Windows\system32\Cdebfago.exe

C:\Windows\SysWOW64\Cibkohef.exe

C:\Windows\system32\Cibkohef.exe

C:\Windows\SysWOW64\Cplckbmc.exe

C:\Windows\system32\Cplckbmc.exe

C:\Windows\SysWOW64\Cbjogmlf.exe

C:\Windows\system32\Cbjogmlf.exe

C:\Windows\SysWOW64\Cmpcdfll.exe

C:\Windows\system32\Cmpcdfll.exe

C:\Windows\SysWOW64\Cpnpqakp.exe

C:\Windows\system32\Cpnpqakp.exe

C:\Windows\SysWOW64\Cekhihig.exe

C:\Windows\system32\Cekhihig.exe

C:\Windows\SysWOW64\Cleqfb32.exe

C:\Windows\system32\Cleqfb32.exe

C:\Windows\SysWOW64\Cboibm32.exe

C:\Windows\system32\Cboibm32.exe

C:\Windows\SysWOW64\Cfjeckpj.exe

C:\Windows\system32\Cfjeckpj.exe

C:\Windows\SysWOW64\Cmdmpe32.exe

C:\Windows\system32\Cmdmpe32.exe

C:\Windows\SysWOW64\Cepadh32.exe

C:\Windows\system32\Cepadh32.exe

C:\Windows\SysWOW64\Ciknefmk.exe

C:\Windows\system32\Ciknefmk.exe

C:\Windows\SysWOW64\Clijablo.exe

C:\Windows\system32\Clijablo.exe

C:\Windows\SysWOW64\Ddqbbo32.exe

C:\Windows\system32\Ddqbbo32.exe

C:\Windows\SysWOW64\Debnjgcp.exe

C:\Windows\system32\Debnjgcp.exe

C:\Windows\SysWOW64\Dpgbgpbe.exe

C:\Windows\system32\Dpgbgpbe.exe

C:\Windows\SysWOW64\Dbfoclai.exe

C:\Windows\system32\Dbfoclai.exe

C:\Windows\SysWOW64\Dmkcpdao.exe

C:\Windows\system32\Dmkcpdao.exe

C:\Windows\SysWOW64\Ddekmo32.exe

C:\Windows\system32\Ddekmo32.exe

C:\Windows\SysWOW64\Dgdgijhp.exe

C:\Windows\system32\Dgdgijhp.exe

C:\Windows\SysWOW64\Dibdeegc.exe

C:\Windows\system32\Dibdeegc.exe

C:\Windows\SysWOW64\Dmnpfd32.exe

C:\Windows\system32\Dmnpfd32.exe

C:\Windows\SysWOW64\Ddhhbngi.exe

C:\Windows\system32\Ddhhbngi.exe

C:\Windows\SysWOW64\Dgfdojfm.exe

C:\Windows\system32\Dgfdojfm.exe

C:\Windows\SysWOW64\Deidjf32.exe

C:\Windows\system32\Deidjf32.exe

C:\Windows\SysWOW64\Dlcmgqdd.exe

C:\Windows\system32\Dlcmgqdd.exe

C:\Windows\SysWOW64\Dpoiho32.exe

C:\Windows\system32\Dpoiho32.exe

C:\Windows\SysWOW64\Dcmedk32.exe

C:\Windows\system32\Dcmedk32.exe

C:\Windows\SysWOW64\Edlann32.exe

C:\Windows\system32\Edlann32.exe

C:\Windows\SysWOW64\Eennefib.exe

C:\Windows\system32\Eennefib.exe

C:\Windows\SysWOW64\Ecanojgl.exe

C:\Windows\system32\Ecanojgl.exe

C:\Windows\SysWOW64\Eilfldoi.exe

C:\Windows\system32\Eilfldoi.exe

C:\Windows\SysWOW64\Epeohn32.exe

C:\Windows\system32\Epeohn32.exe

C:\Windows\SysWOW64\Egpgehnb.exe

C:\Windows\system32\Egpgehnb.exe

C:\Windows\SysWOW64\Eincadmf.exe

C:\Windows\system32\Eincadmf.exe

C:\Windows\SysWOW64\Ellpmolj.exe

C:\Windows\system32\Ellpmolj.exe

C:\Windows\SysWOW64\Egbdjhlp.exe

C:\Windows\system32\Egbdjhlp.exe

C:\Windows\SysWOW64\Elolco32.exe

C:\Windows\system32\Elolco32.exe

C:\Windows\SysWOW64\Egdqph32.exe

C:\Windows\system32\Egdqph32.exe

C:\Windows\SysWOW64\Eegqldqg.exe

C:\Windows\system32\Eegqldqg.exe

C:\Windows\SysWOW64\Fnnimbaj.exe

C:\Windows\system32\Fnnimbaj.exe

C:\Windows\SysWOW64\Fgfmeg32.exe

C:\Windows\system32\Fgfmeg32.exe

C:\Windows\SysWOW64\Fnqebaog.exe

C:\Windows\system32\Fnqebaog.exe

C:\Windows\SysWOW64\Fpoaom32.exe

C:\Windows\system32\Fpoaom32.exe

C:\Windows\SysWOW64\Fdjnolfd.exe

C:\Windows\system32\Fdjnolfd.exe

C:\Windows\SysWOW64\Feljgd32.exe

C:\Windows\system32\Feljgd32.exe

C:\Windows\SysWOW64\Fpandm32.exe

C:\Windows\system32\Fpandm32.exe

C:\Windows\SysWOW64\Fgkfqgce.exe

C:\Windows\system32\Fgkfqgce.exe

C:\Windows\SysWOW64\Fneoma32.exe

C:\Windows\system32\Fneoma32.exe

C:\Windows\SysWOW64\Fdogjk32.exe

C:\Windows\system32\Fdogjk32.exe

C:\Windows\SysWOW64\Ffpcbchm.exe

C:\Windows\system32\Ffpcbchm.exe

C:\Windows\SysWOW64\Fljlom32.exe

C:\Windows\system32\Fljlom32.exe

C:\Windows\SysWOW64\Fcddkggf.exe

C:\Windows\system32\Fcddkggf.exe

C:\Windows\SysWOW64\Gjnlha32.exe

C:\Windows\system32\Gjnlha32.exe

C:\Windows\SysWOW64\Gphddlfp.exe

C:\Windows\system32\Gphddlfp.exe

C:\Windows\SysWOW64\Gcgqag32.exe

C:\Windows\system32\Gcgqag32.exe

C:\Windows\SysWOW64\Gnlenp32.exe

C:\Windows\system32\Gnlenp32.exe

C:\Windows\SysWOW64\Gloejmld.exe

C:\Windows\system32\Gloejmld.exe

C:\Windows\SysWOW64\Ggdigekj.exe

C:\Windows\system32\Ggdigekj.exe

C:\Windows\SysWOW64\Glabolja.exe

C:\Windows\system32\Glabolja.exe

C:\Windows\SysWOW64\Gckjlf32.exe

C:\Windows\system32\Gckjlf32.exe

C:\Windows\SysWOW64\Gggfme32.exe

C:\Windows\system32\Gggfme32.exe

C:\Windows\SysWOW64\Gmdoel32.exe

C:\Windows\system32\Gmdoel32.exe

C:\Windows\SysWOW64\Gcngafol.exe

C:\Windows\system32\Gcngafol.exe

C:\Windows\SysWOW64\Gjhonp32.exe

C:\Windows\system32\Gjhonp32.exe

C:\Windows\SysWOW64\Gqagkjne.exe

C:\Windows\system32\Gqagkjne.exe

C:\Windows\SysWOW64\Gcpcgfmi.exe

C:\Windows\system32\Gcpcgfmi.exe

C:\Windows\SysWOW64\Hnehdo32.exe

C:\Windows\system32\Hnehdo32.exe

C:\Windows\SysWOW64\Hdppaidl.exe

C:\Windows\system32\Hdppaidl.exe

C:\Windows\SysWOW64\Hdbmfhbi.exe

C:\Windows\system32\Hdbmfhbi.exe

C:\Windows\SysWOW64\Hfcinq32.exe

C:\Windows\system32\Hfcinq32.exe

C:\Windows\SysWOW64\Hqimlihn.exe

C:\Windows\system32\Hqimlihn.exe

C:\Windows\SysWOW64\Hgbfhc32.exe

C:\Windows\system32\Hgbfhc32.exe

C:\Windows\SysWOW64\Hnmnengg.exe

C:\Windows\system32\Hnmnengg.exe

C:\Windows\SysWOW64\Hdffah32.exe

C:\Windows\system32\Hdffah32.exe

C:\Windows\SysWOW64\Hfhbipdb.exe

C:\Windows\system32\Hfhbipdb.exe

C:\Windows\SysWOW64\Hjcojo32.exe

C:\Windows\system32\Hjcojo32.exe

C:\Windows\SysWOW64\Hdicggla.exe

C:\Windows\system32\Hdicggla.exe

C:\Windows\SysWOW64\Hclccd32.exe

C:\Windows\system32\Hclccd32.exe

C:\Windows\SysWOW64\Imdgljil.exe

C:\Windows\system32\Imdgljil.exe

C:\Windows\SysWOW64\Iqpclh32.exe

C:\Windows\system32\Iqpclh32.exe

C:\Windows\SysWOW64\Igjlibib.exe

C:\Windows\system32\Igjlibib.exe

C:\Windows\SysWOW64\Ijhhenhf.exe

C:\Windows\system32\Ijhhenhf.exe

C:\Windows\SysWOW64\Icqmncof.exe

C:\Windows\system32\Icqmncof.exe

C:\Windows\SysWOW64\Imiagi32.exe

C:\Windows\system32\Imiagi32.exe

C:\Windows\SysWOW64\Iepihf32.exe

C:\Windows\system32\Iepihf32.exe

C:\Windows\SysWOW64\Igneda32.exe

C:\Windows\system32\Igneda32.exe

C:\Windows\SysWOW64\Ijmapm32.exe

C:\Windows\system32\Ijmapm32.exe

C:\Windows\SysWOW64\Iqgjmg32.exe

C:\Windows\system32\Iqgjmg32.exe

C:\Windows\SysWOW64\Ifcben32.exe

C:\Windows\system32\Ifcben32.exe

C:\Windows\SysWOW64\Imnjbhaa.exe

C:\Windows\system32\Imnjbhaa.exe

C:\Windows\SysWOW64\Jffokn32.exe

C:\Windows\system32\Jffokn32.exe

C:\Windows\SysWOW64\Jmpgghoo.exe

C:\Windows\system32\Jmpgghoo.exe

C:\Windows\SysWOW64\Jgekdq32.exe

C:\Windows\system32\Jgekdq32.exe

C:\Windows\SysWOW64\Jjdgal32.exe

C:\Windows\system32\Jjdgal32.exe

C:\Windows\SysWOW64\Jclljaei.exe

C:\Windows\system32\Jclljaei.exe

C:\Windows\SysWOW64\Jnapgjdo.exe

C:\Windows\system32\Jnapgjdo.exe

C:\Windows\SysWOW64\Jmdqbg32.exe

C:\Windows\system32\Jmdqbg32.exe

C:\Windows\SysWOW64\Jelhcd32.exe

C:\Windows\system32\Jelhcd32.exe

C:\Windows\SysWOW64\Jcoioabf.exe

C:\Windows\system32\Jcoioabf.exe

C:\Windows\SysWOW64\Jfmekm32.exe

C:\Windows\system32\Jfmekm32.exe

C:\Windows\SysWOW64\Jjhalkjc.exe

C:\Windows\system32\Jjhalkjc.exe

C:\Windows\SysWOW64\Jmgmhgig.exe

C:\Windows\system32\Jmgmhgig.exe

C:\Windows\SysWOW64\Jabiie32.exe

C:\Windows\system32\Jabiie32.exe

C:\Windows\SysWOW64\Jcaeea32.exe

C:\Windows\system32\Jcaeea32.exe

C:\Windows\SysWOW64\Jglaepim.exe

C:\Windows\system32\Jglaepim.exe

C:\Windows\SysWOW64\Jjknakhq.exe

C:\Windows\system32\Jjknakhq.exe

C:\Windows\SysWOW64\Jnfjbj32.exe

C:\Windows\system32\Jnfjbj32.exe

C:\Windows\SysWOW64\Kccbjq32.exe

C:\Windows\system32\Kccbjq32.exe

C:\Windows\SysWOW64\Khonkogj.exe

C:\Windows\system32\Khonkogj.exe

C:\Windows\SysWOW64\Kfanflne.exe

C:\Windows\system32\Kfanflne.exe

C:\Windows\SysWOW64\Kagbdenk.exe

C:\Windows\system32\Kagbdenk.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8

C:\Windows\SysWOW64\Kebodc32.exe

C:\Windows\system32\Kebodc32.exe

C:\Windows\SysWOW64\Kfdklllb.exe

C:\Windows\system32\Kfdklllb.exe

C:\Windows\SysWOW64\Kaioidkh.exe

C:\Windows\system32\Kaioidkh.exe

C:\Windows\SysWOW64\Kjbdbjbi.exe

C:\Windows\system32\Kjbdbjbi.exe

C:\Windows\SysWOW64\Kmppneal.exe

C:\Windows\system32\Kmppneal.exe

C:\Windows\SysWOW64\Kmbmdeoj.exe

C:\Windows\system32\Kmbmdeoj.exe

C:\Windows\SysWOW64\Kfkamk32.exe

C:\Windows\system32\Kfkamk32.exe

C:\Windows\SysWOW64\Kjfmminc.exe

C:\Windows\system32\Kjfmminc.exe

C:\Windows\SysWOW64\Ldoafodd.exe

C:\Windows\system32\Ldoafodd.exe

C:\Windows\SysWOW64\Lndfchdj.exe

C:\Windows\system32\Lndfchdj.exe

C:\Windows\SysWOW64\Lfpkhjae.exe

C:\Windows\system32\Lfpkhjae.exe

C:\Windows\SysWOW64\Ljkghi32.exe

C:\Windows\system32\Ljkghi32.exe

C:\Windows\SysWOW64\Laeoec32.exe

C:\Windows\system32\Laeoec32.exe

C:\Windows\SysWOW64\Laglkb32.exe

C:\Windows\system32\Laglkb32.exe

C:\Windows\SysWOW64\Lkppchfi.exe

C:\Windows\system32\Lkppchfi.exe

C:\Windows\SysWOW64\Lajhpbme.exe

C:\Windows\system32\Lajhpbme.exe

C:\Windows\SysWOW64\Lhdqml32.exe

C:\Windows\system32\Lhdqml32.exe

C:\Windows\SysWOW64\Mhfmbl32.exe

C:\Windows\system32\Mhfmbl32.exe

C:\Windows\SysWOW64\Mopeofjl.exe

C:\Windows\system32\Mopeofjl.exe

C:\Windows\SysWOW64\Maoakaip.exe

C:\Windows\system32\Maoakaip.exe

C:\Windows\SysWOW64\Mdmngm32.exe

C:\Windows\system32\Mdmngm32.exe

C:\Windows\SysWOW64\Mgkjch32.exe

C:\Windows\system32\Mgkjch32.exe

C:\Windows\SysWOW64\Maaoaa32.exe

C:\Windows\system32\Maaoaa32.exe

C:\Windows\SysWOW64\Mdokmm32.exe

C:\Windows\system32\Mdokmm32.exe

C:\Windows\SysWOW64\Mhkgnkoj.exe

C:\Windows\system32\Mhkgnkoj.exe

C:\Windows\SysWOW64\Mgngih32.exe

C:\Windows\system32\Mgngih32.exe

C:\Windows\SysWOW64\Meoggpmd.exe

C:\Windows\system32\Meoggpmd.exe

C:\Windows\SysWOW64\Moglpedd.exe

C:\Windows\system32\Moglpedd.exe

C:\Windows\SysWOW64\Meadlo32.exe

C:\Windows\system32\Meadlo32.exe

C:\Windows\SysWOW64\Mgbpdgap.exe

C:\Windows\system32\Mgbpdgap.exe

C:\Windows\SysWOW64\Nmlhaa32.exe

C:\Windows\system32\Nmlhaa32.exe

C:\Windows\SysWOW64\Nahdapae.exe

C:\Windows\system32\Nahdapae.exe

C:\Windows\SysWOW64\Ndfanlpi.exe

C:\Windows\system32\Ndfanlpi.exe

C:\Windows\SysWOW64\Nkpijfgf.exe

C:\Windows\system32\Nkpijfgf.exe

C:\Windows\SysWOW64\Ndinck32.exe

C:\Windows\system32\Ndinck32.exe

C:\Windows\SysWOW64\Nkbfpeec.exe

C:\Windows\system32\Nkbfpeec.exe

C:\Windows\SysWOW64\Nnabladg.exe

C:\Windows\system32\Nnabladg.exe

C:\Windows\SysWOW64\Nhffijdm.exe

C:\Windows\system32\Nhffijdm.exe

C:\Windows\SysWOW64\Noqofdlj.exe

C:\Windows\system32\Noqofdlj.exe

C:\Windows\SysWOW64\Nejgbn32.exe

C:\Windows\system32\Nejgbn32.exe

C:\Windows\SysWOW64\Nhicoi32.exe

C:\Windows\system32\Nhicoi32.exe

C:\Windows\SysWOW64\Nnfkgp32.exe

C:\Windows\system32\Nnfkgp32.exe

C:\Windows\SysWOW64\Nhkpdi32.exe

C:\Windows\system32\Nhkpdi32.exe

C:\Windows\SysWOW64\Noehac32.exe

C:\Windows\system32\Noehac32.exe

C:\Windows\SysWOW64\Onhhmpoo.exe

C:\Windows\system32\Onhhmpoo.exe

C:\Windows\SysWOW64\Odbpij32.exe

C:\Windows\system32\Odbpij32.exe

C:\Windows\SysWOW64\Ogqmee32.exe

C:\Windows\system32\Ogqmee32.exe

C:\Windows\SysWOW64\Oklifdmi.exe

C:\Windows\system32\Oklifdmi.exe

C:\Windows\SysWOW64\Oeamcmmo.exe

C:\Windows\system32\Oeamcmmo.exe

C:\Windows\SysWOW64\Oddmoj32.exe

C:\Windows\system32\Oddmoj32.exe

C:\Windows\SysWOW64\Oojalb32.exe

C:\Windows\system32\Oojalb32.exe

C:\Windows\SysWOW64\Oahnhncc.exe

C:\Windows\system32\Oahnhncc.exe

C:\Windows\SysWOW64\Oediim32.exe

C:\Windows\system32\Oediim32.exe

C:\Windows\SysWOW64\Ogefqeaj.exe

C:\Windows\system32\Ogefqeaj.exe

C:\Windows\SysWOW64\Oakjnnap.exe

C:\Windows\system32\Oakjnnap.exe

C:\Windows\SysWOW64\Odifjipd.exe

C:\Windows\system32\Odifjipd.exe

C:\Windows\SysWOW64\Ohdbkh32.exe

C:\Windows\system32\Ohdbkh32.exe

C:\Windows\SysWOW64\Okcogc32.exe

C:\Windows\system32\Okcogc32.exe

C:\Windows\SysWOW64\Onakco32.exe

C:\Windows\system32\Onakco32.exe

C:\Windows\SysWOW64\Ofhcdlgg.exe

C:\Windows\system32\Ofhcdlgg.exe

C:\Windows\SysWOW64\Ohgopgfj.exe

C:\Windows\system32\Ohgopgfj.exe

C:\Windows\SysWOW64\Poagma32.exe

C:\Windows\system32\Poagma32.exe

C:\Windows\SysWOW64\Pdnpeh32.exe

C:\Windows\system32\Pdnpeh32.exe

C:\Windows\SysWOW64\Philfgdh.exe

C:\Windows\system32\Philfgdh.exe

C:\Windows\SysWOW64\Pnfdnnbo.exe

C:\Windows\system32\Pnfdnnbo.exe

C:\Windows\SysWOW64\Pbapom32.exe

C:\Windows\system32\Pbapom32.exe

C:\Windows\SysWOW64\Pdpmkhjl.exe

C:\Windows\system32\Pdpmkhjl.exe

C:\Windows\SysWOW64\Pgoigcip.exe

C:\Windows\system32\Pgoigcip.exe

C:\Windows\SysWOW64\Poeahaib.exe

C:\Windows\system32\Poeahaib.exe

C:\Windows\SysWOW64\Pbdmdlie.exe

C:\Windows\system32\Pbdmdlie.exe

C:\Windows\SysWOW64\Pdbiphhi.exe

C:\Windows\system32\Pdbiphhi.exe

C:\Windows\SysWOW64\Phneqf32.exe

C:\Windows\system32\Phneqf32.exe

C:\Windows\SysWOW64\Pklamb32.exe

C:\Windows\system32\Pklamb32.exe

C:\Windows\SysWOW64\Pnknim32.exe

C:\Windows\system32\Pnknim32.exe

C:\Windows\SysWOW64\Pbfjjlgc.exe

C:\Windows\system32\Pbfjjlgc.exe

C:\Windows\SysWOW64\Pdeffgff.exe

C:\Windows\system32\Pdeffgff.exe

C:\Windows\SysWOW64\Phpbffnp.exe

C:\Windows\system32\Phpbffnp.exe

C:\Windows\SysWOW64\Pgcbbc32.exe

C:\Windows\system32\Pgcbbc32.exe

C:\Windows\SysWOW64\Pojjcp32.exe

C:\Windows\system32\Pojjcp32.exe

C:\Windows\SysWOW64\Pnmjomlg.exe

C:\Windows\system32\Pnmjomlg.exe

C:\Windows\SysWOW64\Pfdbpjmi.exe

C:\Windows\system32\Pfdbpjmi.exe

C:\Windows\SysWOW64\Phbolflm.exe

C:\Windows\system32\Phbolflm.exe

C:\Windows\SysWOW64\Qkakhakq.exe

C:\Windows\system32\Qkakhakq.exe

C:\Windows\SysWOW64\Qomghp32.exe

C:\Windows\system32\Qomghp32.exe

C:\Windows\SysWOW64\Qnpgdmjd.exe

C:\Windows\system32\Qnpgdmjd.exe

C:\Windows\SysWOW64\Qffoejkg.exe

C:\Windows\system32\Qffoejkg.exe

C:\Windows\SysWOW64\Qhekaejj.exe

C:\Windows\system32\Qhekaejj.exe

C:\Windows\SysWOW64\Qkchna32.exe

C:\Windows\system32\Qkchna32.exe

C:\Windows\SysWOW64\Qoocnpag.exe

C:\Windows\system32\Qoocnpag.exe

C:\Windows\SysWOW64\Qnbdjl32.exe

C:\Windows\system32\Qnbdjl32.exe

C:\Windows\SysWOW64\Qfilkj32.exe

C:\Windows\system32\Qfilkj32.exe

C:\Windows\SysWOW64\Qhghge32.exe

C:\Windows\system32\Qhghge32.exe

C:\Windows\SysWOW64\Akfdcq32.exe

C:\Windows\system32\Akfdcq32.exe

C:\Windows\SysWOW64\Andqol32.exe

C:\Windows\system32\Andqol32.exe

C:\Windows\SysWOW64\Abpmpkoh.exe

C:\Windows\system32\Abpmpkoh.exe

C:\Windows\SysWOW64\Adnilfnl.exe

C:\Windows\system32\Adnilfnl.exe

C:\Windows\SysWOW64\Afnefieo.exe

C:\Windows\system32\Afnefieo.exe

C:\Windows\SysWOW64\Ailabddb.exe

C:\Windows\system32\Ailabddb.exe

C:\Windows\SysWOW64\Aofjoo32.exe

C:\Windows\system32\Aofjoo32.exe

C:\Windows\SysWOW64\Ainnhdbp.exe

C:\Windows\system32\Ainnhdbp.exe

C:\Windows\SysWOW64\Akmjdpac.exe

C:\Windows\system32\Akmjdpac.exe

C:\Windows\SysWOW64\Ankgpk32.exe

C:\Windows\system32\Ankgpk32.exe

C:\Windows\SysWOW64\Aeeomegd.exe

C:\Windows\system32\Aeeomegd.exe

C:\Windows\SysWOW64\Afdkfh32.exe

C:\Windows\system32\Afdkfh32.exe

C:\Windows\SysWOW64\Bgfhnpde.exe

C:\Windows\system32\Bgfhnpde.exe

C:\Windows\SysWOW64\Bkadoo32.exe

C:\Windows\system32\Bkadoo32.exe

C:\Windows\SysWOW64\Bfghlhmd.exe

C:\Windows\system32\Bfghlhmd.exe

C:\Windows\SysWOW64\Bghddp32.exe

C:\Windows\system32\Bghddp32.exe

C:\Windows\SysWOW64\Bnbmqjjo.exe

C:\Windows\system32\Bnbmqjjo.exe

C:\Windows\SysWOW64\Bihancje.exe

C:\Windows\system32\Bihancje.exe

C:\Windows\SysWOW64\Bndjfjhl.exe

C:\Windows\system32\Bndjfjhl.exe

C:\Windows\SysWOW64\Bijncb32.exe

C:\Windows\system32\Bijncb32.exe

C:\Windows\SysWOW64\Bngfli32.exe

C:\Windows\system32\Bngfli32.exe

C:\Windows\SysWOW64\Bbbblhnc.exe

C:\Windows\system32\Bbbblhnc.exe

C:\Windows\SysWOW64\Bgokdomj.exe

C:\Windows\system32\Bgokdomj.exe

C:\Windows\SysWOW64\Becknc32.exe

C:\Windows\system32\Becknc32.exe

C:\Windows\SysWOW64\Cgagjo32.exe

C:\Windows\system32\Cgagjo32.exe

C:\Windows\SysWOW64\Cpipkl32.exe

C:\Windows\system32\Cpipkl32.exe

C:\Windows\SysWOW64\Cfbhhfbg.exe

C:\Windows\system32\Cfbhhfbg.exe

C:\Windows\SysWOW64\Cnnllhpa.exe

C:\Windows\system32\Cnnllhpa.exe

C:\Windows\SysWOW64\Cicqja32.exe

C:\Windows\system32\Cicqja32.exe

C:\Windows\SysWOW64\Clbmfm32.exe

C:\Windows\system32\Clbmfm32.exe

C:\Windows\SysWOW64\Cpmifkgd.exe

C:\Windows\system32\Cpmifkgd.exe

C:\Windows\SysWOW64\Cldjkl32.exe

C:\Windows\system32\Cldjkl32.exe

C:\Windows\SysWOW64\Cbqonf32.exe

C:\Windows\system32\Cbqonf32.exe

C:\Windows\SysWOW64\Dngobghg.exe

C:\Windows\system32\Dngobghg.exe

C:\Windows\SysWOW64\Dimcppgm.exe

C:\Windows\system32\Dimcppgm.exe

C:\Windows\SysWOW64\Diamko32.exe

C:\Windows\system32\Diamko32.exe

C:\Windows\SysWOW64\Dfemdcba.exe

C:\Windows\system32\Dfemdcba.exe

C:\Windows\SysWOW64\Doqbifpl.exe

C:\Windows\system32\Doqbifpl.exe

C:\Windows\SysWOW64\Eppobi32.exe

C:\Windows\system32\Eppobi32.exe

C:\Windows\SysWOW64\Ehkcgkdj.exe

C:\Windows\system32\Ehkcgkdj.exe

C:\Windows\SysWOW64\Eikpan32.exe

C:\Windows\system32\Eikpan32.exe

C:\Windows\SysWOW64\Ehnpmkbg.exe

C:\Windows\system32\Ehnpmkbg.exe

C:\Windows\SysWOW64\Eohhie32.exe

C:\Windows\system32\Eohhie32.exe

C:\Windows\SysWOW64\Eimlgnij.exe

C:\Windows\system32\Eimlgnij.exe

C:\Windows\SysWOW64\Ehpmbj32.exe

C:\Windows\system32\Ehpmbj32.exe

C:\Windows\SysWOW64\Eojeodga.exe

C:\Windows\system32\Eojeodga.exe

C:\Windows\SysWOW64\Eipilmgh.exe

C:\Windows\system32\Eipilmgh.exe

C:\Windows\SysWOW64\Eoladdeo.exe

C:\Windows\system32\Eoladdeo.exe

C:\Windows\SysWOW64\Fefjanml.exe

C:\Windows\system32\Fefjanml.exe

C:\Windows\SysWOW64\Flpbnh32.exe

C:\Windows\system32\Flpbnh32.exe

C:\Windows\SysWOW64\Fbjjkble.exe

C:\Windows\system32\Fbjjkble.exe

C:\Windows\SysWOW64\Fidbgm32.exe

C:\Windows\system32\Fidbgm32.exe

C:\Windows\SysWOW64\Flboch32.exe

C:\Windows\system32\Flboch32.exe

C:\Windows\SysWOW64\Foakpc32.exe

C:\Windows\system32\Foakpc32.exe

C:\Windows\SysWOW64\Fifomlap.exe

C:\Windows\system32\Fifomlap.exe

C:\Windows\SysWOW64\Fpqgjf32.exe

C:\Windows\system32\Fpqgjf32.exe

C:\Windows\SysWOW64\Fcodfa32.exe

C:\Windows\system32\Fcodfa32.exe

C:\Windows\SysWOW64\Fhllni32.exe

C:\Windows\system32\Fhllni32.exe

C:\Windows\SysWOW64\Fofdkcmd.exe

C:\Windows\system32\Fofdkcmd.exe

C:\Windows\SysWOW64\Fcaqka32.exe

C:\Windows\system32\Fcaqka32.exe

C:\Windows\SysWOW64\Fhnichde.exe

C:\Windows\system32\Fhnichde.exe

C:\Windows\SysWOW64\Fljedg32.exe

C:\Windows\system32\Fljedg32.exe

C:\Windows\SysWOW64\Ggoiap32.exe

C:\Windows\system32\Ggoiap32.exe

C:\Windows\SysWOW64\Ginenk32.exe

C:\Windows\system32\Ginenk32.exe

C:\Windows\SysWOW64\Gpgnjebd.exe

C:\Windows\system32\Gpgnjebd.exe

C:\Windows\SysWOW64\Ggafgo32.exe

C:\Windows\system32\Ggafgo32.exe

C:\Windows\SysWOW64\Ghcbohpp.exe

C:\Windows\system32\Ghcbohpp.exe

C:\Windows\SysWOW64\Gchflq32.exe

C:\Windows\system32\Gchflq32.exe

C:\Windows\SysWOW64\Ggdbmoho.exe

C:\Windows\system32\Ggdbmoho.exe

C:\Windows\SysWOW64\Glqkefff.exe

C:\Windows\system32\Glqkefff.exe

C:\Windows\SysWOW64\Gplged32.exe

C:\Windows\system32\Gplged32.exe

C:\Windows\SysWOW64\Geipnl32.exe

C:\Windows\system32\Geipnl32.exe

C:\Windows\SysWOW64\Glchjedc.exe

C:\Windows\system32\Glchjedc.exe

C:\Windows\SysWOW64\Gcmpgpkp.exe

C:\Windows\system32\Gcmpgpkp.exe

C:\Windows\SysWOW64\Geklckkd.exe

C:\Windows\system32\Geklckkd.exe

C:\Windows\SysWOW64\Gjghdj32.exe

C:\Windows\system32\Gjghdj32.exe

C:\Windows\SysWOW64\Hcommoin.exe

C:\Windows\system32\Hcommoin.exe

C:\Windows\SysWOW64\Hfniikha.exe

C:\Windows\system32\Hfniikha.exe

C:\Windows\SysWOW64\Hhleefhe.exe

C:\Windows\system32\Hhleefhe.exe

C:\Windows\SysWOW64\Hcaibo32.exe

C:\Windows\system32\Hcaibo32.exe

C:\Windows\SysWOW64\Hjlaoioh.exe

C:\Windows\system32\Hjlaoioh.exe

C:\Windows\SysWOW64\Hohjgpmo.exe

C:\Windows\system32\Hohjgpmo.exe

C:\Windows\SysWOW64\Hfbbdj32.exe

C:\Windows\system32\Hfbbdj32.exe

C:\Windows\SysWOW64\Hphfac32.exe

C:\Windows\system32\Hphfac32.exe

C:\Windows\SysWOW64\Hgbonm32.exe

C:\Windows\system32\Hgbonm32.exe

C:\Windows\SysWOW64\Hfeoijbi.exe

C:\Windows\system32\Hfeoijbi.exe

C:\Windows\SysWOW64\Hqjcgbbo.exe

C:\Windows\system32\Hqjcgbbo.exe

C:\Windows\SysWOW64\Hgdlcm32.exe

C:\Windows\system32\Hgdlcm32.exe

C:\Windows\SysWOW64\Hjbhph32.exe

C:\Windows\system32\Hjbhph32.exe

C:\Windows\SysWOW64\Iqmplbpl.exe

C:\Windows\system32\Iqmplbpl.exe

C:\Windows\SysWOW64\Ifihdi32.exe

C:\Windows\system32\Ifihdi32.exe

C:\Windows\SysWOW64\Ijedehgm.exe

C:\Windows\system32\Ijedehgm.exe

C:\Windows\SysWOW64\Iobmmoed.exe

C:\Windows\system32\Iobmmoed.exe

C:\Windows\SysWOW64\Igieoleg.exe

C:\Windows\system32\Igieoleg.exe

C:\Windows\SysWOW64\Imfmgcdn.exe

C:\Windows\system32\Imfmgcdn.exe

C:\Windows\SysWOW64\Icpecm32.exe

C:\Windows\system32\Icpecm32.exe

C:\Windows\SysWOW64\Ihmnldib.exe

C:\Windows\system32\Ihmnldib.exe

C:\Windows\SysWOW64\Ignnjk32.exe

C:\Windows\system32\Ignnjk32.exe

C:\Windows\SysWOW64\Imjgbb32.exe

C:\Windows\system32\Imjgbb32.exe

C:\Windows\SysWOW64\Ioicnn32.exe

C:\Windows\system32\Ioicnn32.exe

C:\Windows\SysWOW64\Iiaggc32.exe

C:\Windows\system32\Iiaggc32.exe

C:\Windows\SysWOW64\Jqhphq32.exe

C:\Windows\system32\Jqhphq32.exe

C:\Windows\SysWOW64\Jfehpg32.exe

C:\Windows\system32\Jfehpg32.exe

C:\Windows\SysWOW64\Jmopmalc.exe

C:\Windows\system32\Jmopmalc.exe

C:\Windows\SysWOW64\Jcihjl32.exe

C:\Windows\system32\Jcihjl32.exe

C:\Windows\SysWOW64\Jjcqffkm.exe

C:\Windows\system32\Jjcqffkm.exe

C:\Windows\SysWOW64\Jqmicpbj.exe

C:\Windows\system32\Jqmicpbj.exe

C:\Windows\SysWOW64\Jopiom32.exe

C:\Windows\system32\Jopiom32.exe

C:\Windows\SysWOW64\Jckeokan.exe

C:\Windows\system32\Jckeokan.exe

C:\Windows\SysWOW64\Jihngboe.exe

C:\Windows\system32\Jihngboe.exe

C:\Windows\SysWOW64\Jmdjha32.exe

C:\Windows\system32\Jmdjha32.exe

C:\Windows\SysWOW64\Jginej32.exe

C:\Windows\system32\Jginej32.exe

C:\Windows\SysWOW64\Jqbbno32.exe

C:\Windows\system32\Jqbbno32.exe

C:\Windows\SysWOW64\Jglkkiea.exe

C:\Windows\system32\Jglkkiea.exe

C:\Windows\SysWOW64\Jfokff32.exe

C:\Windows\system32\Jfokff32.exe

C:\Windows\SysWOW64\Kimgba32.exe

C:\Windows\system32\Kimgba32.exe

C:\Windows\SysWOW64\Kmhccpci.exe

C:\Windows\system32\Kmhccpci.exe

C:\Windows\SysWOW64\Kjlcmdbb.exe

C:\Windows\system32\Kjlcmdbb.exe

C:\Windows\SysWOW64\Kgqdfi32.exe

C:\Windows\system32\Kgqdfi32.exe

C:\Windows\SysWOW64\Kjopbd32.exe

C:\Windows\system32\Kjopbd32.exe

C:\Windows\SysWOW64\Kcgekjgp.exe

C:\Windows\system32\Kcgekjgp.exe

C:\Windows\SysWOW64\Kgcqlh32.exe

C:\Windows\system32\Kgcqlh32.exe

C:\Windows\SysWOW64\Kakednfj.exe

C:\Windows\system32\Kakednfj.exe

C:\Windows\SysWOW64\Kpnepk32.exe

C:\Windows\system32\Kpnepk32.exe

C:\Windows\SysWOW64\Kifjip32.exe

C:\Windows\system32\Kifjip32.exe

C:\Windows\SysWOW64\Kppbejka.exe

C:\Windows\system32\Kppbejka.exe

C:\Windows\SysWOW64\Kclnfi32.exe

C:\Windows\system32\Kclnfi32.exe

C:\Windows\SysWOW64\Kggjghkd.exe

C:\Windows\system32\Kggjghkd.exe

C:\Windows\SysWOW64\Lapopm32.exe

C:\Windows\system32\Lapopm32.exe

C:\Windows\SysWOW64\Lcnkli32.exe

C:\Windows\system32\Lcnkli32.exe

C:\Windows\SysWOW64\Ljhchc32.exe

C:\Windows\system32\Ljhchc32.exe

C:\Windows\SysWOW64\Lmfodn32.exe

C:\Windows\system32\Lmfodn32.exe

C:\Windows\SysWOW64\Lglcag32.exe

C:\Windows\system32\Lglcag32.exe

C:\Windows\SysWOW64\Ljjpnb32.exe

C:\Windows\system32\Ljjpnb32.exe

C:\Windows\SysWOW64\Ladhkmno.exe

C:\Windows\system32\Ladhkmno.exe

C:\Windows\SysWOW64\Lfaqcclf.exe

C:\Windows\system32\Lfaqcclf.exe

C:\Windows\SysWOW64\Lipmoo32.exe

C:\Windows\system32\Lipmoo32.exe

C:\Windows\SysWOW64\Lcealh32.exe

C:\Windows\system32\Lcealh32.exe

C:\Windows\SysWOW64\Lfcmhc32.exe

C:\Windows\system32\Lfcmhc32.exe

C:\Windows\SysWOW64\Libido32.exe

C:\Windows\system32\Libido32.exe

C:\Windows\SysWOW64\Lhcjbfag.exe

C:\Windows\system32\Lhcjbfag.exe

C:\Windows\SysWOW64\Mjafoapj.exe

C:\Windows\system32\Mjafoapj.exe

C:\Windows\SysWOW64\Mmpbkm32.exe

C:\Windows\system32\Mmpbkm32.exe

C:\Windows\SysWOW64\Mpnngh32.exe

C:\Windows\system32\Mpnngh32.exe

C:\Windows\SysWOW64\Mjdbda32.exe

C:\Windows\system32\Mjdbda32.exe

C:\Windows\SysWOW64\Migcpneb.exe

C:\Windows\system32\Migcpneb.exe

C:\Windows\SysWOW64\Mmbopm32.exe

C:\Windows\system32\Mmbopm32.exe

C:\Windows\SysWOW64\Mpqklh32.exe

C:\Windows\system32\Mpqklh32.exe

C:\Windows\SysWOW64\Mpchbhjl.exe

C:\Windows\system32\Mpchbhjl.exe

C:\Windows\SysWOW64\Mhjpceko.exe

C:\Windows\system32\Mhjpceko.exe

C:\Windows\SysWOW64\Mjiloqjb.exe

C:\Windows\system32\Mjiloqjb.exe

C:\Windows\SysWOW64\Mdaqhf32.exe

C:\Windows\system32\Mdaqhf32.exe

C:\Windows\SysWOW64\Mhmmieil.exe

C:\Windows\system32\Mhmmieil.exe

C:\Windows\SysWOW64\Maeaajpl.exe

C:\Windows\system32\Maeaajpl.exe

C:\Windows\SysWOW64\Mhoind32.exe

C:\Windows\system32\Mhoind32.exe

C:\Windows\SysWOW64\Njmejp32.exe

C:\Windows\system32\Njmejp32.exe

C:\Windows\SysWOW64\Nmlafk32.exe

C:\Windows\system32\Nmlafk32.exe

C:\Windows\SysWOW64\Npjnbg32.exe

C:\Windows\system32\Npjnbg32.exe

C:\Windows\SysWOW64\Ndejcemn.exe

C:\Windows\system32\Ndejcemn.exe

C:\Windows\SysWOW64\Najjmjkg.exe

C:\Windows\system32\Najjmjkg.exe

C:\Windows\SysWOW64\Ndhgie32.exe

C:\Windows\system32\Ndhgie32.exe

C:\Windows\SysWOW64\Nhcbidcd.exe

C:\Windows\system32\Nhcbidcd.exe

C:\Windows\SysWOW64\Nmpkakak.exe

C:\Windows\system32\Nmpkakak.exe

C:\Windows\SysWOW64\Npognfpo.exe

C:\Windows\system32\Npognfpo.exe

C:\Windows\SysWOW64\Niglfl32.exe

C:\Windows\system32\Niglfl32.exe

C:\Windows\SysWOW64\Npadcfnl.exe

C:\Windows\system32\Npadcfnl.exe

C:\Windows\SysWOW64\Ngklppei.exe

C:\Windows\system32\Ngklppei.exe

C:\Windows\SysWOW64\Nmedmj32.exe

C:\Windows\system32\Nmedmj32.exe

C:\Windows\SysWOW64\Ndomiddc.exe

C:\Windows\system32\Ndomiddc.exe

C:\Windows\SysWOW64\Ogmiepcf.exe

C:\Windows\system32\Ogmiepcf.exe

C:\Windows\SysWOW64\Oileakbj.exe

C:\Windows\system32\Oileakbj.exe

C:\Windows\SysWOW64\Odaiodbp.exe

C:\Windows\system32\Odaiodbp.exe

C:\Windows\SysWOW64\Okkalnjm.exe

C:\Windows\system32\Okkalnjm.exe

C:\Windows\SysWOW64\Omjnhiiq.exe

C:\Windows\system32\Omjnhiiq.exe

C:\Windows\SysWOW64\Ophjdehd.exe

C:\Windows\system32\Ophjdehd.exe

C:\Windows\SysWOW64\Odcfdc32.exe

C:\Windows\system32\Odcfdc32.exe

C:\Windows\SysWOW64\Ohobebig.exe

C:\Windows\system32\Ohobebig.exe

C:\Windows\SysWOW64\Oknnanhj.exe

C:\Windows\system32\Oknnanhj.exe

C:\Windows\SysWOW64\Ogdofo32.exe

C:\Windows\system32\Ogdofo32.exe

C:\Windows\SysWOW64\Okpkgm32.exe

C:\Windows\system32\Okpkgm32.exe

C:\Windows\SysWOW64\Opmcod32.exe

C:\Windows\system32\Opmcod32.exe

C:\Windows\SysWOW64\Ohdlpa32.exe

C:\Windows\system32\Ohdlpa32.exe

C:\Windows\SysWOW64\Oiehhjjp.exe

C:\Windows\system32\Oiehhjjp.exe

C:\Windows\SysWOW64\Opopdd32.exe

C:\Windows\system32\Opopdd32.exe

C:\Windows\SysWOW64\Phfhfa32.exe

C:\Windows\system32\Phfhfa32.exe

C:\Windows\SysWOW64\Pncanhaf.exe

C:\Windows\system32\Pncanhaf.exe

C:\Windows\SysWOW64\Ppamjcpj.exe

C:\Windows\system32\Ppamjcpj.exe

C:\Windows\SysWOW64\Phiekaql.exe

C:\Windows\system32\Phiekaql.exe

C:\Windows\SysWOW64\Paaidf32.exe

C:\Windows\system32\Paaidf32.exe

C:\Windows\SysWOW64\Pjlnhi32.exe

C:\Windows\system32\Pjlnhi32.exe

C:\Windows\SysWOW64\Ppffec32.exe

C:\Windows\system32\Ppffec32.exe

C:\Windows\SysWOW64\Pgpobmca.exe

C:\Windows\system32\Pgpobmca.exe

C:\Windows\SysWOW64\Pnjgog32.exe

C:\Windows\system32\Pnjgog32.exe

C:\Windows\SysWOW64\Pafcofcg.exe

C:\Windows\system32\Pafcofcg.exe

C:\Windows\SysWOW64\Pgbkgmao.exe

C:\Windows\system32\Pgbkgmao.exe

C:\Windows\SysWOW64\Pjahchpb.exe

C:\Windows\system32\Pjahchpb.exe

C:\Windows\SysWOW64\Pnlcdg32.exe

C:\Windows\system32\Pnlcdg32.exe

C:\Windows\SysWOW64\Qgehml32.exe

C:\Windows\system32\Qgehml32.exe

C:\Windows\SysWOW64\Qnopjfgi.exe

C:\Windows\system32\Qnopjfgi.exe

C:\Windows\SysWOW64\Qajlje32.exe

C:\Windows\system32\Qajlje32.exe

C:\Windows\SysWOW64\Qhddgofo.exe

C:\Windows\system32\Qhddgofo.exe

C:\Windows\SysWOW64\Qjeaog32.exe

C:\Windows\system32\Qjeaog32.exe

C:\Windows\SysWOW64\Aamipe32.exe

C:\Windows\system32\Aamipe32.exe

C:\Windows\SysWOW64\Ahgamo32.exe

C:\Windows\system32\Ahgamo32.exe

C:\Windows\SysWOW64\Akenij32.exe

C:\Windows\system32\Akenij32.exe

C:\Windows\SysWOW64\Aaofedkl.exe

C:\Windows\system32\Aaofedkl.exe

C:\Windows\SysWOW64\Adnbapjp.exe

C:\Windows\system32\Adnbapjp.exe

C:\Windows\SysWOW64\Akgjnj32.exe

C:\Windows\system32\Akgjnj32.exe

C:\Windows\SysWOW64\Ababkdij.exe

C:\Windows\system32\Ababkdij.exe

C:\Windows\SysWOW64\Adpogp32.exe

C:\Windows\system32\Adpogp32.exe

C:\Windows\SysWOW64\Agnkck32.exe

C:\Windows\system32\Agnkck32.exe

C:\Windows\SysWOW64\Abdoqd32.exe

C:\Windows\system32\Abdoqd32.exe

C:\Windows\SysWOW64\Ahngmnnd.exe

C:\Windows\system32\Ahngmnnd.exe

C:\Windows\SysWOW64\Ajodef32.exe

C:\Windows\system32\Ajodef32.exe

C:\Windows\SysWOW64\Aqilaplo.exe

C:\Windows\system32\Aqilaplo.exe

C:\Windows\SysWOW64\Ahpdcn32.exe

C:\Windows\system32\Ahpdcn32.exe

C:\Windows\SysWOW64\Anmmkd32.exe

C:\Windows\system32\Anmmkd32.exe

C:\Windows\SysWOW64\Bdgehobe.exe

C:\Windows\system32\Bdgehobe.exe

C:\Windows\SysWOW64\Bkamdi32.exe

C:\Windows\system32\Bkamdi32.exe

C:\Windows\SysWOW64\Bbkeacqo.exe

C:\Windows\system32\Bbkeacqo.exe

C:\Windows\SysWOW64\Bhennm32.exe

C:\Windows\system32\Bhennm32.exe

C:\Windows\SysWOW64\Bjfjee32.exe

C:\Windows\system32\Bjfjee32.exe

C:\Windows\SysWOW64\Bqpbboeg.exe

C:\Windows\system32\Bqpbboeg.exe

C:\Windows\SysWOW64\Bhgjcmfi.exe

C:\Windows\system32\Bhgjcmfi.exe

C:\Windows\SysWOW64\Bjhgke32.exe

C:\Windows\system32\Bjhgke32.exe

C:\Windows\SysWOW64\Bbpolb32.exe

C:\Windows\system32\Bbpolb32.exe

C:\Windows\SysWOW64\Bdnkhn32.exe

C:\Windows\system32\Bdnkhn32.exe

C:\Windows\SysWOW64\Bkhceh32.exe

C:\Windows\system32\Bkhceh32.exe

C:\Windows\SysWOW64\Bbbkbbkg.exe

C:\Windows\system32\Bbbkbbkg.exe

C:\Windows\SysWOW64\Bdphnmjk.exe

C:\Windows\system32\Bdphnmjk.exe

C:\Windows\SysWOW64\Bkjpkg32.exe

C:\Windows\system32\Bkjpkg32.exe

C:\Windows\SysWOW64\Cqghcn32.exe

C:\Windows\system32\Cqghcn32.exe

C:\Windows\SysWOW64\Cinpdl32.exe

C:\Windows\system32\Cinpdl32.exe

C:\Windows\SysWOW64\Cjomldfp.exe

C:\Windows\system32\Cjomldfp.exe

C:\Windows\SysWOW64\Ceeaim32.exe

C:\Windows\system32\Ceeaim32.exe

C:\Windows\SysWOW64\Ckoifgmb.exe

C:\Windows\system32\Ckoifgmb.exe

C:\Windows\SysWOW64\Cbiabq32.exe

C:\Windows\system32\Cbiabq32.exe

C:\Windows\SysWOW64\Cegnol32.exe

C:\Windows\system32\Cegnol32.exe

C:\Windows\SysWOW64\Ckafkfkp.exe

C:\Windows\system32\Ckafkfkp.exe

C:\Windows\SysWOW64\Cbknhqbl.exe

C:\Windows\system32\Cbknhqbl.exe

C:\Windows\SysWOW64\Ciefek32.exe

C:\Windows\system32\Ciefek32.exe

C:\Windows\SysWOW64\Cjfclcpg.exe

C:\Windows\system32\Cjfclcpg.exe

C:\Windows\SysWOW64\Capkim32.exe

C:\Windows\system32\Capkim32.exe

C:\Windows\SysWOW64\Cgjcfgoa.exe

C:\Windows\system32\Cgjcfgoa.exe

C:\Windows\SysWOW64\Dndlba32.exe

C:\Windows\system32\Dndlba32.exe

C:\Windows\SysWOW64\Dijppjfd.exe

C:\Windows\system32\Dijppjfd.exe

C:\Windows\SysWOW64\Djklgb32.exe

C:\Windows\system32\Djklgb32.exe

C:\Windows\SysWOW64\Dbbdip32.exe

C:\Windows\system32\Dbbdip32.exe

C:\Windows\SysWOW64\Dgomaf32.exe

C:\Windows\system32\Dgomaf32.exe

C:\Windows\SysWOW64\Dnienqbi.exe

C:\Windows\system32\Dnienqbi.exe

C:\Windows\SysWOW64\Decmjjie.exe

C:\Windows\system32\Decmjjie.exe

C:\Windows\SysWOW64\Dlmegd32.exe

C:\Windows\system32\Dlmegd32.exe

C:\Windows\SysWOW64\Dbgndoho.exe

C:\Windows\system32\Dbgndoho.exe

C:\Windows\SysWOW64\Deejpjgc.exe

C:\Windows\system32\Deejpjgc.exe

C:\Windows\SysWOW64\Dlobmd32.exe

C:\Windows\system32\Dlobmd32.exe

C:\Windows\SysWOW64\Djbbhafj.exe

C:\Windows\system32\Djbbhafj.exe

C:\Windows\SysWOW64\Dicbfhni.exe

C:\Windows\system32\Dicbfhni.exe

C:\Windows\SysWOW64\Ejdonq32.exe

C:\Windows\system32\Ejdonq32.exe

C:\Windows\SysWOW64\Eblgon32.exe

C:\Windows\system32\Eblgon32.exe

C:\Windows\SysWOW64\Eieplhlf.exe

C:\Windows\system32\Eieplhlf.exe

C:\Windows\SysWOW64\Eldlhckj.exe

C:\Windows\system32\Eldlhckj.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 12388 -ip 12388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12388 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

memory/212-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/212-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Iccpniqp.exe

MD5 36300c5c7524b0f0e4d313bed7f8ce81
SHA1 b8f0b0c4dfa83e7c6c56b8575686e657b783b2b0
SHA256 cc1ec643117f8d8ebf7842b7989aca7689e9de74b841e4f581250c5f621b9326
SHA512 0ea5439611ae4ba6385b8becedad0ad13c24c44216e5d3d94d5090d842b8df1536d18e6d2a39bd85a240bc109590cf42dd3874aee8750172c554f481be655171

memory/228-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Inidkb32.exe

MD5 bd57899d65c86b8c7ee1cb46a617ba4f
SHA1 4689699859dad99aea18a4f9cf875543277c4430
SHA256 cabdc035a45848430d3ed34b411bc089c4451d5adb89dfe524eae207974489ed
SHA512 53b4f289a1cb20a26da48cc8a438fd62264a00e1ae5081373918ea58b8eb2c495946c78b9bd396f02e37e2ffd8d43532bf77a2f418a1d481f34c876b5d51346e

memory/4084-17-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Iagqgn32.exe

MD5 3cc19d3aee345181af8a35fcf0e57ced
SHA1 c3fc82e88ba8fdcf6b1edbb6b3b093abbbb5f539
SHA256 bc7049523ed155f8cccf2a4007f4322189da3479003843dfc0326a39c0b89588
SHA512 7a1adc49dc757679089d903aa52519ade5df4b8ccb78b299882d11bf13c642ed4714165bdac60b8e9bc958818da8094f48b93bbc94d7f049a70af9285c9ff95e

memory/2728-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ilmedf32.exe

MD5 d7c53700ceed40f5fbd2f3fcdf0b8653
SHA1 9123664513f92f0c9ac12d13fe7e4601d7b37055
SHA256 33968117e96304cbbce3b7fd29d47e32e8020a6f9769fa6c99256c1d1c50443a
SHA512 6c7058fb835c97e78c936c53c34b85de9fe8e94b0f3001cc5f3b896b88cd1e999a3622af74fdd090ba14c75e91adec151e277ce5ad0d7f7dabe18cdfb25af71f

memory/3436-32-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ibgmaqfl.exe

MD5 5da2589c5cef2c8910f58644d0b0eb7d
SHA1 2f7ed4eafd5194973b1e1da52029eadad93e9e39
SHA256 fdfd391ca45cc12e25688b1108da42594de693f5e76a3a4fec00802b95e9651d
SHA512 ea32fbe51f47c40d297e36ad825ac58fd5df754aef346bf9f67be75acc541c7b7ede08bfb1819405551854efed53dc9e4aefcbf0f6ecbfe5c0b72224d0dd0645

memory/4216-40-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Idhiii32.exe

MD5 5bb5ae4a9da96b67c14d4efdc620519d
SHA1 e597c93380d1a318cbbc43da7dc82a038b48fc12
SHA256 da9ea77f678f953f4c07dd30305b72fff71349b586c39fd48f7d88773249d508
SHA512 211d9d31d25fac330bba1a63a4a3f1fc410723295e0a930054f229992efbff8f224e2e9da43a816e740c84584dff699aca62ab9bdef422b3334ffe17eaf7332b

memory/4592-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Iloajfml.exe

MD5 d72bb1fc6ac16fbd36474238412bba53
SHA1 5f2863b5b7971fbbf9f6d5d770eb02fd6de61faa
SHA256 49dc5d8ba95ae1eec1f25bff2c184b9f985a8f9f93a10e721cff2c6dacc87e6c
SHA512 5ecb2173436b3b4e0cc9103ad08b34296ef3ef41a0f2f30f9d6485523064e06fa7291c95da11c752f169a8ea130074b50c710cbfee845f49212c962e2816b1f4

memory/3896-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jaljbmkd.exe

MD5 3d7cd894bb057f9d8a4c04ef56dc3b2b
SHA1 4a66aa55dafcb830466e040b9ebba0088386a91a
SHA256 30a1b6870b37e4126d8a23ae95e7877f82a9972c415725f3d480ee9f8fc97800
SHA512 40dee533c158fc740152b226742cf000b9edfed7ad2a16248cb20c83c8dac85b4c2b6e65585ceb6e2471fb487e35e32be8bea0fea5a63d687a75769abb02008a

memory/4352-64-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jdjfohjg.exe

MD5 cf60b6f01f0158ba0db5411d4cc959b0
SHA1 92484fbb2c8c37164ef4845b71a6cdd9d6935636
SHA256 bc61f5a05af73000a65bb40820ae0e15720a960d9bd3c0125988aa91e7fac0db
SHA512 8c18fb961326475202189c5a170006c766e86607c05bbdddfaff8ff2097ed7666d82653a9f811eda88d01d1d7614fc3fdb9eadf60d61621cc7f4b84699983ef9

memory/1336-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4544-80-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jnpjlajn.exe

MD5 b069455024fe5ef024300dca1d2e20ad
SHA1 8fca3e4f08971e44fb8019d95b3be186ea4d419c
SHA256 6f348175f1f080a3d83c897700ffcfd676a7333ff6962a21dbf4fea53bb1b180
SHA512 1ba4d89838919306f654fa1b706464b0befec35d3c6d6d11df9242071c88869356371cc6f0f9302b8b7f43991c09a80b2c228c31ded8c54083ea3f19d0c066a7

C:\Windows\SysWOW64\Jejbhk32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Jejbhk32.exe

MD5 21c4c7113d87adad6d634827a160f7da
SHA1 916843a8a486211623285bf7dab12d6ce50f1af3
SHA256 8dba7fc94528975a664c563ee8a382d52a1c2cf8acea382e59ec2412534da334
SHA512 caf1d73a108251be31f62035f8efa65ddf2820a66ed4f32fe85e91a0f1ac2a2a843b58e0126af56ba8aab4252b6102e1d7f97578752e8e5aaca760d5627c33cd

memory/4180-88-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jldkeeig.exe

MD5 b7180c38310f53e87a92277288cdff4a
SHA1 705f14c7d2df4c45d94c0f828c0f1afdb4ae294f
SHA256 7025e5b0b8cb22e4dd004497be25b1e45a8ab9d693666027a96994bdda0a6ab5
SHA512 c6fe6b9244bc6392a652f619d1a57af8460c3f637631f82a588085342eef93206d428ff2facf4f14f95c32663d387821f54dcfe8a7aaf4bcf69c284df3d06ff6

memory/4504-96-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jaqcnl32.exe

MD5 aa7ee8f810f9641405fdc44d704d6c29
SHA1 22ac566b305f1975f19f8e4e9253eabadae29445
SHA256 b4e37558409feca694ebf83a443f6d128e753f4f555cf4dfda490a62165efdf4
SHA512 26e277dcfa5e77d221e82ff7fe6b519d7d0235059559a72c5244842687f495dd18b4f9df93872916df1b216c879fbfa284602888286961a9d81bbb24694f0640

memory/4900-105-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jlfhke32.exe

MD5 e27f06f98811a16a9a179e7675ebb029
SHA1 4aa34d911cf2e694772a3e08de12a0f85e3862c0
SHA256 8f70ee53adadb23eaae1c7175e20868e3d4f7a7fbdfc49c9749638537ccde6fe
SHA512 0039e3d1388de5ebf804fd4b74ca67747b96a86fb13588453ebc3a0ff0f795396fc4b1613596072f3f515757057091eb1d0b4f557d380b668f315e60199616dc

memory/1964-112-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5072-120-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jnedgq32.exe

MD5 2ae2825946e812ccbaf9a5f77ebe522c
SHA1 342ac305dfb1bdd7b99707d7ed686ee21baf983d
SHA256 3e4d533c6ce3dd999564389503e51d2392bc6818e00accb59a8749207496c9ea
SHA512 c7c90ed74d43cd604bd806bb3ecd67324e48593c692b93c426b15c7b24ac2be15fb661dc4c8a104503b7a9ea6982c7790e7a4e1b754175da080e89124a6d2edc

C:\Windows\SysWOW64\Jdalog32.exe

MD5 9fdc14ee4884220ce7bb041e130a2e39
SHA1 d3efc72d16913146e1ccd6513657b6b9c4dc4fbe
SHA256 c4f097f8011369c6f67e49fa6650f178a29d763b6f56eacbaebb494f0b26ffa8
SHA512 1ef0a9f8ecbbc611394a07aebfe0a6ceb1454ae0d401c1cfe816a7dccddd676172c419b4245bdaa9c2e7efb48a52a878e6e3bc147f74f6334d0f27581b019b02

memory/4300-128-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jaemilci.exe

MD5 39208a92ee1f8c3248c0d2d717f078cd
SHA1 5e89ef437fd702f21a9c01316ccffe2c8b29b657
SHA256 d22b4ccd760158cfe24b6ad51dbc475e63f4fc9a629af89d938c5cfda22d80d7
SHA512 f463a0de40e2dc92286225f156539e2def143be449fdff362e42326bc98d958b50902ca4f681db8bdb18f3533e3a5e08bb65be4ae62326ed7a192467653fc728

memory/1608-137-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Koimbpbc.exe

MD5 60bd7ae9ae303cfccedefc857a059018
SHA1 64bdaeb236da80c791c7d08370db71b1deceb512
SHA256 322e24ca5fab0adb3719fc1aac7ddb0dfe7dfa7d923e839a0b6976ee88ca4b1c
SHA512 7aa2f0d5deb58141484e4fb932f64edba919308d9d483d18a5fdf4b0964b4d50dc0cb962d5c2b8e3d8f7db0e087afc9035bc98bb070d4fa18d8d0784ca1093e8

memory/5068-144-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3828-152-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Khabke32.exe

MD5 70076320a21ccb6be3a2cd58f32b7258
SHA1 c17cf7b52c82e0a6475e1db41110cb626e651af1
SHA256 55d5bafa1a54a6a92ea0661d39792e607792336a2e9cbe3767cb54636d0fa338
SHA512 33bc2d59195906f059f48f64906c29f43bd435566eec5f26b7b3524a771f31b3b7f041aa7703c8f3ce30ecd49c6c175f43172f6b9eb86e814bef91ed3629c2b3

C:\Windows\SysWOW64\Khdoqefq.exe

MD5 b23e4a276e6fd6090d449c48f70a8236
SHA1 27f4663e8b047d6312b807a62d8bcd6389d58686
SHA256 03de106165d97e9a6876f432ba050fda3b34968331c6cf622554b5a2b43cbc58
SHA512 6ef73d0f133f2d856a38daa8cb01c7697c0e4b109c0f64f21acc195a8f58f041bfba68b4131a1c4067b30b53e084de53b68c26eb265e1ef9f578c5125b81737d

memory/2056-160-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kdkoef32.exe

MD5 caef8b7e77570a34dc1a1644b39dbe1e
SHA1 71fc51c48ff3f1db61818a7c182430ae78ead4d0
SHA256 9ce89a34d43bd4f9228ca21e54026417e67c84ad32dfb1aac35ae28c5601c12e
SHA512 d6b2bacef5313380701e46fc4a65779d8ef5e5d77f0b76e36d9e351d025a6335f72f607f197a5c3792011409f784144273c9e6a003bfbbfd1205d2a2faff3347

memory/5092-168-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kkegbpca.exe

MD5 010267bf6efd7feb2a54dff2bb552e5f
SHA1 f0475782add8b72a6e907fa2103143fad23211a9
SHA256 4d730038c52f5a52782fc580b9d9d3f96640833eff4ac835072d3b10e11c9225
SHA512 a7a38abc3838b0bba6a861902cf4d83058a5c91879f97cc820a8c8bdda706e7a274ac13c2353f3ff4ee82805eb4d4fd9031cff10bed2820fa6b2f8b300676100

memory/3852-176-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kejloi32.exe

MD5 8064464f7f775d7c08482f67dea58dd4
SHA1 46c22eff97445ba1119c1196c4bd3eac21e09441
SHA256 9e8ff1b0dc7890e8a635d459f1fafa0d12b116a2a9d6c1c3998663bb761a59bd
SHA512 db191fdc51d63ff6ef3520b453fc879724492b3716bee829f6f06800e7b991a5fa6764679657e0d0ff08817c7e89d95a59b2062643ccc7a120ece88ac8e9b90d

memory/1760-184-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Klddlckd.exe

MD5 379ac21753f2ec5d50d5dc095afedc1c
SHA1 04efe4f531b7db352c1073faa1d4a1fa57b205ac
SHA256 2158bd4d8b4c25f1654d596426dae6434fbbdf249612babaff81cbb243f40e7d
SHA512 63f038366b47d2a4c81bf6f001f8222856c1e61ac269f8029ad2e218cde54b2dde9e8c150bde96db54cc852c2e8e064358e825f42842b7a952269e16af88fc3a

memory/1932-192-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kaaldjil.exe

MD5 78d2ddce0106999f8879a108f69107e2
SHA1 1b219c333c969f7e7db191966bacc159feafd335
SHA256 81b1988cfb8ccf1deeb5f5134c5695242f36d74f6c38b2ff154bd68ac1d84357
SHA512 61edf00d074f167ef11aaf69337c358a4ef75763e98c2cfbfcd6e1da5b4eafa2d73086098d6f28e41f8a47db3dd4694747b98c483c3eb1a64a2608d7ad0b1705

memory/468-201-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kemhei32.exe

MD5 c949e2aba471d3eeb1902a7f0904af4c
SHA1 db60cefc99f24ff806657a4c206edfa77ef5592b
SHA256 b8489231063d8adb6ab9711c85351396033c974da55634337506b98d50c29032
SHA512 2b75e09435d9665f895c19eb193fdc3ee792b3bb8080f80bd366e83c0d29219fb14990fdd4441d1eccafc4155a9591c38f54387804217b217a59cae4effc1c8d

memory/1084-209-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Khkdad32.exe

MD5 512767ea769485b0cc2b0df37693898c
SHA1 fd5cb4cd580f0a085bac276f720cba4b4e2d8ac6
SHA256 f5b5b5d831e5926b9eba8877dfadb5d45853403370210294e101b8abf6117e72
SHA512 13ff6b879da3aa96e24fd147dbbd9a1d61912a1669153d06109e219dcb746db85625db6f078ebbc3fed389a01478da8c9a86e8c610a2b280002ed63558a0a283

memory/4632-217-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Loemnnhe.exe

MD5 30a83777c6972b578e14371f916e92d8
SHA1 6c70cf5c40da394ded1f192f22c2144c8a353a0e
SHA256 1d7eb64d3fcd9c3f90b2513be7c35acdad5ef8d95e5b6f143235f8812f1bbd88
SHA512 266b768a7c588e8b15b349aa56d3c04d6c0a16f917b25fe0aa9f3c453271cdaff489e89df8fbeb92bca602e88c952304a52b9ce40e342a822cc9c2cfdc3a09d6

memory/4448-224-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ldbefe32.exe

MD5 ffb94a6009c9216a4bee0684116d462f
SHA1 9258ac1327e8ade73282344f6ed11052b47db828
SHA256 cfb98518150056ef16ef27bd02668ad9bbbbe876c6fc8d0920538d2e343304c2
SHA512 241c53040517474a81ec159a87b5ce9be9c10360fb0819e9d09724049064aa8e6bf013b46dc56cd2e5deb90c3b9b56dc16079fad5e2ff3c26c228fc715e35b5d

memory/408-237-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Llimgb32.exe

MD5 b3945f959d75e459ab2244234e3738f8
SHA1 8798a5616d023c56b34580447ff164610ff4a291
SHA256 1a43693aaff401d18058d0d9cfe52c97d1864f67af9384247b9b249ba7ccfc98
SHA512 aa19f16251fef683a10cf60f6d705f31c22a3bc6b59dd142420bf96f06617c819abba59fde4ee56195fd239b1ac1ff351325e49209c931bcd864992fe0396411

memory/4124-241-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lbcedmnl.exe

MD5 588e449780bda7af7a54b2fede997d82
SHA1 e70974b79717674c97630cfa452fafea7dca4e21
SHA256 2f2fb15a44ab7af21832521e93f52890f623ac2a22dd55cd857f8d9d52cde75c
SHA512 e6945e0396acd3684969ae465d162a7815887a7f9259c28b16fd7800487eeb51af85b34b00746127991c78e8523d4164068d8f12f1b57b0d7d7b09bd1bfc4a1b

memory/4872-248-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lddble32.exe

MD5 475d15c001078ee8db3a46f6527bcca9
SHA1 56c131ee11d7b00948888bcf4a4153877f20bdf6
SHA256 a29b67f64471f7bf99d4a6ca2fe749554acb13c5a98edba0c817ca0920319c5f
SHA512 e58be77ea107725b84cb9e63b223a5ec98f6e57dd6ad381e675decbff5e8df85458d2fb6e93b720a0eb878aef7abaa4a8febd2c8c7dfbc4c709ac3c83b3d95c2

memory/992-256-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4612-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1172-269-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lefkkg32.exe

MD5 157fa1311758e28209be7aac9ad6960f
SHA1 cb66bf46d5bf159e19fd2d849423989c401d221a
SHA256 4c14b49870a209ac9a82c8b8a345e9c6b88aee5008c0b59868f39182e0bb20e8
SHA512 8cc52cf2a5a1ddd72ed31103b2ad6c9a093a45ebe412f6b5db47f16303d503cc1f3f2fbf2965aefdec96fd7dc50d34d2d7948bff6e434d79093e72c7fe7a58a7

memory/3388-275-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1480-281-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2060-287-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mhiabbdi.exe

MD5 924b224c2d634f3766a62b89cd868f37
SHA1 d63cf5078d62ab89faced1890676f03f5361f799
SHA256 e7ca7bb821f9133cb3ba52a542172bb115d7e2431abed4a18d0fa76f6fa0d9e2
SHA512 ca95646142cdcafd7ac9e1d13de62c8378acff20a53c0abdfd4bb606c6ab66bd66871de9401eef5d53f8b301361c136238989ba116312345e7483f089b88264c

memory/1028-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3052-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2264-305-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3120-311-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1168-317-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mhpgca32.exe

MD5 375e6069645c254e33e10d5d8b5ae47c
SHA1 3f349ecb28a701fe811c97b56ff374cc01009f76
SHA256 4d2e5e7cb33d97bf5b1f79e96340ce7b920a3bee15edffa7108d5ea86a2f6405
SHA512 8c805746af4b7ac0aa7e6f5a04e679252a3414b55b891bddff933f99f3942d324bb77d6e68ccbbef45a52bfb37339609ef9a64e842608e6f209953ab49b0a0d4

memory/1860-323-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2220-329-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4016-335-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3888-341-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4972-347-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Namegfql.exe

MD5 5d4ee95bc94e9a89f32d38b7d28183eb
SHA1 d9917b8b4341fb21c2be1debe0ddd3643cea676e
SHA256 c40fa04e679dede0f9b3305c690712df5fddbe7cd034352fd8177627a3bb70a6
SHA512 658fa323f329d8fcecf28f238d872c8db614a5321ba133603afeda493163561523e9708e13bb437d8874ecdc74acab92919c93d018ddb482873f0054ca2967f5

memory/624-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4412-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2788-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/688-371-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1540-381-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3528-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/744-393-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3508-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2148-401-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4896-407-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Okmpqjad.exe

MD5 51efedd789a63a42d82fb566f218e29e
SHA1 ff628074f2d6de68c5ac85e2acdd8f24d33e8644
SHA256 39f3dc62a743a034cc8a7809c77d4af95a31e8c5f48d0b4f33e97c7588b7c9bf
SHA512 326a50d5e751bcfde3adfc5e4b4bd5a89c3d7bb55a86b778cb76c4ab6b9d38488495a2a7834686966a2c0ab153788be16b0e76b6b286bf00e8595edf2e5b4590

memory/3920-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/8-419-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ollljmhg.exe

MD5 86d7d2585b5f95e0bbdd31a632e6ee09
SHA1 26bc2307bcb9a8e6091afab569c650cf7f36f27f
SHA256 144d2a9935de13431af256fbd521f50dc1852a10a74e5db1a24b7f104a9b3e73
SHA512 7a630fe2b96daebc9fffe1239b51f8fdba35a2a8c070341dd6ec69a4da1e95c91fab478b08e655d2c31e20c1470a8004f73e43e637335a9afe13c3070863f4dd

memory/3544-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4256-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2000-437-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ofijnbkb.exe

MD5 e23110222199b78489762697522535a5
SHA1 926c8359cfa9832ad9a94f40b23863589cac5bb1
SHA256 96fd33d9d070e35c04cfcf18dd70a6fe0318864a621d1cf4b71f572e3f4b1633
SHA512 17720bb91acb4e2e6fd9999abe480dcacc7e9784e4dcb59e91998605b66fe5535bde7cbb618cc743804c601448290fcb2b071a93d746f82ebb494146a80c22e8

memory/3988-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/372-449-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3028-459-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2992-461-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Podkmgop.exe

MD5 e864cf164e948618f00e01498bd1b44b
SHA1 2a6474af40287e307d21b18d70609a7cb82db30b
SHA256 ae62c947c8d2df43398f2c7902fd249833677b9959d452a2723b7e72a3d5802a
SHA512 4451925d9fff9bbe138d2bb69e7d74fcbe307bef22c8db3ec520e18f1694219ef6c6b62a0be0c336249af7917341e46f0c667739bf0572242f819f1cfb09853a

memory/4704-467-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3468-473-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1192-479-0x0000000000400000-0x0000000000433000-memory.dmp

memory/112-485-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pmjhlklg.exe

MD5 9266e850867437966421f02a2f34d827
SHA1 7ffa13a3ef6f1ad6fbdd7ce63b7f810ba55adef6
SHA256 f401ba4507bcb36d7057bd2340531ef41e11e00ad2da36c0cbd2cac712fbdc36
SHA512 5e1cd33ae13637169e1e3bd8a8b3092d63945a854f3e15825938223738d21383f22fba15e12f70eaf6c39e74affaa547fbd082d9f23d38e1e2451a37ea1bfb1b

memory/1020-491-0x0000000000400000-0x0000000000433000-memory.dmp

memory/816-497-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Piaiqlak.exe

MD5 1d56895989cdf1004be2b8eff61db74d
SHA1 6c4d24bd986b5dca60196198675ad53b8fca6854
SHA256 696e68f39db19c48c0c6d6112f6331f38a80be49d1a5603f3ee32265b0fe3993
SHA512 a8ffe98fea6816869ac077ac52d5800108ce981d8d70edfb4dbde8bfca91c69a6934ceb26dee329e63b2caf56128d2f165a1653e1594aa3753a73df8a9de842b

memory/4812-503-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3060-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5048-515-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4116-521-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2568-527-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4816-533-0x0000000000400000-0x0000000000433000-memory.dmp

memory/212-539-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4556-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5160-546-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5232-553-0x0000000000400000-0x0000000000433000-memory.dmp

memory/228-552-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5320-560-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5368-571-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-573-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5408-574-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2728-566-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4084-559-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5460-581-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4216-580-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Alkeifga.exe

MD5 97fd2fdb7da61de51669982b886adcaf
SHA1 cd04db388f2f8194bd61323f04d72952bfac5a36
SHA256 704621ba9aef70695ad9348685e2d3f768e47849e06e01af8673b9ff97550b24
SHA512 9ddfa6c6670d7028df76c4d33afccd9d73b46705c9b52ed9f12d5e27080d39ccd00e90d50a57b321554f2a8e13579193ed6ea1a656530adc1f0d40648848f40c

memory/4592-587-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5520-588-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3896-594-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Apkjddke.exe

MD5 8468dabba8e3cc3dbb87d1003b23a0dc
SHA1 e3c1dd7a10690982c0dbf6b36927fb21a54a66e7
SHA256 69e2ad8e96fe77c1011f87cdf2a1c32f754451f466d8782b0d3be52f809c9827
SHA512 e8ce879b98a9170fe1189b547d076d938efd0d5168fc5a0b937050bfe29d9f449347a8e1a884f4dc0317b44376d32baf5838062f85a79577c9cdc0a4b37eab73

C:\Windows\SysWOW64\Bcpika32.exe

MD5 164031597a5ebe507d8b00ed9d39b4ae
SHA1 a4e8ebbc063ceaeba7f38032a1198cb1bf48cdd5
SHA256 40e2359ed69747a664da05adcf58782d49e94b6e80e7daeaafb7b1e8fe3caedb
SHA512 580da0ac72851b192d33e05f70488d421b533c1aecd689723288089cb4b79c8f79f3460ace2860ab3bba37cd4b0cad5c708b35bb0e3da0db68727bc4afd71aff

C:\Windows\SysWOW64\Bbefln32.exe

MD5 fc4fcce6bb8a81e467f85d0fdd33e5d9
SHA1 aa51619f37a76e04ebaaa0e7c4731380b9ec3aef
SHA256 a3be2533e72072a9e0e59506e74dc7a0354d2227d30f323935f37822c67ece44
SHA512 ccfc29a99bec17cc67498d180e69e7980ca3aa327e6ac402a3a846f4cea8aab1f5c46bdfb0d377acbf831a1083e9578ba5c7f32075e9644d1a27c1dd5803a36f

C:\Windows\SysWOW64\Cdebfago.exe

MD5 08b5670daef8f4366f41dc408420f20a
SHA1 f6b5b8e1ffbf21c89cea73789032ba99d9d5631b
SHA256 ad38eafd8897196f39b54525e1d99080cc70bfac17b5f2f7b33022100d7db35f
SHA512 b80cc965e27e68ba9c40e8c21598260ccb6f17dfff63c20f5db5745ed339a3762c5ef59fce9f59a06f9dd5ee151cf79c167701654d35fc9693316fcba1fbe450

C:\Windows\SysWOW64\Cmpcdfll.exe

MD5 36f89c095fc2288aa23bd0ecaeaa0b56
SHA1 d520a4d1660fe799089f06d5b41adaaebc6742e9
SHA256 36942ab10534b0cf1d6111b658dfe3e179dc80f4a1cc9f01705d3bcae2751c0f
SHA512 b7b948e2ffdb1a2f424e8ceef3572dba165eeccd29040b69adf9b023aed120d4043e147f30fac0bf92b851e0db39957d67b8e64996f1ea9436efc98bc01a6e76

C:\Windows\SysWOW64\Cepadh32.exe

MD5 b5ebbd947ef1872ba64eee800285c4d8
SHA1 b03baa1fe250cedc35624b86a7b43e4733bf239d
SHA256 f52c2223e4bd63e7a626f82c308181879018995336709157b85d87ec0c88e34a
SHA512 fecd871a74ac5ea35bd5f3f3f30684e198dc69d815b2dde518270575eaf06c491a5551fdcbec8a0d56ac9b82980f99c50b4aa9e2eb5865a19083f2d750d50509

C:\Windows\SysWOW64\Dpgbgpbe.exe

MD5 0563e76a174ae22e568c35ed035c604b
SHA1 94f88e1440a62c5d0f951e5ad703cad6aac0219c
SHA256 0eb43912ac35b080cc7b1d96d34cc3dc649bbe68e878c1a0033bfd61e74f89ae
SHA512 cc8bbfb9f2de74172fec8e26d4c502f9af48cfc222398f688805e28c0ced3c5a6e2ff7ef9e8dac28e65e8eec21273dfe4ebf1fe9c28c4bd170ac70f2eeea2c5e

C:\Windows\SysWOW64\Dmkcpdao.exe

MD5 d473b3a360825f3499c081b3c64cc7d9
SHA1 7bcd009faff9359b094616dd35d4b6a050c0ea33
SHA256 19fa5ab016fa26a48d322372a55b8d6cea8b9c67eeebd672ac9975fff2d5dffb
SHA512 bd09d12551d4f3fc794385268d9b596e46862c7cca267e016e3caf70d8654558735b54992ad6d7db9752636d471a59311d10ec2a119f3534d0ae2f6f27cc96dd

C:\Windows\SysWOW64\Dcmedk32.exe

MD5 986f5a489183a7d3216d140b6877e6f6
SHA1 40cbd73bbd2ecfbc067468771b447dd6dcd5ed36
SHA256 ff3dec211d596d7c44fced47361c4fec694c50ead0cc7d8b9cc4b371fed3f3fa
SHA512 fe082a5332078264e793be90c35075a6650a602313c55afd36a91bcbcbd54d55ce77e5a4b7cbca2d11c5604e3cad4a630c070866b4d993e3c7ac4556a78b1c1a

C:\Windows\SysWOW64\Epeohn32.exe

MD5 ff86fe30ba7f8bde91d3ed117b607956
SHA1 6688dd19ed7bd68fe10076a26e7eed675e3aa640
SHA256 bef12ac3ebb454d14ae22c558d52959ffe69dbd3064de0d712ac5d02e1f461d2
SHA512 338d66d9a15620ca045fb2619f718ab43c5b69948bab8db06e70d498b472c96b5d909dd9706a54aae072310d0d2d8b8009d55b9c0de97c238daa6002225cfef0

C:\Windows\SysWOW64\Elolco32.exe

MD5 befd119073d42d2b5af6fa672f685b03
SHA1 43371c5c92968e1accdb31a12e0aac23138d9d32
SHA256 5132af562152f47fb68fcc947fd3f355b6dcf431261be3ce5e681e14625766c7
SHA512 d333faf194a33ad13a7fa1ef4f1abac61edefdf6961eeb2087e648de18826b6cc64dd4938689c6d7c99fca5d73e0b7652af85e06cea8fe19489d43ba0526a643

C:\Windows\SysWOW64\Fgfmeg32.exe

MD5 615aaec26d2e3f9a36d91cdbfd4d3c4a
SHA1 b9249b962d04dfa74bf4cba964f928ad5a27d6a0
SHA256 8d8a6f4cf73ee0f3922c272b612f16f4cc6a87506c09f35175986e832e1bacf7
SHA512 7d3d8815b98c847faf30c50df364b8e77aa271d59cb010f846747934e99c1f98f1910843feb324f49ab50c733dfd329081695b925c743924c20c730e7ad53250

C:\Windows\SysWOW64\Fgkfqgce.exe

MD5 34b8db02273d60b8e3e3ee24ac6de817
SHA1 f98180cae6a87dafd7a257e2410d48663bae9e59
SHA256 76cf0196c616f40a84133848fadc14420362ecbd57d3c2df2dffe39146ae4bed
SHA512 dcdd380ffb641bc4e2e48e6dadf98932bdc1bc9c2d4d288385503da798bd44e05208eaf1da118b06ad93d0813a36efbe87d899554e39455646edc856e72a0e4f

C:\Windows\SysWOW64\Gmdoel32.exe

MD5 1d6705ce5cf1228ee0ff851bce6ccd77
SHA1 e23c6e1c222927ee194d547b584527daaeabb3fc
SHA256 7f3d57e88bdd3585e8a9166535da85dde18d53ea1599a0cc80fa3dc404bc83be
SHA512 899335742f1b27f419660b7590a0948025377655aacd6187b600e9394cc465b38bebca105cffdb153220a94a280c56ce0995c458167bf0b948dbf735e8758caa

C:\Windows\SysWOW64\Hdppaidl.exe

MD5 df2e0a9bdb4363a18c9952f716fd1327
SHA1 7d0d7bf918a5f579e795b404dc0dc33f47998c6e
SHA256 0937604c38300ed11b9ac14e47bc6da180057682e53920e43dc9ba8504c6891f
SHA512 ef6fa1290785316e892f560f4fcb8b2e6f21af73e7ff6611cfb99578448a8b1974cd0d78180b92a4c80661b987a6c00c216083f00779f943d6b77468418d1fd5

C:\Windows\SysWOW64\Hgbfhc32.exe

MD5 da972e4d2d152b0c5857c7a25d85cade
SHA1 d33233480b67f2ca89bc0d72e810f82b7e93fa05
SHA256 12d1d4611cac86e289dfc8ea58478c16874c1dc9f6750de10093407910dc7092
SHA512 de7fd31edee171fcfbdb76a505c1de06212e52c06d19c449fcd950e5b1ad92deed7e09643c715d88986a692090076fda60bcffcb2f334c9424400369852d15d9

C:\Windows\SysWOW64\Imdgljil.exe

MD5 016c7c473ef298dd2bbf570c07b902b0
SHA1 307fe6a62c96f3650d527e594f8423e5be917763
SHA256 4416b19d3fa89fb6429db30fc1e6894d250ad9cf50f2d23fc7610967599ce586
SHA512 9a864a808f615e6ad654d0212b3cd665f38c3dce5e899ca4855cd30735ec4ad9848478372784bb50f0faf2834310bd77f961c16dac40f80e59b5859357a83a9c

C:\Windows\SysWOW64\Iepihf32.exe

MD5 cf6b65ea46474353eed8f194a65e5032
SHA1 1a807791675d91c05857911518834e62fdb6f36a
SHA256 ff0856e5555f73b9bf85f3feac6ab49d7ffcb7d402ef1c3cc4efa6e855497830
SHA512 f0458eb42a2b766c67adc476b25c9e72764c08030d897362eb84acfad7bc25436fc107c11e367222f95ca4e6dddc2b2bb93bc723da575ddd8884e02564e81eda

C:\Windows\SysWOW64\Iqgjmg32.exe

MD5 68ab84ab61101b5bb65b9b9d8f9b973d
SHA1 47a8ccbe9038acc8462ab7e40b17b567d8c263d9
SHA256 86b9d146e0c6a5a8a9c028d05560f10231adf707c52a21794d6e4422f297679e
SHA512 2a407843b93eee527745841849cc7b893605bb266a23d9ed284e9f7116a7264dcccf1bde19ae203340525cae6c422efa2f04476706b76dd0bcc45779565981e4

C:\Windows\SysWOW64\Jffokn32.exe

MD5 ea4b1ad95a3d9ac429ed68ea019e05e6
SHA1 71ae9fee4bdf91da4b05f80004bf662f310b10bf
SHA256 0bbd9ed65dae44fb06e0224ce570fd108deb14cd139ed1db77fdea60bb1c9749
SHA512 397aade42ebe894e172b55c5f4ad1d2d7fdb5b9758400fd7e3d2c950be3906f9cf76b73a6cc89bf1ad5eb60b39143839ae62df897dfe199be83f9ad4c01e276e

C:\Windows\SysWOW64\Kjbdbjbi.exe

MD5 da5161a3bd65c2ee6a69115dc411db06
SHA1 687384d5b36791adaf45904b38037cb161bccf48
SHA256 a8d32b35d887ed2091e31a3250e4f9a0b2560bb862027dcf8e7607f6dc5a82f0
SHA512 8e9ae0befe2c0e0ad38a1aa6c32c9a03845b9bd37272515f9339ae56d41eeb19b68c1413df27bfff09f503774dac7f1c41e84614cf7015907e5a9787e9f29ec5

C:\Windows\SysWOW64\Kmbmdeoj.exe

MD5 0dd997b2f6387ef3ea80adc34036739b
SHA1 b206e5b1d7167aedbfe70fdf53d17dca8a17e08a
SHA256 090d9aee7faab3828590acc4193c965a4be9e33209c4a5be334222d932f91796
SHA512 0d30a11ee98deb34b1208c9e9a033eaf86c9153fad43825c79d7f103347b6a5cd30f3ebd178e524c56dff3def5d3cf33689bc773ee0ca6e88c1e2935eaff1c29

C:\Windows\SysWOW64\Ldoafodd.exe

MD5 fe11fda5031286341b577af2f5370961
SHA1 db74cb7b3a183cef2ef669412297b6a846094d28
SHA256 33cfcaa26313d7ac86b44c9ecee3d93c2116d9dc98305bd52f3c5d7a0802e8ca
SHA512 07c1d25579667092f4582b8e9cd27bf45227addd1bc844e1422d01371f7e98f12ecdbd54ba2df15f1a77d5e11ffc4a19907670f7887acc20d31830238fa9722a

C:\Windows\SysWOW64\Maoakaip.exe

MD5 a590b2c4a27b1b59f9e90787eeb89c08
SHA1 407d80ca1ab6b6bc4f3955cbae468ac21e8a34ea
SHA256 b46ce5efed14647cacc9ebe09e63e77c0a0f4a211a05c47893a940f5f53f4bd7
SHA512 b1ecdf960bb843d5451d36ab31b46842e10e2eeeaa18244d780a75c51eb760e854ce604e0d62fe0407801bf6f6ded5a5aadcc1f773756a811704ecac570a9be7

C:\Windows\SysWOW64\Mgngih32.exe

MD5 32c36c567b6380e860b545b5d076606f
SHA1 7599827dd1fd23972f74c8b3c273938af44b4665
SHA256 45f1e97d35e82b51cd969ad5aba4d76e4fe928cb037d6901c216610c0f773087
SHA512 e11035934dfce7d8ba3d7c006fd2cd43b02921f1078a0200db47db1f6a0e4815501d1d2a376fcb97f2c0ef6efafcafcd31763fd09582149c9b64657eaa564298

C:\Windows\SysWOW64\Moglpedd.exe

MD5 a7d59110b7bb729accbdd8ae94638cfb
SHA1 11f40c23ec7e10dbe85b7b36d041dacf023ec790
SHA256 513f9806eaef3e342090a488ef28ce7698253fe29545ee59b5b7d78732e85659
SHA512 4863bbac8339aadaaef3fc918022b036b131dfc46bb72eaf71b3a545b39454506614ca30ee0904b764fa192cb3a210c46310783cfa87c438e1a5c7d44fb14734

C:\Windows\SysWOW64\Nkpijfgf.exe

MD5 2ea3d8ed4fd538c056729566a5650688
SHA1 1138bc40029a20cfc6f716baa333734d6ac92152
SHA256 e732cdee8532a34becb8fc627ae41a22103cf12d9ba64560514a085a11f5512c
SHA512 f774cb5424d1ad3c01eedbac0f193b3d2b3ef7ec0e9e578b78a1e482f4d7a85b41e3a84f9571bca3d2a470c87b6838f1e3f7f3b38500eb2468b92d7e1b7eef82

C:\Windows\SysWOW64\Nhffijdm.exe

MD5 d0a8bce5614124edd36eb70e023b95ab
SHA1 80ad8a94ffbed755ac11555e45f55357f527c37e
SHA256 51785a93bac58f53bda35fe2b6b8c7121ee2c548d22503373e7ff6f2733099e5
SHA512 3812e99d9f61df58db5a38b8beba27e2e0c9b8b1daa2513fca27c7d731b78cf94d06376d12ea415ba77506c0487a96358f2c988daf2a4c7e35a7756c97c8b865

C:\Windows\SysWOW64\Nejgbn32.exe

MD5 1a4e718ffca33053fcedf09598cba409
SHA1 9646cfadeda35475beb41ce4b5b23df2f65dd6a3
SHA256 f9b7944fd9d2f703351d4c2a24f203de3961380076b585d3347117efaf4f7e91
SHA512 d3607a47306151f63a8b18ff3d7651e85a27afc68217b9d257c3d318a9324a0e3066d930df42096119459626f2bb8dd00d5b190771953b1c8202cb79b9b3e817

C:\Windows\SysWOW64\Nnfkgp32.exe

MD5 628f18f805e810d53ce1314a04f644dd
SHA1 cbe9da1fc8f53555159c76791c629bfa0ee6d101
SHA256 3f0f2f008300da8e5ef4a7ebdae1d7dbf583d3d99e74b19922f4cd0b4d78b773
SHA512 32aa0833fa4907e4e18864a16235851cb983bab8ae9d893c6b2997696e3e1e02759a6868746673a87122f839644ff466c3f54d85305cc553e1aad4dedcb23379

C:\Windows\SysWOW64\Noehac32.exe

MD5 fba62acb56158bd1ffcf10be50821377
SHA1 2b80d673a0ad14555dc42151cc7cd1e0b45d34af
SHA256 6ae38c4428f2ca79fc8499c2429c5551d228e3986084c217e4b4f16bbfb322e3
SHA512 ac969730bc305541e85c1663a3951a4dded2ed6cd5ffd8ccaf8cd1f77b6484887a540bd06ea7f0022db3e0d56ea471a537ae922e66cfdbd8eb91cf2bd917a270

C:\Windows\SysWOW64\Pdpmkhjl.exe

MD5 fa321ed409f9d25700c92dacdfc85e87
SHA1 f6d5d6da129fa32351aa59c25cf9b13c6da3d774
SHA256 b0326d11a1c663577dddd71fc3aff4342116d718cb2ceff8290128bb08312e29
SHA512 46167ed4edb4ac614e51de7fdc81e68faf3b7a7c267258bc11c3438a55f6513be8493fea4aa8b37df28c17d8bc30a5633f02365e0d1b34d7fce474496936f05f

C:\Windows\SysWOW64\Qomghp32.exe

MD5 941363f327175c5b997dcfebfd8cd123
SHA1 8caaa3933cd63049cc4574d296e227b1c0d8f47d
SHA256 d6b2d34088561244dedc3fd51b5e98d29cbfe406e339b7c4622f2e414c3013b2
SHA512 438e484566aa10e8313a18a8b9dde247524e9bb456e02df6e160ff3381ef47116af6e7d4a31fcd5cd7e13c0cb197b31944dd7efc9354096a3255c44690c375b1

C:\Windows\SysWOW64\Aeeomegd.exe

MD5 8b72084d80fbc907c29c16cd27d9975c
SHA1 cc9d96fccd7608c4137dfef104e055f2832915af
SHA256 ecd80c9d2d26fd7f8cb47d11aede2095afe2b80b039e558ceee9c4ce14110f3c
SHA512 075d255cf52367c5eab2fc3c2136362c87d515c9b818cdb9245655f9e2fd946ecc2e4bb606692bc19b4a597aced5d27799b4901696503ead75c11975af0d4976

C:\Windows\SysWOW64\Bihancje.exe

MD5 1682f4c8b3991b61f2c24cd26facd45d
SHA1 69ad05b3f5cb204d3710702f534cc482bc7aec5b
SHA256 b54b1dbe749486193a6b8e8825017eb7fde62684183d710b5911bd8cacc5ecc4
SHA512 c52e42c4cfc4e15938ce02ad657ef21531127f1f2ba0cd1cba91df0779800d6ba9ca365444d72ce5454ef39aa1b18a763754cc3379aba602934ad09e3cd123c9

C:\Windows\SysWOW64\Cfbhhfbg.exe

MD5 b7f14802b696e5b755fd96e15e67d5ee
SHA1 1ee27f983e5110f2e3cf403d6960bc549d9e0abc
SHA256 3b145e8d5d7bfc75cf546629e34e26471a6519b426e2ef26494005f2e01da7ac
SHA512 21129ab74aeadad5e75783fce44ce1528ef514565057f2599245d133101fc0df3eb34d82af3b3c95863d3278cbee6cf35dd71784af9b9a8e2ed65529d6ba1d2a

C:\Windows\SysWOW64\Cldjkl32.exe

MD5 ca49482e0d0826239064b8cf0a660efc
SHA1 f157f1de700132034bc7613d2021cb9b7010f799
SHA256 c502491d70de07372a07cc0349fdc592bb9a745e6d24d146b332d9431c82cf06
SHA512 5bfad9d25fbb0ea338a771dd25f68b48d1a37409ea45a998bbd5ae3d8b889ef45712d702fcf6d573937323880ecc7e59a1cbff0cff4a66c368a6c524578483fa

C:\Windows\SysWOW64\Dngobghg.exe

MD5 a60cc8d53ef9cad46313364f7dac6f31
SHA1 9fab602d3b1bb035e58b435bffb02d910ab951e8
SHA256 696908d8aae7e9e991769f3b404f5e341737316a739395ed7e4f924efc81fd6d
SHA512 af8d1fc277d33cee3a06a02c15e10b8c3580708a6b93206f60d1dd51018d85c43f73f1d4f8879b50f4a7a3ba58761addb56058349953fee65025f2843dd0ef0a

C:\Windows\SysWOW64\Doqbifpl.exe

MD5 7b5bd833140209612d98b0fe12ae28a0
SHA1 5578717b67540c03fe10dceeb5ca4bad3fab7a8f
SHA256 09b9bbc80803e3221edaa0f40f4bbcde84b2fdc531372b6a28d9943910553783
SHA512 fadf9f99ac942a30438a18ded6a62b3be54de9abddcae2a2be2ccc9c768b4652bf6fe00932d9bb013f89a0381f3639a13c2273f6f2c7df76f3119cc566938506

C:\Windows\SysWOW64\Ehnpmkbg.exe

MD5 6d71f5d651150e4aa2c4eb0eb619acf6
SHA1 c8d07be6c2d771e94d651f3d5048ee84f35db2e7
SHA256 dd1f83a0b2e61d1801a46eb8b0f50ff9d42a5d34496c46ac8cada2b3d21bcce2
SHA512 5908929d6feb4b6119c741d4fee889c615966e8ebc2db5636e6f6de21e665d8729f2a03d1f3b7c798740619f107f01636e446953ee6d5ac16e84df642f1bd9a9

C:\Windows\SysWOW64\Eimlgnij.exe

MD5 ff7f1385cd9ef7b85b02aa5263f660b5
SHA1 73e5762bc1cfa3ccfb53eea0ed3d60a2de98c9f5
SHA256 eada27a48b0227b4f156fcae6975a3c649a2b220d6719e22a58689ca0b5c2e95
SHA512 51b64d74e15f9725f2613033a7bb7d6afd254c5d5cf0dc48d42b1f2d79e81461534855d9bbc4701e4daf6912f9eec883715f86495bfba4d8a127ca48889007af

C:\Windows\SysWOW64\Eipilmgh.exe

MD5 d18198de7d2711d0b3147bacf1079bf4
SHA1 2ddd6067aceae00f2d0d6e63bdf3ae82511d743a
SHA256 fcdb457677fe3fa7366cf57c6ebe3409af38756b728aff911cee9f68f9f96f98
SHA512 c7d3c867ad6ef05e9b71807c49591753c708769b670bad042c49d7d171fbf1591d8f0784a0ba87f6363b82f2a812decd6329e9059cc20b2d9d98b43da40fc1d8

C:\Windows\SysWOW64\Fifomlap.exe

MD5 17227daf4a1c0ef56ed5888ec591b36b
SHA1 9eac70153e8eead30a2ab7282d94b0bc29ef1e8d
SHA256 964775297f74186ee909e4041e2d8a60db821601337e46205886a6075073d625
SHA512 fe6b86943a2ed1e0d363005cf41a1fd68e6b18354251e8f0ee5abaa7c5bc10fca0c0d8e6e96bc43462dbe99d6bb7c6a44ddcbbdbd5013f59554aba2bf0e9c681

C:\Windows\SysWOW64\Fcodfa32.exe

MD5 0b99a5830e08178203b8743bd02a0bcb
SHA1 f0050d1cbf14d2de914ff32f5ae77f77ed983552
SHA256 065b97ad4b482d602bd4cd04a230ee539f2137a040f727a706a64e3cfa7adde2
SHA512 76723ea8d576e0691d1515045bbdaf4591cd0114310a735ec0bc9824d48a481916de841767e6a3f043f6f5b6c422c01f22d8551aa25dce426891916d641884c7

C:\Windows\SysWOW64\Ggoiap32.exe

MD5 ac5babe075958f303087a629e5160958
SHA1 998eece1438cbe097c2be04daaa532459ef9fb0b
SHA256 02b577eded0d8a304c49ab106ee311af1c275cd0109c0443def1937498223a2f
SHA512 7ae2744ee134a2d8771d076e7392de28b25a9b4cf3fdf300ee1938c7b34bdc2ad88544f892720685d39bca503bf9a5b0688843c409bfebb7dd02a69bc53314ef

C:\Windows\SysWOW64\Ggafgo32.exe

MD5 9616d3eef2f39ea58bfccb666379c495
SHA1 7d9fbc70df212fc1367724743679f2b9efae9869
SHA256 c435f16e99f84489089f7421a35a6afaec5b35d4488ed975c300569ddd37658a
SHA512 38fb1b80b5e3f260456e139b0602db773e650d43c49a6ae2441f2666086b3a2d8da1f31cfc43ce698528e8d0ffadf0c25c19877bd0c6a51846851701183aec67

C:\Windows\SysWOW64\Gchflq32.exe

MD5 f799a56d5b826c5cc0ababbacb4e3b82
SHA1 211b43d7be874bccb7afaecb3628acf200cc4264
SHA256 b25cf3c8b194afbabae8535c6e15ddd4a36aed6406202f497aa0919a1ddaa40e
SHA512 fe89ebbcaf28e189a3e957bb4905521338fb4de582874aaf4414759768dfa27260e913f034badaa03a39d4a572566d4356613d9b616d8cf5941679dd253e4e59

C:\Windows\SysWOW64\Gplged32.exe

MD5 da228ee58292cde7db043590990e4a6a
SHA1 312e61ea13fecd734eb589d3b11491a790bd3ccf
SHA256 2d8d9f8d87f4aebaac02d8bb908fea3fb5bf3c3f467454a48be629179bf69745
SHA512 d92963586873204adf015617f96173ff4bcc717903762277933fd73d589cf6cdbc22d9acf69aab622fb1b7708b05de247472e5374ce903caa780b3151011fa2e

C:\Windows\SysWOW64\Gcmpgpkp.exe

MD5 6e532dd7e0ee2036e22610e1bec2f68f
SHA1 13e59ceec682baadb68be448f7ee0e67a0ea8006
SHA256 2d977b84ca7555dc2c38208e837d479a741bd24e65655e0fcf693eb6712de306
SHA512 dd0b7f6da31b4345cf29922888df3c5ea5a039d3e10522eba66a2f10669ad58a53ac7fb123fa8825feb73ca04062a5b46ef328e9cbd332d1b2e32300f97c20cc

C:\Windows\SysWOW64\Hcaibo32.exe

MD5 14a17002d8833ffdbd7ab949820f30f7
SHA1 55d57f26e3a96304bbc79e4b472e9aaa4fc2be7d
SHA256 d7a554f3a65f4bdbe10c495f287bff950051022baaecca51772fc181b38786b6
SHA512 ad4e7a005c7eddb597f059002ce00281573584a3d23018eedd5e61e8fd9758be9d71dd87a99f90b81f8613fd80735b4d3381a6fff29c50f2d38f470dc792a736

C:\Windows\SysWOW64\Hohjgpmo.exe

MD5 0b1c6f5f88f6e095f4bbd0d618a7b5c8
SHA1 b907f16d51d5bfcf5e8441db4e5b7dc7f8918fd8
SHA256 6909905dc2d368628f27132a11d63c18b0986a6925c31dc7f7ee7cef60e4a2ff
SHA512 ae911b2160054badac78dccdef10ccda9df226e2cb4f04acfc718a98348e4277667863db2d42c578dcbcf57482100b603fc402357db70973f055310e49383511

C:\Windows\SysWOW64\Hphfac32.exe

MD5 24f53268dd4aac4e2c210836019c622c
SHA1 2abefb391d48c49dad20457ed92655ab7f7f2a0a
SHA256 013d297e8074c4e1963deb8ddc12cfa70693346bad20780899e5c41986ec5087
SHA512 d5da7067cd9ae8c1639e1958890479701770490147f33b3805e000ac5c6b7b7accd2c5f02e888ad4210eba076195d404770ce0b452c6a1ef41903d906a2d623e

C:\Windows\SysWOW64\Ifihdi32.exe

MD5 edff973b9358e57092c135c4c6af11e1
SHA1 d7e1c3527c8ae4b0b0d2be19b66d585fc403ec12
SHA256 8f9c1e49a4f58cf4bc7f0feb9c3280fb13c57951c6ae7498265b2a035486aab4
SHA512 d98577e1003ee879a3c89d0d56bc1527cbd791911a60403c69acd3a2100af41597e00170fb207cf891b77cc24b894324ee94a7496a543e84fd801017eefa7a0a

C:\Windows\SysWOW64\Imfmgcdn.exe

MD5 a284d5923497c72a83c0aec6039600f9
SHA1 2525dc9266fe1c8a18fa79e23902a5c8c9d0170c
SHA256 5ddb158550bc6118926ca46238bac7a7ff7850d7da9653f8732bb677e8ee3e5d
SHA512 7f10009ed21d987b01d5b170ffccd505fbdd24e913456d98b8a4037cb50b264db65b9cbc6601a98ea5aca20ad87b0d641ce584eb71e0cd818b2c314a0571ff05

C:\Windows\SysWOW64\Iiaggc32.exe

MD5 f23336f3bb3b8f8ac8d64c01c66101ca
SHA1 41072da80fe769b03435cbdd17a4b033b99dd01c
SHA256 b4c070c9aea7a5576b15eb14f522653519335dd8ba95deae9c172180e5e01a78
SHA512 b182d933ffc2f790625da8b23a2b605a26c804c153939c586912e95b70eef158cbd0f6482dbbe9c0c3360d4267f3cb5654f5ed4bbfecedd55c5627db0f4e6f08

C:\Windows\SysWOW64\Jfehpg32.exe

MD5 f6a0acd580c448f1ab6bfe85af7351aa
SHA1 a53eda4335f07823de69f455be714ced8ba874e9
SHA256 15d51c89b03f6cd233532c700f918bcbad5a50ae6c4edb531116d2d4b913c075
SHA512 a7b064e556e669197bde05027d2772e2dd95f1d1503d23c42564d1b06320a49696edc464e1117c70d1f75c078edd8c38caa7d6b17bfa2a396699f0964df67da1

C:\Windows\SysWOW64\Jopiom32.exe

MD5 47f82aeedd6aac29463a9272def65244
SHA1 20925406c416e9dc4f1632f271340f40e07dc12c
SHA256 013ec42c845e1e4af30d22fdf46bfebf75976c5f847ffe28e0b65653223a1e56
SHA512 daee8c854af7b717de93126af785e8058c64845c8ea7fc89a2894457a75b47f285d8ddccbb2e1840dca69cde9bff72e28073dd9c026582bbbd493a84fb240131

C:\Windows\SysWOW64\Kmhccpci.exe

MD5 f0bf6601ba66a13960c12e440da55963
SHA1 c2a0d3365a82d3eacfbf30e18c00991728150620
SHA256 a5368164320b4b314b4e8ee338db66c6ccb99c6af61e7032627b51df34d235ec
SHA512 1c195994cd64580e05c3b47acd945beab72f9c56ae713adf050b09df3aa438b2e45c7cfbb1442a4ae59d1f93c1b3876d1106028856f51e48fe8745cd8d6271bb

C:\Windows\SysWOW64\Kjopbd32.exe

MD5 1aa10f134209555dcabd238c8dc55fcb
SHA1 cc4a44f63046e20778c194eac4e6cadc49574d12
SHA256 c564ceece2ebdbe0bdd7ef15ba3dcc95ef23f0f7ec7113f81c7963e2d79e3469
SHA512 13c19a3353be037add973207aecdad971a3b3b50d4cbbebb5eba945584386f6d6c7ff0be9473cb3460e2eb2cf66b9991a0539b28b6c545fe8ddae9e3af0d6da9

C:\Windows\SysWOW64\Kgcqlh32.exe

MD5 62ac857d84c6be2adc56df2f44508040
SHA1 e566196010377df3dd427a8fef1350062278d4d2
SHA256 7741a226fde32c6444d9944e87ed0f6492638892da35168ec6b069cbc481d60b
SHA512 80296f022a4be41e376647405a443587e9e6cc38e721d7e3c3f988504e58e16bc8a2801c57726bc70a23815bcbdff168e847a40289e470b942124ba50383ee87

C:\Windows\SysWOW64\Kifjip32.exe

MD5 a019c3d84f425fc44e48189447165a5f
SHA1 8a33858b05b81f6f8abccb030f4115293f5609a9
SHA256 8369c78c552f3768e0c1225344828fdf16678fed74184d8def685a3c2ce29d5c
SHA512 0ff7ad99d87df921a20632ce47c357840d64a055b63370c2779d7606f4e67f122704fc20776f5e8ed205cea4db50de08f1fc0f8badb6129b841f6fe9f07958fd

C:\Windows\SysWOW64\Lapopm32.exe

MD5 dbedc9f782c017c477f0075b44665e47
SHA1 8399cee4708eb96dbc26138871df45c09b05f10a
SHA256 145c57d6b40a10028bc3c04af3542f0e38344f22a9f856f8c7f34beb5972f22e
SHA512 bfec4369767ea7f4b5263af2468080bc3428dae88315a586c09b880534f100b992a789a5d8ad973a94287236c7866461c8154a87fbcfe3a6b99e9033a9a436f5

C:\Windows\SysWOW64\Ljhchc32.exe

MD5 c8fb492f14ca0939bd294abaf5c81710
SHA1 53fcc4b8274e248ffdf002b39b827f2a2383ce8a
SHA256 3b9b01b87a7f0c282fb07ab76214804ec0977ad4894dec99bf9eb9d8010e7604
SHA512 cd0b3a37c6a8e23c9aa4cdd62447adaa941e0ab52f2608932286ef1a750f48c7f3a84703bf5ba3dc95375dd6ec2ece62e8a345421bc4527c89f791a9851edd70

C:\Windows\SysWOW64\Lglcag32.exe

MD5 61a324b246bc2d7028db10076c870c96
SHA1 fcd57452a28c403698adb6dbcaac8709d4464c40
SHA256 d01d175e042ca1f024c8c720f690ac31d26f4a73891a1e602474702ee48ab695
SHA512 198913c859cf1a2f7fa87166125f3bb39ea5c0862023f0169beaefc8b9bf6bbd0d8c4dad51f2641ad889e2997c6bcd1719d1d9bee47a8bb35e460f67eca87541

C:\Windows\SysWOW64\Lcealh32.exe

MD5 42aa166a7b945bf424dbb66745f1976d
SHA1 782130b0a45c191a85adc2976f52ad10eb3bf458
SHA256 7313a0017ac44785907390f257c5abfe67c214db9da787f7b1d88de60505ac23
SHA512 46d02bf12b7b3bfb389e8b939e0edb044f34effdf29641207fd44a2569556da1167204612f601e670e60b7573d792ebc26ff391f53c20a4b3eafdb6b58109577

C:\Windows\SysWOW64\Mjafoapj.exe

MD5 3e680efe455566da98be01d57770ffd5
SHA1 04af614d49f5e6839fb6d87529eff68efff26a97
SHA256 44e410b3d47d03972e4047fea80bc5819e2aa6f433dc9d25add4a091f386c80a
SHA512 bb311f8c57af738812ad50e62f07f013ee8e4630341c68c693a3640a4b40992fe7aaaf99b25bae911b5596afe0f9816c42e4c49cd348646c2fbe68e63bb51651

C:\Windows\SysWOW64\Mpchbhjl.exe

MD5 fc145c4ee3f8e6162d5df4b1da45f11a
SHA1 6391dab9e95b301923d04ff04691473b036d894e
SHA256 9cd0212cde7f218d29f27dbec8b050920275978ff7c593dfd3c1af5fced4dc30
SHA512 1612b999df4491732306d3aec8a1aa9cf1de5685063f8deb07b2a6b205ab8f6aff4e6cef23454ce5cc1ed54321efd296c0bf91acb18bb77c306530e4de84f039

C:\Windows\SysWOW64\Mhmmieil.exe

MD5 eba2ab6c19c9724b815ff9be0fc93304
SHA1 3ba7c89b93ed5ab26b0bbf76d22bbb32bcb7c831
SHA256 6d9a7ebb63b1f04397b3b3a1e16f41b7a4eae89e9087283c858923bb04829f48
SHA512 2c001fcd8c7ba3e4e1ddefa815ac33d9a806be95983f03c964a271a7796dafde6d08379f34bc91cfd04805c206a37636b0ca00f95f88f3358c7687f71171a9ac

C:\Windows\SysWOW64\Najjmjkg.exe

MD5 3c221abdf37a15b823cde8f143410498
SHA1 9524b82b7a19be3bcf117d1adbdc61fa7597a80d
SHA256 8ff80c339f90e988d5b97def5a02f0a0a4c356769e2faba058dd0778255037db
SHA512 7c4ed2f87bc6d2cd8d2a07143683eb081a99494eabbd7be5a16b2cab819413dbe012806c034a0258bc7b8a26d1c0371653544d37c1b3babca8fd8331d88e85db

C:\Windows\SysWOW64\Npognfpo.exe

MD5 64e20bdf1a3fdd1fd4b5a5943278b334
SHA1 ce5af92ab94fb71f520110500c31f6c272315146
SHA256 87a0176143e0073b590136439feb8a7293b2b0c69adce06c9d4338fc3e6ab0eb
SHA512 91808a5460f66e8ef42571da602bea8ad75c18885eb600d2be5933325b18e0bd1b93c0dc854c4d6367250ab8516871d6f073b34818412613a7dbd26a2a17c4d5

C:\Windows\SysWOW64\Nmedmj32.exe

MD5 5e8b8b06dcdeace73842d13e9dd2d86c
SHA1 4e720826ac8cdc15ba113eee49273e07585d62e5
SHA256 561d294978fef2036ec1a843acfe856ed565ec50b7d31ba26a7d70374a09be72
SHA512 40dda39476e6666ea13a7a7e658b2a58d66238ce94d7e3d7e6133f0427e036f9c5e09f3e08b7036dd1d71a0cc6a3dab79ce41e9a8eeb890f6a2b7000a09ed13e

C:\Windows\SysWOW64\Ogmiepcf.exe

MD5 07f548b4578a369a11b34ed5d572a0c8
SHA1 2b813c3fc0821fd2f296c38c75921ed47f4f382a
SHA256 d0bfe2cd9902acc3da9c032b1381b201e85181761dd017971f6cbe78f8f9ef3b
SHA512 619b2523a94d6678e614f5dfa319c8bcddab513d35913eb4649b6d8dee1ca059c9bf8db88a20ce3ed9bf41d55e21d4802ba7b0c32035492f5d017602b50ca18e

C:\Windows\SysWOW64\Odaiodbp.exe

MD5 fdf26df2ece8c1dfb2e8f31c6381b478
SHA1 7a2ad496f653042e28baed4aec0a3542243cf532
SHA256 3e42799bc7d51f36281f16d3c2187afe4fe5bedd9f2f70f87fa725322adf6df3
SHA512 fa2baf503152615668e4c707d7a8f2f670b6d5856f36d3708ff8d0f2ae3f464435584decf47d31e0d33416606c6d2f3f455d77aeab25ad23fd2ae8de2163983d

C:\Windows\SysWOW64\Ogdofo32.exe

MD5 df11b40d1df8efc2c83f7c6f336611b1
SHA1 d76d3afd1249cae1c389fcf22a6feab307747e1d
SHA256 ba01aa2471eca1db74e4e2148bd540503b286878c6d345c938cf2328e80c7715
SHA512 eb60dc8c89d30f3353b9da428f580db582c6839aa3cff3626fff2a47eae162a82435fd90acc6b1666bc7b8f7c9230f3551f1d8abc53dca4dc9f001fb72f172d7

C:\Windows\SysWOW64\Opopdd32.exe

MD5 5408c7dd3b195f60c424bc36587e7494
SHA1 8d121cd05e5f3f4591fa7417c9b09bb2385d131a
SHA256 b5583adeb26befc9c1c85383da356e6e2643aa70cfff3b59fed765f535e0fe9f
SHA512 0ede00a6528e037c38613a72cd0ecef3d0fd4e651ed7474c3890b464e981ed0a57ef6bc0d93ac8109c4ff96faa8c2872cd541bd9be6fe31cf09d22d1354d6312

C:\Windows\SysWOW64\Pncanhaf.exe

MD5 045ecbcdc92f7fac92203ff1d81a80d0
SHA1 1ecb92ee2b9d27a01e3b2a588c0658030fff428d
SHA256 51037ac4e88b8006095b8626dddc295594413aead42f721cfdeb7187482da793
SHA512 3b472396ba57e9696b672f7c5629e7d8ae2464850c74cb655de50f95073982931fcf560f6d4ebff9ff58ee20e5ab8c22ee4a37e805773916ef4797beb90e564b

C:\Windows\SysWOW64\Paaidf32.exe

MD5 290987a144940eb2e97a7df9ba0126d7
SHA1 a07aaa04309f14978b0cfaf7dc630857e914fbe8
SHA256 54b541c211ee3543949806feeac8c4ac49e3e6095cc547e48052d692317fce2a
SHA512 da3e5b162cf2c3c465d581b0cdef9ed794bc8c8b2c69513fa7c2e546b74e970b6ec6eb489f7a54dad4453a9fd585c52fbfe7b65502cca8057d973bf471b249e0

C:\Windows\SysWOW64\Pnjgog32.exe

MD5 6809e7dfbfd5eb1854f7edc3bca5e6a2
SHA1 0b8f4d854980b811c6da3d61b9ddf0146af2484f
SHA256 a727447518885541b2910ca9ec60bad4b04c84d82b30771d002251cb8cd8ba77
SHA512 20d2d70e24ae0eb11f7efe83f2be1853dcfb214fda8dcfe08e134619808be653fcee3ee45ae1c55675711f1915eb052c9b906a4ceb87f082783837a89fab7c2f

C:\Windows\SysWOW64\Pgbkgmao.exe

MD5 ca3a758b6b83b3dff3b4458a88b68866
SHA1 1ed7efd67b49a03c0f152240c299b84039539a2a
SHA256 41dee295549a73659a682dcb27cedf00ab2608d9528e4f2a86df46f82ec15874
SHA512 f83d3100f8c4a12d0e77994c381f7ac56a7a5a39fc9f29df7f28d8375ccf01e95aa448f4b128b62d9da8c65d6e6d08b5cfb5da574e6f9d245da1149945f00151

C:\Windows\SysWOW64\Qnopjfgi.exe

MD5 1ebe65fe5b2ef4a108ed191106274afe
SHA1 4208b57fc7906aa803b725408c65f83fbbf09ad0
SHA256 e1c46687776e5aa085dfbac159de0ca817cbc25a8926fe4d0c4084973db3b474
SHA512 5ec2345531ba1db248d0ddcdfab1624242fd5526fc08064a5aaacc1b64b3faabada797ddb2ed54606553aa3ccbf2471edf7eb44781aa9d852c8c4576582ab175

C:\Windows\SysWOW64\Qjeaog32.exe

MD5 f201d0454b83c0abffc4a70e32b99fbc
SHA1 6f030cfcfd8d72c3063785d71fa7d989acdbfd62
SHA256 934566cf18d23efa84c9510e1bdcbf849f833f07ae5c2cbc0592c72e7725620c
SHA512 3a5c5da9408f1ca9204559a08e93f17eb2dc5b07eb5c2a37d3a6a9a1f99bd9965404914ff667d2913341d4abbbd2547a0f3b5c3bbab74c68328aefc947070295

C:\Windows\SysWOW64\Akenij32.exe

MD5 50d105c010474a4519359b3d127cf442
SHA1 6f2c2f92c3aca226a9d724569a1b32eca5ae9bc4
SHA256 747665337317122e74637e8783e5740a5651708f5efa3d50b20b6cca8a5e4766
SHA512 4e6bbfb25e579f221770109eb5fb05264cec25b0066c221aa5934a7a715c87919b3feaeb08be36e8570e86eb5b1d03dd0c2cb91171d3e75ad5074ca02d651c04

C:\Windows\SysWOW64\Akgjnj32.exe

MD5 162640bf9f2291c4b481f77d43b10892
SHA1 6bbba0fffa18bb9d72dccaa6f1f07d3dc5fb6545
SHA256 bb75b7d0861c0e5b01a83eec4f042c755657f635af2df12b760e4327472df5d9
SHA512 460c9ed9b3b61731727a6298c1b3e8dc606052f042c1d7569f8cab65b6d0cbefbfcd02cfe5198aa514467f1c1c3efb6bb6e0f8a4dd237bf30c166a4db2457e10

C:\Windows\SysWOW64\Abdoqd32.exe

MD5 ef830aa635d31efa05c52047d04dbde5
SHA1 71074fd281b187efdb2de578437e725773cc819d
SHA256 a80114371d441d8c0966a718901474785d74b87cc8547a25f27037bb1e7c8e98
SHA512 7433cb2793dcfd74f397c906c31e1b09ab92e2bfdc3d746e3f6c1c9655e28eb72e88d336dfeda23dc5b37ddccd8545c9058d1f4b85a00bb2f6ed7a9c183e4d13

C:\Windows\SysWOW64\Ajodef32.exe

MD5 75612316411befa343d65abe981642a2
SHA1 afae27449ef163bc59afd4fd6fa39160739d1f62
SHA256 7b23d87a940953702619667f7af1dd64854f485bb389e99307d9554df025a4f1
SHA512 36a6456c53d07f5e38bdf1de54c220e1e13350b49d3b51aaec9fc7ca82b555105108ebe853da68c180fe47825497cd57b0a2a901a6e5415b69642ada35c5eafb

C:\Windows\SysWOW64\Bkamdi32.exe

MD5 f53ae5109acf34ce6fcc6cfea2015344
SHA1 6f1c9521c335614ffaaa95b1e48183945760b436
SHA256 651d35cc0945148b6d15cd4f8067d53c855ffee678b54938581bdd28a5cd8900
SHA512 16fcfa48b44bc232076eead328dcae1abf3609706cb09bc0f80acc5bb09fe4cab3d12001509d6546a198518b90137ea80778f97c5ae0f41303cce511e36bdeb0

C:\Windows\SysWOW64\Bkhceh32.exe

MD5 04d5a78918b465b3e8c9c67792e78ef2
SHA1 e9eefc660e395c946314de826e1ae2a7523f105a
SHA256 2da5a1598eab521e8778cd4b123cb095c4c613867dff0afc051935579b1379c3
SHA512 5c1c1ad1fbd908cc674c8f2ddea7c4fae66bdfd19ae3e4e6488d33a86192968a6eba82e7eb438a3b7e93dc9698cc2cee41ddeb7ddb1ba36790725cf91b24bbaf

C:\Windows\SysWOW64\Bdphnmjk.exe

MD5 ee38f136b7f7b44cae065aee9b67209b
SHA1 3476dede3e18c674fbd7b042f61ba428f46ed9d6
SHA256 eba22dc85ecc682bd6f8f01af29aa6670e6e950125ca966a470b073f8cc35b71
SHA512 b7b9e8b6651f8e70dc2156e7cafbbe26e50b755adb33833e714651d77fdc32a175235b2e3c9a4dc877ccd2abf6802d3c8d6c206c7a748ab781b908576909d964

C:\Windows\SysWOW64\Cinpdl32.exe

MD5 9c9566e162533cbd584f367e32bf0de7
SHA1 0cbaba3c65cbf0db594b01e7fd480bb0bceb1fc2
SHA256 00d35e5c031bf7f417de647a7f137b4b9cb8732f32ca599b17fc0abad93df778
SHA512 9cb7bade496be5782ef892e68369dff85cd14d32a226a91aeaff4bc400b08bc2cffa91a65376e08ed8eaa52bbd00c91d5d7b1ea985b55e85bfbf447d06e0dc95

C:\Windows\SysWOW64\Ceeaim32.exe

MD5 b5923b338446785dd2af3263a00e6d0a
SHA1 da962cd7bdf79c51d8de9844bb544cd72cd31d5d
SHA256 f90bc55f5fd3a94e631285be4249990667ede3d396f8a41ab0254cd50a8532ff
SHA512 05b4d99b20440dc85576b50f791bf7f1c1c79450b8949a85225947254cab3c99a728761b304277adc84ef7f79c8c5bd99b0cd9f4780622a209aa46010bd4393f

C:\Windows\SysWOW64\Cegnol32.exe

MD5 4743f62e09d77d391a2ccf376887e858
SHA1 1645e1aec4e4f32d7bc3916fcfc20b9ec84666d9
SHA256 4863fa4cbe3e64a395d960a08a8098b3313ed2dbe3ea180bc99e71bc814962a1
SHA512 605a296d22b156755ef1ac6d184773eec75eeb1d3e096da80c927b726b51ba8a159950a9dd822c77102b29552cd48ba9f68165a817cb60f29643fff6bac36d89

C:\Windows\SysWOW64\Cjfclcpg.exe

MD5 af2b50b30ff53173cfdf0bf851ddfcfa
SHA1 f87328801bb80b094ee39c97c5b7e41e3ba4ab32
SHA256 444add6015f4b728d0c4e0d50ce7fcc0e415b8d9d496ec1a98a60a1c6f55687f
SHA512 79fe6de19f0bfee63a003d1cbd50d89b81d489fed836bff52918a82363c8525f46884097cbfc010c4da289235b17827e5f13d96061d7afd44ab168ab4e09ba78

C:\Windows\SysWOW64\Dijppjfd.exe

MD5 2f8f711475a75dfcf4c73d17a11c6ff9
SHA1 d202ebc44ce052617df1765f26f84ef62407e21a
SHA256 48a2b20716d21a3089289cb5e70cc0611af6ca7bedb5340b84aa143db0e0051e
SHA512 20a527ba439d6511315a6308d44c68664d165575a919faba4def9e601df91cca027566ab1e7d1dbf821292a7987d044c1684afe13de32094e9f5ca9c450e1984

C:\Windows\SysWOW64\Dgomaf32.exe

MD5 3493eb48e2c4b7a39c8e4472fa614fa7
SHA1 c966725e24bb1da0f028763409c96b765015450f
SHA256 be21a21ed213ecfe5f8955b3e2c4403cf21343140fcc0602ca4104b2ee96280d
SHA512 3241f5c596d875475feb6f911eb8269e0a6938a060d1279fc538c8007e7a414fbe7c0fe194b3bfe9d9d41a5fcbf5095db3bc92380e228aba0c33861dea82739e

C:\Windows\SysWOW64\Dnienqbi.exe

MD5 67030c9150d6b903d09e41c4c5150699
SHA1 9f97bb1f7b25b2148a9ba0b0598494211a241c03
SHA256 c278e922817203ecf6c19c145a7f901ba98e62a637f95c00267a99d43c14a5a9
SHA512 70092ba4320e9de9b2d6e2738fb52660cbff55aae3500bf6a8117850eeeb7c17f1e52dce34fc465e88e924a2c6e7c888de6db8a906b74dff8d3bca8a7d561027

C:\Windows\SysWOW64\Djbbhafj.exe

MD5 b880ad441f58cbfa4963a13895e96d54
SHA1 39afb9e404858f3ec77b01e87e7d25a77ff71f89
SHA256 0169f58d2e9d8cccb9ce5999160c63deb9a94028f2178613d93d431323d3e2be
SHA512 b70e1cd22e3f4ed257aabc7c7120d0d746c85e03f8355ec61705a455218f1b0392d3fdb58bc89414d22a0a8ea6b828061be549a5c212ff97b6f0cd17ed8c1672

C:\Windows\SysWOW64\Eieplhlf.exe

MD5 6f1573983099ac3b7c26a621f382fb24
SHA1 da961dca793827c5fc2a2c3dc2c5adb76fd2db77
SHA256 774c6152d90d75c4f37e7fbb221919b152e9300dcc16f12c3116c9a45c878798
SHA512 8e8a220f44f10fd84066760e55bde3363ce73a4052e00731426cc53e45dccb0fd39b967d43989c439a1d67bb54bc4a111f65de49ff5f438f3a3ac0a950243080