Malware Analysis Report

2025-03-15 09:46

Sample ID 240916-s93pzswdnn
Target Backdoor.Win32.Berbew.pz-bc221406cba9c074529c5f67f456a8fc503181c4af746dde55d62f5e6c7a6297N
SHA256 bc221406cba9c074529c5f67f456a8fc503181c4af746dde55d62f5e6c7a6297
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc221406cba9c074529c5f67f456a8fc503181c4af746dde55d62f5e6c7a6297

Threat Level: Known bad

The file Backdoor.Win32.Berbew.pz-bc221406cba9c074529c5f67f456a8fc503181c4af746dde55d62f5e6c7a6297N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 15:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 15:50

Reported

2024-09-16 15:52

Platform

win7-20240903-en

Max time kernel

120s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Efoifiep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aahimb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogdhik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkeoongd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnifaajh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpcohbm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cffjagko.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egcfdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iblola32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcikog32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laaabo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onamle32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjjkfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcbookpp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcjjkkji.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jeaahk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koibpd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onldqejb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bahelebm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cffjagko.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epqgopbi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kngekdnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oqojhp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bahelebm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onamle32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Plpqim32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afqhjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpgecq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcemnopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epnkip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maldfbjn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clilmbhd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maldfbjn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efmlqigc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jkdcdf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Befnbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chggdoee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckhpejbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fpgnoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mneaacno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajamfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dcemnopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laaabo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epqgopbi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddppmclb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Igpaec32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aadobccg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apnfno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boobki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dglpdomh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnjalhpp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efoifiep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qemomb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcikog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amjpgdik.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbnlaqhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Blgcio32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpgecq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chbihc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jeaahk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blgcio32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejfllhao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogdhik32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ingmmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igpaec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iblola32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkdcdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbnlaqhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeaahk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnifaajh.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcikog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfidqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kngekdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Koibpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkdckff.exe N/A
N/A N/A C:\Windows\SysWOW64\Laaabo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgbcfdmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Maldfbjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mneaacno.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpcohbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnjklb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nknkeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhkbmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odacbpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Onldqejb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogdhik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onamle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqojhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjjkfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcbookpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Plpqim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qemomb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aadobccg.exe N/A
N/A N/A C:\Windows\SysWOW64\Afqhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amjpgdik.exe N/A
N/A N/A C:\Windows\SysWOW64\Aahimb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajamfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apnfno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aldfcpjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bemkle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blgcio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbchkime.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhpqcpkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bahelebm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhbmip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Befnbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boobki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chggdoee.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckhpejbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Clilmbhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpgecq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chbihc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffjagko.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcjjkkji.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkeoongd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfkclf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dglpdomh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddppmclb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcemnopj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnjalhpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Egcfdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epnkip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epqgopbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfllhao.exe N/A
N/A N/A C:\Windows\SysWOW64\Efmlqigc.exe N/A
N/A N/A C:\Windows\SysWOW64\Epeajo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efoifiep.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
N/A N/A C:\Windows\SysWOW64\Ingmmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ingmmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igpaec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igpaec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iblola32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iblola32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkdcdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkdcdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbnlaqhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbnlaqhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeaahk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeaahk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnifaajh.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnifaajh.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcikog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcikog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfidqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfidqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kngekdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kngekdnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Koibpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Koibpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkdckff.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldkdckff.exe N/A
N/A N/A C:\Windows\SysWOW64\Laaabo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laaabo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgbcfdmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgbcfdmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Maldfbjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Maldfbjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mneaacno.exe N/A
N/A N/A C:\Windows\SysWOW64\Mneaacno.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpcohbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpcohbm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnjklb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnjklb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nknkeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nknkeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhkbmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhkbmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odacbpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Odacbpee.exe N/A
N/A N/A C:\Windows\SysWOW64\Onldqejb.exe N/A
N/A N/A C:\Windows\SysWOW64\Onldqejb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogdhik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogdhik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onamle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onamle32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqojhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqojhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjjkfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjjkfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcbookpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcbookpp.exe N/A
N/A N/A C:\Windows\SysWOW64\Plpqim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plpqim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qemomb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qemomb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aadobccg.exe N/A
N/A N/A C:\Windows\SysWOW64\Aadobccg.exe N/A
N/A N/A C:\Windows\SysWOW64\Afqhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afqhjj32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Kngekdnf.exe C:\Windows\SysWOW64\Kfidqb32.exe N/A
File created C:\Windows\SysWOW64\Laaabo32.exe C:\Windows\SysWOW64\Ldkdckff.exe N/A
File opened for modification C:\Windows\SysWOW64\Onamle32.exe C:\Windows\SysWOW64\Ogdhik32.exe N/A
File created C:\Windows\SysWOW64\Aadobccg.exe C:\Windows\SysWOW64\Qemomb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbchkime.exe C:\Windows\SysWOW64\Blgcio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jnifaajh.exe C:\Windows\SysWOW64\Jeaahk32.exe N/A
File created C:\Windows\SysWOW64\Qkbeqfel.dll C:\Windows\SysWOW64\Nknkeg32.exe N/A
File created C:\Windows\SysWOW64\Ajamfh32.exe C:\Windows\SysWOW64\Aahimb32.exe N/A
File created C:\Windows\SysWOW64\Iblola32.exe C:\Windows\SysWOW64\Igpaec32.exe N/A
File created C:\Windows\SysWOW64\Blgcio32.exe C:\Windows\SysWOW64\Bemkle32.exe N/A
File created C:\Windows\SysWOW64\Aobffp32.dll C:\Windows\SysWOW64\Onamle32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amjpgdik.exe C:\Windows\SysWOW64\Afqhjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Blgcio32.exe C:\Windows\SysWOW64\Bemkle32.exe N/A
File created C:\Windows\SysWOW64\Elllck32.dll C:\Windows\SysWOW64\Iblola32.exe N/A
File created C:\Windows\SysWOW64\Mjpdkq32.dll C:\Windows\SysWOW64\Efoifiep.exe N/A
File created C:\Windows\SysWOW64\Ogaceogh.dll C:\Windows\SysWOW64\Afqhjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcjjkkji.exe C:\Windows\SysWOW64\Cffjagko.exe N/A
File created C:\Windows\SysWOW64\Cpokpklp.dll C:\Windows\SysWOW64\Dnjalhpp.exe N/A
File created C:\Windows\SysWOW64\Jbnlaqhi.exe C:\Windows\SysWOW64\Jkdcdf32.exe N/A
File created C:\Windows\SysWOW64\Kngekdnf.exe C:\Windows\SysWOW64\Kfidqb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhpqcpkm.exe C:\Windows\SysWOW64\Bbchkime.exe N/A
File created C:\Windows\SysWOW64\Bjcmdmiq.dll C:\Windows\SysWOW64\Dcjjkkji.exe N/A
File created C:\Windows\SysWOW64\Ogadek32.dll C:\Windows\SysWOW64\Epqgopbi.exe N/A
File created C:\Windows\SysWOW64\Mbpmdgef.dll C:\Windows\SysWOW64\Apnfno32.exe N/A
File created C:\Windows\SysWOW64\Djgaeaao.dll C:\Windows\SysWOW64\Igpaec32.exe N/A
File created C:\Windows\SysWOW64\Kppegfpa.dll C:\Windows\SysWOW64\Befnbd32.exe N/A
File created C:\Windows\SysWOW64\Pnenhc32.dll C:\Windows\SysWOW64\Egcfdn32.exe N/A
File created C:\Windows\SysWOW64\Gfdeopaj.dll C:\Windows\SysWOW64\Koibpd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngpcohbm.exe C:\Windows\SysWOW64\Mneaacno.exe N/A
File created C:\Windows\SysWOW64\Ghibjjfb.dll C:\Windows\SysWOW64\Nnjklb32.exe N/A
File created C:\Windows\SysWOW64\Qemomb32.exe C:\Windows\SysWOW64\Plpqim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epeajo32.exe C:\Windows\SysWOW64\Efmlqigc.exe N/A
File created C:\Windows\SysWOW64\Aahimb32.exe C:\Windows\SysWOW64\Amjpgdik.exe N/A
File created C:\Windows\SysWOW64\Dfkclf32.exe C:\Windows\SysWOW64\Dkeoongd.exe N/A
File created C:\Windows\SysWOW64\Apnfno32.exe C:\Windows\SysWOW64\Ajamfh32.exe N/A
File created C:\Windows\SysWOW64\Iahbkogl.dll C:\Windows\SysWOW64\Bhpqcpkm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ingmmn32.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
File created C:\Windows\SysWOW64\Kfidqb32.exe C:\Windows\SysWOW64\Jcikog32.exe N/A
File created C:\Windows\SysWOW64\Koibpd32.exe C:\Windows\SysWOW64\Kngekdnf.exe N/A
File created C:\Windows\SysWOW64\Mneaacno.exe C:\Windows\SysWOW64\Maldfbjn.exe N/A
File created C:\Windows\SysWOW64\Nknkeg32.exe C:\Windows\SysWOW64\Nnjklb32.exe N/A
File created C:\Windows\SysWOW64\Pjjkfe32.exe C:\Windows\SysWOW64\Oqojhp32.exe N/A
File created C:\Windows\SysWOW64\Afqhjj32.exe C:\Windows\SysWOW64\Aadobccg.exe N/A
File created C:\Windows\SysWOW64\Jlqogi32.dll C:\Windows\SysWOW64\Jkdcdf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqojhp32.exe C:\Windows\SysWOW64\Onamle32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flnndp32.exe C:\Windows\SysWOW64\Fpgnoo32.exe N/A
File created C:\Windows\SysWOW64\Mmgqao32.dll C:\Windows\SysWOW64\Ldkdckff.exe N/A
File created C:\Windows\SysWOW64\Dglpdomh.exe C:\Windows\SysWOW64\Dfkclf32.exe N/A
File created C:\Windows\SysWOW64\Jhgnoe32.dll C:\Windows\SysWOW64\Ngpcohbm.exe N/A
File opened for modification C:\Windows\SysWOW64\Onldqejb.exe C:\Windows\SysWOW64\Odacbpee.exe N/A
File opened for modification C:\Windows\SysWOW64\Clilmbhd.exe C:\Windows\SysWOW64\Ckhpejbf.exe N/A
File created C:\Windows\SysWOW64\Ldkdckff.exe C:\Windows\SysWOW64\Koibpd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgbcfdmo.exe C:\Windows\SysWOW64\Laaabo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnjklb32.exe C:\Windows\SysWOW64\Ngpcohbm.exe N/A
File created C:\Windows\SysWOW64\Pcbookpp.exe C:\Windows\SysWOW64\Pjjkfe32.exe N/A
File created C:\Windows\SysWOW64\Dnjalhpp.exe C:\Windows\SysWOW64\Dcemnopj.exe N/A
File opened for modification C:\Windows\SysWOW64\Iblola32.exe C:\Windows\SysWOW64\Igpaec32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jcikog32.exe C:\Windows\SysWOW64\Jnifaajh.exe N/A
File opened for modification C:\Windows\SysWOW64\Koibpd32.exe C:\Windows\SysWOW64\Kngekdnf.exe N/A
File opened for modification C:\Windows\SysWOW64\Qemomb32.exe C:\Windows\SysWOW64\Plpqim32.exe N/A
File created C:\Windows\SysWOW64\Mlanmb32.dll C:\Windows\SysWOW64\Chbihc32.exe N/A
File created C:\Windows\SysWOW64\Kpcmnaip.dll C:\Windows\SysWOW64\Cpgecq32.exe N/A
File created C:\Windows\SysWOW64\Dcemnopj.exe C:\Windows\SysWOW64\Ddppmclb.exe N/A
File opened for modification C:\Windows\SysWOW64\Egcfdn32.exe C:\Windows\SysWOW64\Dnjalhpp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Flnndp32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngpcohbm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhkbmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qemomb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajamfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffjagko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcjjkkji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfidqb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blgcio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Befnbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfkclf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egcfdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jeaahk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcbookpp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chbihc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcemnopj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpgnoo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jkdcdf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nknkeg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onamle32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbchkime.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnjalhpp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koibpd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aldfcpjn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpgecq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcikog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgbcfdmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afqhjj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckhpejbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Maldfbjn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjjkfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbnlaqhi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aadobccg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aahimb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldkdckff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onldqejb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apnfno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dglpdomh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejfllhao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ingmmn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kngekdnf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkeoongd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igpaec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogdhik32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oqojhp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bemkle32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bahelebm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epqgopbi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efmlqigc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnifaajh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odacbpee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Laaabo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnjklb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amjpgdik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhbmip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chggdoee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epnkip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epeajo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flnndp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clilmbhd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddppmclb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iblola32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mneaacno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plpqim32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mneaacno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Epqgopbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbihnp32.dll" C:\Windows\SysWOW64\Aadobccg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcmnaip.dll" C:\Windows\SysWOW64\Cpgecq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddppmclb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egcfdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhpqcpkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdlmb32.dll" C:\Windows\SysWOW64\Dcemnopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjjki32.dll" C:\Windows\SysWOW64\Kngekdnf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhkbmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Plpqim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dglpdomh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efmlqigc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbgmkqd.dll" C:\Windows\SysWOW64\Laaabo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aldfcpjn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbchkime.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcemnopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll" C:\Windows\SysWOW64\Dnjalhpp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ogdhik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhbmip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chbihc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iblola32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnoe32.dll" C:\Windows\SysWOW64\Ngpcohbm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Onamle32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bemkle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll" C:\Windows\SysWOW64\Efoifiep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgbcfdmo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aadobccg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahbkogl.dll" C:\Windows\SysWOW64\Bhpqcpkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabcdq32.dll" C:\Windows\SysWOW64\Blgcio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll" C:\Windows\SysWOW64\Ddppmclb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhpqcpkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiajn32.dll" C:\Windows\SysWOW64\Jbnlaqhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jcikog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pcbookpp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aadobccg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckinbali.dll" C:\Windows\SysWOW64\Chggdoee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll" C:\Windows\SysWOW64\Cffjagko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epqgopbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcjjkkji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Laaabo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmflbo32.dll" C:\Windows\SysWOW64\Onldqejb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eidmboob.dll" C:\Windows\SysWOW64\Bemkle32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ingmmn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jeaahk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldkdckff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkbeqfel.dll" C:\Windows\SysWOW64\Nknkeg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbnlaqhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll" C:\Windows\SysWOW64\Epqgopbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apnfno32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfkclf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajamfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohaaaf.dll" C:\Windows\SysWOW64\Aldfcpjn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chggdoee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkeoongd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfkclf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejfllhao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehokjjf.dll" C:\Windows\SysWOW64\Ingmmn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Igpaec32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Befnbd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Boobki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kglenb32.dll" C:\Windows\SysWOW64\Clilmbhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Clilmbhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpkpl32.dll" C:\Windows\SysWOW64\Epnkip32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Ingmmn32.exe
PID 2248 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Ingmmn32.exe
PID 2248 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Ingmmn32.exe
PID 2248 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Ingmmn32.exe
PID 2796 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Ingmmn32.exe C:\Windows\SysWOW64\Igpaec32.exe
PID 2796 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Ingmmn32.exe C:\Windows\SysWOW64\Igpaec32.exe
PID 2796 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Ingmmn32.exe C:\Windows\SysWOW64\Igpaec32.exe
PID 2796 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Ingmmn32.exe C:\Windows\SysWOW64\Igpaec32.exe
PID 2808 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Igpaec32.exe C:\Windows\SysWOW64\Iblola32.exe
PID 2808 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Igpaec32.exe C:\Windows\SysWOW64\Iblola32.exe
PID 2808 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Igpaec32.exe C:\Windows\SysWOW64\Iblola32.exe
PID 2808 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Igpaec32.exe C:\Windows\SysWOW64\Iblola32.exe
PID 2528 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Iblola32.exe C:\Windows\SysWOW64\Jkdcdf32.exe
PID 2528 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Iblola32.exe C:\Windows\SysWOW64\Jkdcdf32.exe
PID 2528 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Iblola32.exe C:\Windows\SysWOW64\Jkdcdf32.exe
PID 2528 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Iblola32.exe C:\Windows\SysWOW64\Jkdcdf32.exe
PID 1724 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Jkdcdf32.exe C:\Windows\SysWOW64\Jbnlaqhi.exe
PID 1724 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Jkdcdf32.exe C:\Windows\SysWOW64\Jbnlaqhi.exe
PID 1724 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Jkdcdf32.exe C:\Windows\SysWOW64\Jbnlaqhi.exe
PID 1724 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Jkdcdf32.exe C:\Windows\SysWOW64\Jbnlaqhi.exe
PID 2692 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Jbnlaqhi.exe C:\Windows\SysWOW64\Jeaahk32.exe
PID 2692 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Jbnlaqhi.exe C:\Windows\SysWOW64\Jeaahk32.exe
PID 2692 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Jbnlaqhi.exe C:\Windows\SysWOW64\Jeaahk32.exe
PID 2692 wrote to memory of 2444 N/A C:\Windows\SysWOW64\Jbnlaqhi.exe C:\Windows\SysWOW64\Jeaahk32.exe
PID 2444 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Jeaahk32.exe C:\Windows\SysWOW64\Jnifaajh.exe
PID 2444 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Jeaahk32.exe C:\Windows\SysWOW64\Jnifaajh.exe
PID 2444 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Jeaahk32.exe C:\Windows\SysWOW64\Jnifaajh.exe
PID 2444 wrote to memory of 2536 N/A C:\Windows\SysWOW64\Jeaahk32.exe C:\Windows\SysWOW64\Jnifaajh.exe
PID 2536 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Jnifaajh.exe C:\Windows\SysWOW64\Jcikog32.exe
PID 2536 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Jnifaajh.exe C:\Windows\SysWOW64\Jcikog32.exe
PID 2536 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Jnifaajh.exe C:\Windows\SysWOW64\Jcikog32.exe
PID 2536 wrote to memory of 1608 N/A C:\Windows\SysWOW64\Jnifaajh.exe C:\Windows\SysWOW64\Jcikog32.exe
PID 1608 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jcikog32.exe C:\Windows\SysWOW64\Kfidqb32.exe
PID 1608 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jcikog32.exe C:\Windows\SysWOW64\Kfidqb32.exe
PID 1608 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jcikog32.exe C:\Windows\SysWOW64\Kfidqb32.exe
PID 1608 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Jcikog32.exe C:\Windows\SysWOW64\Kfidqb32.exe
PID 2840 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Kfidqb32.exe C:\Windows\SysWOW64\Kngekdnf.exe
PID 2840 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Kfidqb32.exe C:\Windows\SysWOW64\Kngekdnf.exe
PID 2840 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Kfidqb32.exe C:\Windows\SysWOW64\Kngekdnf.exe
PID 2840 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Kfidqb32.exe C:\Windows\SysWOW64\Kngekdnf.exe
PID 2172 wrote to memory of 520 N/A C:\Windows\SysWOW64\Kngekdnf.exe C:\Windows\SysWOW64\Koibpd32.exe
PID 2172 wrote to memory of 520 N/A C:\Windows\SysWOW64\Kngekdnf.exe C:\Windows\SysWOW64\Koibpd32.exe
PID 2172 wrote to memory of 520 N/A C:\Windows\SysWOW64\Kngekdnf.exe C:\Windows\SysWOW64\Koibpd32.exe
PID 2172 wrote to memory of 520 N/A C:\Windows\SysWOW64\Kngekdnf.exe C:\Windows\SysWOW64\Koibpd32.exe
PID 520 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Koibpd32.exe C:\Windows\SysWOW64\Ldkdckff.exe
PID 520 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Koibpd32.exe C:\Windows\SysWOW64\Ldkdckff.exe
PID 520 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Koibpd32.exe C:\Windows\SysWOW64\Ldkdckff.exe
PID 520 wrote to memory of 2364 N/A C:\Windows\SysWOW64\Koibpd32.exe C:\Windows\SysWOW64\Ldkdckff.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Ldkdckff.exe C:\Windows\SysWOW64\Laaabo32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Ldkdckff.exe C:\Windows\SysWOW64\Laaabo32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Ldkdckff.exe C:\Windows\SysWOW64\Laaabo32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\SysWOW64\Ldkdckff.exe C:\Windows\SysWOW64\Laaabo32.exe
PID 2280 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Laaabo32.exe C:\Windows\SysWOW64\Mgbcfdmo.exe
PID 2280 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Laaabo32.exe C:\Windows\SysWOW64\Mgbcfdmo.exe
PID 2280 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Laaabo32.exe C:\Windows\SysWOW64\Mgbcfdmo.exe
PID 2280 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Laaabo32.exe C:\Windows\SysWOW64\Mgbcfdmo.exe
PID 2104 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Mgbcfdmo.exe C:\Windows\SysWOW64\Maldfbjn.exe
PID 2104 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Mgbcfdmo.exe C:\Windows\SysWOW64\Maldfbjn.exe
PID 2104 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Mgbcfdmo.exe C:\Windows\SysWOW64\Maldfbjn.exe
PID 2104 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Mgbcfdmo.exe C:\Windows\SysWOW64\Maldfbjn.exe
PID 2464 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Maldfbjn.exe C:\Windows\SysWOW64\Mneaacno.exe
PID 2464 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Maldfbjn.exe C:\Windows\SysWOW64\Mneaacno.exe
PID 2464 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Maldfbjn.exe C:\Windows\SysWOW64\Mneaacno.exe
PID 2464 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Maldfbjn.exe C:\Windows\SysWOW64\Mneaacno.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Ingmmn32.exe

C:\Windows\system32\Ingmmn32.exe

C:\Windows\SysWOW64\Igpaec32.exe

C:\Windows\system32\Igpaec32.exe

C:\Windows\SysWOW64\Iblola32.exe

C:\Windows\system32\Iblola32.exe

C:\Windows\SysWOW64\Jkdcdf32.exe

C:\Windows\system32\Jkdcdf32.exe

C:\Windows\SysWOW64\Jbnlaqhi.exe

C:\Windows\system32\Jbnlaqhi.exe

C:\Windows\SysWOW64\Jeaahk32.exe

C:\Windows\system32\Jeaahk32.exe

C:\Windows\SysWOW64\Jnifaajh.exe

C:\Windows\system32\Jnifaajh.exe

C:\Windows\SysWOW64\Jcikog32.exe

C:\Windows\system32\Jcikog32.exe

C:\Windows\SysWOW64\Kfidqb32.exe

C:\Windows\system32\Kfidqb32.exe

C:\Windows\SysWOW64\Kngekdnf.exe

C:\Windows\system32\Kngekdnf.exe

C:\Windows\SysWOW64\Koibpd32.exe

C:\Windows\system32\Koibpd32.exe

C:\Windows\SysWOW64\Ldkdckff.exe

C:\Windows\system32\Ldkdckff.exe

C:\Windows\SysWOW64\Laaabo32.exe

C:\Windows\system32\Laaabo32.exe

C:\Windows\SysWOW64\Mgbcfdmo.exe

C:\Windows\system32\Mgbcfdmo.exe

C:\Windows\SysWOW64\Maldfbjn.exe

C:\Windows\system32\Maldfbjn.exe

C:\Windows\SysWOW64\Mneaacno.exe

C:\Windows\system32\Mneaacno.exe

C:\Windows\SysWOW64\Ngpcohbm.exe

C:\Windows\system32\Ngpcohbm.exe

C:\Windows\SysWOW64\Nnjklb32.exe

C:\Windows\system32\Nnjklb32.exe

C:\Windows\SysWOW64\Nknkeg32.exe

C:\Windows\system32\Nknkeg32.exe

C:\Windows\SysWOW64\Nhkbmo32.exe

C:\Windows\system32\Nhkbmo32.exe

C:\Windows\SysWOW64\Odacbpee.exe

C:\Windows\system32\Odacbpee.exe

C:\Windows\SysWOW64\Onldqejb.exe

C:\Windows\system32\Onldqejb.exe

C:\Windows\SysWOW64\Ogdhik32.exe

C:\Windows\system32\Ogdhik32.exe

C:\Windows\SysWOW64\Onamle32.exe

C:\Windows\system32\Onamle32.exe

C:\Windows\SysWOW64\Oqojhp32.exe

C:\Windows\system32\Oqojhp32.exe

C:\Windows\SysWOW64\Pjjkfe32.exe

C:\Windows\system32\Pjjkfe32.exe

C:\Windows\SysWOW64\Pcbookpp.exe

C:\Windows\system32\Pcbookpp.exe

C:\Windows\SysWOW64\Plpqim32.exe

C:\Windows\system32\Plpqim32.exe

C:\Windows\SysWOW64\Qemomb32.exe

C:\Windows\system32\Qemomb32.exe

C:\Windows\SysWOW64\Aadobccg.exe

C:\Windows\system32\Aadobccg.exe

C:\Windows\SysWOW64\Afqhjj32.exe

C:\Windows\system32\Afqhjj32.exe

C:\Windows\SysWOW64\Amjpgdik.exe

C:\Windows\system32\Amjpgdik.exe

C:\Windows\SysWOW64\Aahimb32.exe

C:\Windows\system32\Aahimb32.exe

C:\Windows\SysWOW64\Ajamfh32.exe

C:\Windows\system32\Ajamfh32.exe

C:\Windows\SysWOW64\Apnfno32.exe

C:\Windows\system32\Apnfno32.exe

C:\Windows\SysWOW64\Aldfcpjn.exe

C:\Windows\system32\Aldfcpjn.exe

C:\Windows\SysWOW64\Bemkle32.exe

C:\Windows\system32\Bemkle32.exe

C:\Windows\SysWOW64\Blgcio32.exe

C:\Windows\system32\Blgcio32.exe

C:\Windows\SysWOW64\Bbchkime.exe

C:\Windows\system32\Bbchkime.exe

C:\Windows\SysWOW64\Bhpqcpkm.exe

C:\Windows\system32\Bhpqcpkm.exe

C:\Windows\SysWOW64\Bahelebm.exe

C:\Windows\system32\Bahelebm.exe

C:\Windows\SysWOW64\Bhbmip32.exe

C:\Windows\system32\Bhbmip32.exe

C:\Windows\SysWOW64\Befnbd32.exe

C:\Windows\system32\Befnbd32.exe

C:\Windows\SysWOW64\Boobki32.exe

C:\Windows\system32\Boobki32.exe

C:\Windows\SysWOW64\Chggdoee.exe

C:\Windows\system32\Chggdoee.exe

C:\Windows\SysWOW64\Ckhpejbf.exe

C:\Windows\system32\Ckhpejbf.exe

C:\Windows\SysWOW64\Clilmbhd.exe

C:\Windows\system32\Clilmbhd.exe

C:\Windows\SysWOW64\Cpgecq32.exe

C:\Windows\system32\Cpgecq32.exe

C:\Windows\SysWOW64\Chbihc32.exe

C:\Windows\system32\Chbihc32.exe

C:\Windows\SysWOW64\Cffjagko.exe

C:\Windows\system32\Cffjagko.exe

C:\Windows\SysWOW64\Dcjjkkji.exe

C:\Windows\system32\Dcjjkkji.exe

C:\Windows\SysWOW64\Dkeoongd.exe

C:\Windows\system32\Dkeoongd.exe

C:\Windows\SysWOW64\Dfkclf32.exe

C:\Windows\system32\Dfkclf32.exe

C:\Windows\SysWOW64\Dglpdomh.exe

C:\Windows\system32\Dglpdomh.exe

C:\Windows\SysWOW64\Ddppmclb.exe

C:\Windows\system32\Ddppmclb.exe

C:\Windows\SysWOW64\Dcemnopj.exe

C:\Windows\system32\Dcemnopj.exe

C:\Windows\SysWOW64\Dnjalhpp.exe

C:\Windows\system32\Dnjalhpp.exe

C:\Windows\SysWOW64\Egcfdn32.exe

C:\Windows\system32\Egcfdn32.exe

C:\Windows\SysWOW64\Epnkip32.exe

C:\Windows\system32\Epnkip32.exe

C:\Windows\SysWOW64\Epqgopbi.exe

C:\Windows\system32\Epqgopbi.exe

C:\Windows\SysWOW64\Ejfllhao.exe

C:\Windows\system32\Ejfllhao.exe

C:\Windows\SysWOW64\Efmlqigc.exe

C:\Windows\system32\Efmlqigc.exe

C:\Windows\SysWOW64\Epeajo32.exe

C:\Windows\system32\Epeajo32.exe

C:\Windows\SysWOW64\Efoifiep.exe

C:\Windows\system32\Efoifiep.exe

C:\Windows\SysWOW64\Fpgnoo32.exe

C:\Windows\system32\Fpgnoo32.exe

C:\Windows\SysWOW64\Flnndp32.exe

C:\Windows\system32\Flnndp32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 140

Network

N/A

Files

memory/2248-0-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Ingmmn32.exe

MD5 94b654a1619fb1a82407e27031e74b6c
SHA1 e7eff8e3dc53778b7b029f7ba7cd781b4109a8ff
SHA256 9bc0e14214f6b0df5bff29e665519bc2f0a9df618e33b24f2eb495cd65360a94
SHA512 c4e25493e1c89c7bf1c9ab46dc542086789c988c547ba3107a7c37ee281fab0201dcb0096597f5510572c6803b64eb235ad9218b07aa29e201827190a57d7e4b

memory/2248-13-0x00000000001B0000-0x00000000001F4000-memory.dmp

memory/2796-21-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2796-15-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2248-14-0x00000000001B0000-0x00000000001F4000-memory.dmp

\Windows\SysWOW64\Igpaec32.exe

MD5 538b865a20a613850dd36bb81bedd082
SHA1 16a711101c64a416c759aea54e5482bd7bd78783
SHA256 50514a80c35a80131e0d76850e3172f8fda0462fd5aa68f5f2381fbf24df6cb5
SHA512 a550cfc0b706df861369216bf6b69654dcff9e80e6fef157b90992a249b09ea4874658ca2dd040d058acfac23b34446ab873820968656856c277e9876a3d2c52

\Windows\SysWOW64\Iblola32.exe

MD5 ed233022fcd988cc15b0f52b56e691d6
SHA1 62e19c46d96e1995e24e69cb66b99f7b7ec8681a
SHA256 6254b949c1e2eb5fcb54c4297af59e8f0e7f734e3faadb07215591288887da3a
SHA512 f685910df944d520fe892f5459475b9f63cc05d3ce77cebda4eef66618b1b89f9964ba6b6bf1d44681ad6d0e2f83448094a611a7b8ee1bbadf323970320e728d

memory/2808-38-0x00000000002C0000-0x0000000000304000-memory.dmp

\Windows\SysWOW64\Jkdcdf32.exe

MD5 d90e2dd4a2bc269c9d99cad17a754ca7
SHA1 5b1a184de02a065dd8fa9a71f16bac52a5d3399c
SHA256 edfe03bec2e68e1e839c88ca1ccc4e51c280b5b8188d20a433a7297ed2dc887b
SHA512 bb23238f23d78700de29d9c045bf9226994504e0f9c77d37c297caac1a96a01ae0578c14b6fb1b4726c6c35ef10d8fcc1eb8d7d999434c2c473436c41841f9c6

memory/2248-55-0x00000000001B0000-0x00000000001F4000-memory.dmp

memory/2248-54-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2528-53-0x00000000002A0000-0x00000000002E4000-memory.dmp

\Windows\SysWOW64\Jbnlaqhi.exe

MD5 61150bf5dcca63cde3b06d019e7a8aec
SHA1 b7f77135feff0f126b198944310f490cebc941af
SHA256 564d62eddc263e669691662220f71539bb5f4ffe24b1f30f15775e28ec2f300f
SHA512 a06f1bc4b8cb6b92bab53d3f9923f4331bd7859fa64b04d98aa7829879b0b67054c07a06ec990db7ac5025626b51ad54f4b898178338b51a09a676b50a37d301

memory/2692-70-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1724-68-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2796-67-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Jeaahk32.exe

MD5 05f4d1df4dd2cfadd1c13510dd16114f
SHA1 4d5de41b433c586469a1371d3b0cd01977e188b3
SHA256 f215d875302d8f2c1456ee20c86cb60ef2abc3bd1248889f847dfe69e285614b
SHA512 2542e378d3eacfc4156750b41dd9381aa8c1e3baac19461683eab69d6fa5fde1b664c2e2cecda66964e651e8655f9a6ed85236f88a79c6189e4d7d9d598ca480

\Windows\SysWOW64\Jnifaajh.exe

MD5 ca6fe36ecc157f28d72723da4dee83a0
SHA1 2d75e2a94f2b75bef1952ef6c91998c8f57d0156
SHA256 346ddf1874c9d90a00dd506158c7f0d272dee9846dc530efbb8783440e4c5dc3
SHA512 f4b4629b25ac45feac3cd7e2c5da55bd3fbcf1c226bbba4236cb264e84bdc003a47d8526e4868e5f9b6916b40e3d80d13b6f0ec088e2c32a83b472c33797fc3d

memory/2444-87-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2808-84-0x00000000002C0000-0x0000000000304000-memory.dmp

memory/2692-83-0x0000000001B70000-0x0000000001BB4000-memory.dmp

memory/2808-82-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2444-99-0x0000000000280000-0x00000000002C4000-memory.dmp

memory/2528-105-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2536-100-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Jcikog32.exe

MD5 b32fc46ed71b4484a7788cdd0b8bfb2e
SHA1 ea758e586582f4a4b19729a5bc11d29c81416e93
SHA256 83a7602294651fa1699d76685851e22b8cc5b4c29bb85e954d8197350b1952e6
SHA512 ee68775234c05462501ce8e3315a2d69fb64a5ed242a84446ff9ff260d69584035a5e39df55d5ff44f35660f114ef50bee934da95b1ca5c1cf39d9fd3c827c9f

memory/1724-108-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2536-110-0x00000000001B0000-0x00000000001F4000-memory.dmp

\Windows\SysWOW64\Kfidqb32.exe

MD5 f4eba94c848dfc97c9ed6075cac2e835
SHA1 e52f6911ea9ad4a25b309265570d4b3efa8a1ba7
SHA256 7cc33f4f0369c3041306a66bdcf20c19f4dc16f318e4cea59b47a6b08abb35d4
SHA512 e83e2c8c3844692f30dffa57ac771d5adaf21a87b08126a651bdbf581159228bcf6b7e9878eb3de5a5fbfb337b9f87b167b827dddc70e30d123b363a4a778d82

memory/2536-116-0x00000000001B0000-0x00000000001F4000-memory.dmp

memory/1608-124-0x00000000002E0000-0x0000000000324000-memory.dmp

memory/2840-132-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1608-130-0x00000000002E0000-0x0000000000324000-memory.dmp

memory/2692-129-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Kngekdnf.exe

MD5 d7f072b853a5ee35a40a36c45d060be7
SHA1 56b0cf2943888398f3e8c69d320c015e945a0fd1
SHA256 5346760f8753449ae1152e7308d8365cb6c27f224bdce61c5789252f8a69b79d
SHA512 3cff5c49b0cd08ce004fc3936a88c92ab6bfe26b093e5e427358d82b6e8237244b809aa847f84556015dabca3a2349329a7c88207179ba05a8c21074bfb02385

memory/520-164-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2172-163-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2172-162-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2536-161-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Koibpd32.exe

MD5 77ffa4935257f2e1449be06d6e1ed330
SHA1 7c4d5c9ca68862e8aed0a0525e903d22a326d2aa
SHA256 b5d1d40c97801ab8e009f6157394a95bdeb3f5bda54efa6bc7074d6223b497b2
SHA512 929f1cb92c058021e14c52486f03b851a60a3619d4fca13a9b4bf62f54e72aa0848a8bfeb3cf9d587889aac83789ef3c6aedc581a8cb2f42edfa232920203cad

memory/2444-148-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2172-147-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2840-146-0x00000000001B0000-0x00000000001F4000-memory.dmp

memory/2692-145-0x0000000001B70000-0x0000000001BB4000-memory.dmp

\Windows\SysWOW64\Ldkdckff.exe

MD5 53feaff7a0ccb0d68432abcb0565b6a0
SHA1 3c2d9f2fb60bebab0ec2845af09d6264c165a587
SHA256 7d0f342f9ae1c387fa9a096e7271beacaf487db383bce2bc750655161775c4a2
SHA512 60b9a991b035a8ad0ca531cac5d82b95e0b9618510ebf38ea66942e606fabeda7142aa071859877a20bee89bf7eabe9982cad48025a939e6cd84cbd63c58c4f3

memory/520-176-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2364-179-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1608-178-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Laaabo32.exe

MD5 9a7825df89b563ea6677bb47a460a3fd
SHA1 28cd2c7dbeed6f73314f2e64a6aa1727c8bd02a7
SHA256 d57da492bc08841784abc878346f8b3ab5b681408cb253c8d3e47dcbdc05fb9e
SHA512 143e5fc58f5d0ebcb78ee35043e567a61917aa8f0930b24333c45c998fa37120839a221b41495acb2dd0645eec4b97f5b4b79b16d488921732c2ce04243bc450

memory/2280-196-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2840-195-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1608-193-0x00000000002E0000-0x0000000000324000-memory.dmp

memory/2364-192-0x0000000000220000-0x0000000000264000-memory.dmp

memory/1608-187-0x00000000002E0000-0x0000000000324000-memory.dmp

\Windows\SysWOW64\Mgbcfdmo.exe

MD5 dd646de06ba7663af09f5b83447cdc23
SHA1 38240bb17fb3a38e60624cb84c8730f508fed327
SHA256 5d4a8126ac3d4710072ca631f0fcd720aa83576adfa889a6271f51bf64d1e46a
SHA512 617fce16004eb23b043ad7975ebdc2b3d26a29bc81df4f51cc2b057e51fb14d70a79c4d7b50bed4daf77c143e2b80ee9f89b6e03b8b8f9ba057103207d6379d8

memory/2172-210-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2172-212-0x0000000000450000-0x0000000000494000-memory.dmp

memory/2280-209-0x00000000002E0000-0x0000000000324000-memory.dmp

memory/2840-208-0x00000000001B0000-0x00000000001F4000-memory.dmp

\Windows\SysWOW64\Maldfbjn.exe

MD5 3c6661a4d137fc70ca3b64f9f32a6cd1
SHA1 1f1b7bf59c4ece5bde4ea26d08802ec0b62f809f
SHA256 68cd886a6476587ad84b5e2d78ccc335d833657a4e3890e802edd40b2fcf8d11
SHA512 ec0ee72ea65c25323d1da98316c393789749d7ec73498ded0c4478c1c0481ca8bfbf4f28820f671d8432930d0a02b012dab7d4a177b58b000a8e807c1c67c097

memory/2104-222-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2104-221-0x0000000000400000-0x0000000000444000-memory.dmp

memory/520-220-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2104-227-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2464-230-0x0000000000400000-0x0000000000444000-memory.dmp

\Windows\SysWOW64\Mneaacno.exe

MD5 3cce99c95a860ca36910e1b9e76fa098
SHA1 84c3255d9cf55439f83c81556760424c8b4a54a7
SHA256 f0f976e62059083ac66a947952d3e962ca9b7024c3517483b0a24dae6735e33d
SHA512 2ae0b37270a4c460fd3af1583e28cf2f19877a1bf43c6390d168e202bf67fafb0eeadbcfc3208f9171ab0a8347e10fd6c1629ef5adb98a292c4d8f2c8fc16b13

memory/2364-237-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1932-244-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2364-242-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2000-256-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1932-255-0x00000000003B0000-0x00000000003F4000-memory.dmp

memory/2280-254-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Ngpcohbm.exe

MD5 959748330afd599a0aa32f975ee39e03
SHA1 abf8aa30e8c90de52393a39409bc32e4bde98f2c
SHA256 50fd62f58b647d378dc9c47d858bf594b28978f58eb5babee0ac0a9f50adbab6
SHA512 6cb90f19ac48e555e449d6b8178da4c74e3922a01ff4e8231efb6f8cb90e9bb70f8bbb4d9f2da712704327624547f530e670667155b3abd6aff986ec83563aa6

C:\Windows\SysWOW64\Nnjklb32.exe

MD5 61e68ed5c63ab937b7d45841dfada594
SHA1 5c9756b969ff74c387cb018574798b27fae9f4dd
SHA256 60057afb9b3212eeec6f4228047b5d43356affcfa928cf2c3227d05f784ef02f
SHA512 2bddcd52cf69a4503bb13389d37b59632ff17047d05f341ad5f688bed3534931ab95d6eb785c556880138d46f488035fd7d0502530468a11a86093070b7075c3

memory/1520-272-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2000-266-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2000-265-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2104-267-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2464-281-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1716-280-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1520-279-0x0000000000220000-0x0000000000264000-memory.dmp

memory/1520-278-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2104-277-0x0000000000220000-0x0000000000264000-memory.dmp

C:\Windows\SysWOW64\Nknkeg32.exe

MD5 23957e7968c6b32802aabb2b14febcb8
SHA1 e79de006e296358bfc63ea1f612e16702fb435dd
SHA256 505d203fb866db0fddbd99baedbff43f465e8e5deb0f83acdf79edbe069b9ce1
SHA512 5b2003b88a3d54302f45da35f903583738cefb327279d9fa275be524e4be6c43da06e270fe344426d0b59aff2e99c57d5df451ee42bc0d3b651005db5fbbfc92

memory/1716-287-0x0000000000220000-0x0000000000264000-memory.dmp

C:\Windows\SysWOW64\Nhkbmo32.exe

MD5 757dd8ae4ca7b2926a23c95617e3aa4f
SHA1 2ddf0bb82ae1085770cd9523b8e0601573c70775
SHA256 025554db778f5eb92cd75d9d93d90846cd7cdae5cac19caed6e4839f73018379
SHA512 0c944fb380591701aa2452efbe0dd0739e7aab68aba9efd677fafcc7636b121452d5190d96214e30ddd4c673b59db0d6ca76a19c3efaf5bc87a3da43f5563895

memory/1932-291-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2072-300-0x0000000000220000-0x0000000000264000-memory.dmp

C:\Windows\SysWOW64\Odacbpee.exe

MD5 47816aee3f2f32bc86766b9ac4d943eb
SHA1 e1f155e7ce13651cb5cbb431d51f8d5671c3c704
SHA256 4ca4fc75ddd3c4ed74bf28d6c339ce3d1bb55fac9c5e2bfdbd6de9fcca98acae
SHA512 3c7bf8c6bc091b3d4275c1031eb4590109876b0ba27cc23d7c7681f2ff7f0bc03c2489e3211928ba7934fb084200deaf13422d4b6e84ea8d08143e614c00e51b

memory/2000-304-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2000-299-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1932-297-0x00000000003B0000-0x00000000003F4000-memory.dmp

memory/1932-296-0x00000000003B0000-0x00000000003F4000-memory.dmp

C:\Windows\SysWOW64\Onldqejb.exe

MD5 d0f90a5097575b8cd53597c49d378859
SHA1 0f95743c1e67972940dc02c606a18e59fe7fe4a0
SHA256 e061872b46b9b3b8917808ef479ac773040afbda9a674735802884944da72a44
SHA512 84960275d41013f8bac8c6e0cec0fa924db29f163fd95ab6987f78367da3545fcef63e8a7adfa10cdf497c9f86608c53d883003f5daa276a41c055e755edfcf3

C:\Windows\SysWOW64\Ogdhik32.exe

MD5 f0bc44ba66c1226d5d661d4885bfb93d
SHA1 072629ec70ff5024be02e4d80976de0a13d161d7
SHA256 74ff026be7eec0f2db222c53f5acd5d2785b358fd3a280efec0e9f74ec34e6a9
SHA512 7848509345389816ababf11d38e139af32f1cb9f7fe5df3769b55bccdb9473d6b7ab71e50fd9cd498fdf27de191898fe0cc23e3f2fb7a93d672627fbfc372549

memory/1520-315-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2476-328-0x0000000000220000-0x0000000000264000-memory.dmp

memory/1588-329-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2476-327-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2476-326-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1716-325-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1520-324-0x0000000000220000-0x0000000000264000-memory.dmp

memory/1520-314-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2000-313-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2072-335-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2724-340-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2072-346-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2724-347-0x0000000000260000-0x00000000002A4000-memory.dmp

memory/864-351-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Oqojhp32.exe

MD5 8a4c24baee50453534375fab7f08d58c
SHA1 5d1a936f2d984120f5ed1fcb20c070cfa2224b58
SHA256 83febb3520dd1ae3b8837a723a634e817ac436d7fcc3c634c9431ad6278819c6
SHA512 892875712c1373fe0eb8698e200993b18ae74144d1e15be4e01d45fb9ee7ada2df695a8a765ed52d9fcc771d11b8d826b44d78869ddb0361ffacf71d369b2b04

memory/1588-339-0x00000000001B0000-0x00000000001F4000-memory.dmp

C:\Windows\SysWOW64\Onamle32.exe

MD5 b006c157d0cb5ed28395343ec08fe5c8
SHA1 7d0538122d040be0e4326c39c8bcd7eb6856614c
SHA256 b6113f7752411cbd76adf7ce4fe1448199d151f64380034057d782418ac36450
SHA512 83722317e8aa1e39bc35bd95f7a6663dd48a5158f085ca484895d1ba8284080afe0007763af1662255b504942fc71b88133fbdcbf473a25905da188f8761a4ef

memory/2576-357-0x0000000000220000-0x0000000000264000-memory.dmp

C:\Windows\SysWOW64\Pjjkfe32.exe

MD5 6073481a4cd626d4b6496a3a1cbcae0f
SHA1 7cee8eede8c64adc7cdbf461d6cf9664a72b98b6
SHA256 2558c5858283925ac4cc4060412294ec5254483d3e437782afff137851f28cfa
SHA512 ec279d887ae660543069bed263c412e81febe20593934f6d7acf515fff1c76d2d76240480e4c73bcc3ee2268e9c83e0429c67e09c2f4f3ffe9c6d72df9e897ea

memory/2476-363-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2748-362-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2476-361-0x0000000000220000-0x0000000000264000-memory.dmp

memory/2748-371-0x0000000001BC0000-0x0000000001C04000-memory.dmp

memory/1588-370-0x00000000001B0000-0x00000000001F4000-memory.dmp

memory/1588-369-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Pcbookpp.exe

MD5 9d17f7feca36764c59a4f0797719c5ae
SHA1 e6439df61b1f205c78b17570f6bb6fe3e70bb4a6
SHA256 a15f9343ada34a0f9f4c683c6174513403288da428258dba97a884c5b6391ac2
SHA512 55a9d3349837c0f7f1e429223425ad314dcc8aab90ce8ddbcd0de4e0051270f231dc2ddbee1e189851769f061de323891e5845ce47fc4755a11401124b83e720

memory/2092-375-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Plpqim32.exe

MD5 eca2d005cb4c26dcfe50854b8ce4c378
SHA1 22e2ca0216048c0782f3b00147fd2f97bb2b31b8
SHA256 9f23ce3165e8818d804ae9acea3a6d83fbf60b00e99ae07f49e66ac14f2632bd
SHA512 031eaaef42e46bd980b763142e1096a5c6601b7ebf3e01e2ce16b2e8daa0c191549301bc668c7f84d86c1f3e8797a93fbd514db0009eb3277071dcb939c492dc

C:\Windows\SysWOW64\Qemomb32.exe

MD5 0b174a84b0cfbdc053968f0df666a825
SHA1 52c88727e42a39731e0a96c16ac19a8a90ccd2c7
SHA256 b6577ccbbcb24f698ccd8aaaee15abb54ff133fecb531f50f87c3af5f3c43086
SHA512 80ead0b6258eebdc1ae97c68de0abb2598ab9959dbf49c544c5171a70cdb87c9d5b8ec9c6eead134cc52256f01ebf541d059c4286d7dec8b43613e0fab462b9c

C:\Windows\SysWOW64\Aadobccg.exe

MD5 e1195de4c355447a03e0977b62322695
SHA1 36e7bc28f8ae8a16af6919f8b83cb33f67067250
SHA256 bf6e2381becb9154797fd7a22f0acdbc0f0dd474d7b19fa6bf939bbfc34e7393
SHA512 b390956e5d2f4ce867367823476b48f70db5da1bd961dcfabe1355a0ba92ff28250478f29bd244a39b9a9e0cfd62ff620bfbdf1aab5f0c6465ed4765a0f3dd39

C:\Windows\SysWOW64\Afqhjj32.exe

MD5 70d21a85549695d0e95bd3dc1930260d
SHA1 4433d8351c22627c5a27aeeaa41be96c555373fa
SHA256 8f7f648cda6c9d8f317ce8c02c4b523ec3503123f213a4d1f052532d5093c2e3
SHA512 48e0663b40fefe75f571f8115f7ae6c32ca78f80844cd618bd8d856096a020d292eeb1dec9a1fe1f37dee2be48bf9470365bb2fb2b1bf90cc254ce1cae20ab83

C:\Windows\SysWOW64\Amjpgdik.exe

MD5 5288933cc0c365db4421adec3491aa62
SHA1 30ee4fc6706819da9a76fdf64e0c11265993234f
SHA256 bdd8b397f7a7bcd1fc751cc3bdaa7ad25bcafe5da06a7069e48b55d747825e60
SHA512 a1168391929937fdd2e34c220aa5c7e703110d7a3f18045b14880acefe2c3e0e3eefc96b74476a61714d4cdb2e128d77262faae16613933a53b069e9a1e5134b

C:\Windows\SysWOW64\Aahimb32.exe

MD5 10caebd27ac335bcfca198af8faca0d8
SHA1 c47c21d934392931b76af13c5f0939f10aa751ef
SHA256 2400438dd980682aa8476942549b9bf9df3b893163813d468521807f3ebb392e
SHA512 811009248875823ee930f2dd77fe424bdf22d0ec04ed9f644ba91c73b8de775f8a0b4d09312dbe6759ffc13494e297ff6fb7c1256878a6d3b50049f57c2014bf

C:\Windows\SysWOW64\Ajamfh32.exe

MD5 b2803b02af5aab6f9ef40c9052344273
SHA1 ce44e676faca6825f057cdb60293a8dd58848d69
SHA256 d17054a763daa573d1aa63029bcf6b926ba73a8339ed0d8d398baabb4b4a68db
SHA512 8d06a99f8696c283bbaf97d7c4a3f5c7b1cc427d714a3e97796b7112052bcdf634c84019edfd5530174f89da4dbd5393bf3d4118ca7e88114b4d2e8a0162cb40

C:\Windows\SysWOW64\Apnfno32.exe

MD5 f2d003ec6ff0367e831b9d9df63d2c2f
SHA1 64ffa6841253f61593844861d154ba96b240f769
SHA256 e2d172bf95fe082fa4b697a45bb3be28b6f9e99c2efa1e4df028976073bdb557
SHA512 8f1eb0f8efab9079d69bcba485e37575ccc4960723793c94c65d7c62e4fe8b8731af8c8dfc978cbd4553753da62d59ac06d667beecdf42cb146a5729db6f54f4

C:\Windows\SysWOW64\Aldfcpjn.exe

MD5 5a54e5a48c39d24bd46b422cedf8fc92
SHA1 b869946b204e19553a239240e74ccf266ae6fd40
SHA256 31ffdc0b2b3997759b8be3a08010e7d2d7141b4d538469706694668fd4aebfd1
SHA512 591bfa5e94f94f8876e58e20741b1c72fd957ff0aa9643e5559b778699f8b590557e59d1f2ccd792be3ecfa66bb87b3f93e4be7ec33634b2abc7c1d80eb1ec0c

C:\Windows\SysWOW64\Bemkle32.exe

MD5 d01dffe028164622f572700fcf041348
SHA1 41ffefe2ae5e0137b38c0be0112f793044d3a8e6
SHA256 49b43ba53958002481652f7740e51cd4a222773b730b7229911759230ad29239
SHA512 6a99231d090361eddd7c8ebcf8e63d75ca3ba79917a159146e6b41e78885cce50aa72d75636c91e969dd28c55dde5fdd1b5726872d8b3b35ceb2ecd51ac41297

C:\Windows\SysWOW64\Blgcio32.exe

MD5 84fba0a0a1d683f1465e33d978848da6
SHA1 b85888022cd0700cc8e08a137b27dd523d1c880e
SHA256 23e25eccfccf32c459260489f889a04e73185e9f62c22be9d220d2ea9e108d93
SHA512 54a3c615284f8762feaab43c64988e3d4b0c455316212d8cb468c65920e7af644a2eb26407541a6f764d43c4866140a658eddc066406e719a716ea757cf2d3a6

C:\Windows\SysWOW64\Bbchkime.exe

MD5 01e2128332658afb7e9c1dcf3bdeb6bb
SHA1 ab16e60aa14549fe51a1f01ab5ca2fac123366c7
SHA256 c5aee2bac4c2800e2f784aa69d4db11fa2fd7aa6d404b3aba914e6eb9dfbbd8a
SHA512 1ec667ac17051b281809018e6b56e297e638378a015aa0c6400f95f291b8f12ecf6285a3095791586a653c24ce94d659a15bff38ffe4d1bcee36d48182543a7c

C:\Windows\SysWOW64\Bhpqcpkm.exe

MD5 21d08e85a8fe754c4860342cb9bb72c1
SHA1 9fa9d1e48204b4d28c5d3ec223bc7d1be6b5524d
SHA256 e0a205a8f55b2a957871fbf7b3f77e8323ea157755da880a5dbb97eff21ba8d8
SHA512 60db9176cc6a3554893cbb000f0405ca13c8740243fb05534d35feca3b55a4d295bc2069bc2d816551965af3c2622f0eb831e5832f93ca352b09f39067c047a1

C:\Windows\SysWOW64\Bahelebm.exe

MD5 79cf4c09cee3747c54b5a781320b64b7
SHA1 56735765ce2ae7220b2f1aa6139fa0303731aa39
SHA256 51baa156f6cd06aa4b3b4cfd3fbfa26dfe3578a16bdab6c0a69c0b52027f121b
SHA512 4d9694a067703d73002fd268d84d606a1c895e8d95b387e2eb707cbd3f70258ac3af3018b595e8d11eddbf3b5903a27f68c22703ff3ef2dd7694c1cb294124ef

C:\Windows\SysWOW64\Bhbmip32.exe

MD5 07e35271acdfe1749c42201de8ced23d
SHA1 66749f66b796d241ac03d5e5ed7a0dc477b21241
SHA256 ee846577ae13aa1dd20fb9e1c14bb02b68bc803336afbe4fcd1921f0be64a50f
SHA512 7cfcc2e177d8d5bffc6d7cb15852d80e1398fec5d11e8e772ad473dec75a11c475b9e1ff82479b821cbf83599f817c5e54dce948f57f9b62ed5c302876c2eb1f

C:\Windows\SysWOW64\Befnbd32.exe

MD5 f569c56984f1c85b6c345424eb376be3
SHA1 e9b618027c2536f1a97def551d4568103dfc93ff
SHA256 603524d18f41887ccc5a4553347c7cff4f2c1762f9f3f403aff5546e368ed129
SHA512 e3d7be94338ac2901f8308ec9228f28f6f4c4956860940e8a145930fb271d3abfa7c159bee2c1334a5d83254961a229a7e869fbe48bef8f272dacc3e4f129a98

C:\Windows\SysWOW64\Boobki32.exe

MD5 278104dd398e95498fdebe65d60b4c92
SHA1 2486b191f9a3ba86f79d3a51578c8b52a796683b
SHA256 e367b166135770e70ba920d2b8159830f3ff69448e28730053b28fdb638c2662
SHA512 48a9bf31c0dd2e8a48f1b20cafa6f6fa4c9259c6541f834b689b22969a9250960e1f6519c3268b06999260ea371449b8d009a88004734034c31d86f91e5c6c37

C:\Windows\SysWOW64\Chggdoee.exe

MD5 2cefec8ac03b8831df6ff9fbb8f1175a
SHA1 e955f719ad3501f3269bce1c7d713b60dcd93b67
SHA256 176a709f0cd73d2d9b9acbfe3fa42589b3fdb6d81dcc2b83089113610a83604b
SHA512 406b72a042061aaa4a039156eb1b98594a5cdc00c1832c031c406e754670c981e5c84aa59a6885be0e7b92253753a7618b1741397100e5d769ddf08bb449f2dc

C:\Windows\SysWOW64\Ckhpejbf.exe

MD5 e8e6600317d34114a92eb1e201845c93
SHA1 1c35968cf8b3573ed9a09207298f9a2b378e9f5a
SHA256 b48c0c1c29f5ad7d991796001c54d5c1f484603d594e4450b9c84255ee2a9e48
SHA512 6e45ca2bd73507e641a77c35cdc2c457f56d0b1cce917fe6e306ebf46273b5042df8137dfef923010dbcd6b4d6e145f29c032352350143bb08a0ede83da98a03

C:\Windows\SysWOW64\Clilmbhd.exe

MD5 4b3b5e59fe3025978bed928a26b2358d
SHA1 fab0f942efe8d98ca7e692470c17fca8c3b7751a
SHA256 e2da63974cb4cb052818903509c6ed61647f87453b449b53e14fb2191e426791
SHA512 e93878e95f34f8024b3e625be1103b08ef52487f22b23e27825149e7f49f6b65d0ba616673676094a601c5643f77d5eeed7d4b948f57592b0015218f77aae5ab

C:\Windows\SysWOW64\Cpgecq32.exe

MD5 c9084ecc8ce34ed7929eb05522562a07
SHA1 7a7fa7a539f01c7672ccabe4f5eab5b78521a7e9
SHA256 f9c9ab8612be041e95a12bd1497605c93401c5e5e8da132ef82f4dd5e9756e6e
SHA512 ceb64c5394c85b23198b6a01e9c610cbe6a2a6f9bb0da0cc4c9bb348d0e52bc39752b5f37a0f71d3de704f65cfb61b49487280deaa84d85267e8a57c6fea1c15

C:\Windows\SysWOW64\Chbihc32.exe

MD5 54029e19fb0779f6508abfb9fc4985b3
SHA1 d23b64bd055464bfe64fbcdf21c42116af945fb2
SHA256 3eaa7e7e9c38f37dffa8ddbbf6ee94affa165aa066cc25fe2c7d7ce3ec3fe41e
SHA512 97b7adb91f47dc2f225386df6a1c4eaa1ce5cdfda488cbfe515305a931ba96c5b9ae4be573facac798b07e0a17468e256136e12a348c45d344af2bd8bccb4d38

C:\Windows\SysWOW64\Cffjagko.exe

MD5 4d7615565afefd83dd98b1958ee00d4a
SHA1 29908d84227f4d5d42b7a6cd0c585c321f9faf5c
SHA256 ad2859b97aca07c928cb7da1562e980adfe9900a59be0a42853438addaef72b6
SHA512 f41c2de9a87f686af2cf07909c1557ac3a1adec5fe7576abab9b5968c26439e02b84791cf764658717e37225be98cacdffc52babf447f464da1533814663efb5

C:\Windows\SysWOW64\Dcjjkkji.exe

MD5 de52603ceb6dd0870f709035791ac373
SHA1 129ee0ffd8e9f9fef3e461fc11210f4947d85ad0
SHA256 dd7322c19dab7a25bafaea1761f166a30824d9b1a7ca882b2c0c72ab70ced6ca
SHA512 c56301d07c459d379a7dbf3a236b565a91a1cd812338f96f7948f83013a023f6dfb43505f9efc5ac168aa82800b76d610e0280d7c7671521ff1208e678209e5b

C:\Windows\SysWOW64\Dkeoongd.exe

MD5 f1ee17fa3cf54525352bf7751d5ace2e
SHA1 dbcb16b1786291f62b4e7ff4c21c3e8991414d3a
SHA256 d31ddeffb3bfc252564687df5fa53e79891a238491886fd34a7d171169a2618f
SHA512 e3207526a90d490ebdedc8b1df55d3e9152ec58352eee62fa22051b1b100c88a4f94ae3e6703bd1513808a2a3da90b7bdfff84b6f15ba23124f5d7cf0c9ac3c2

C:\Windows\SysWOW64\Dfkclf32.exe

MD5 6aa5687daf27199654d90d2c10f27e35
SHA1 b7c636147be27697484b1b07d65b149d7410bee9
SHA256 f361e871546c458fd024453c0fc596868f91640ba572144fcd73517bc44a995f
SHA512 40d529d0afedaa82c0000c37b7069de610a0b17ef320da5752084b0dc181c4ca64c2b53ef7c872cfc7d9bf1f14a704d156a46c35af3b680eba8b3d91d2e18bd8

C:\Windows\SysWOW64\Dglpdomh.exe

MD5 256562bcca24b658302d4aca714d845d
SHA1 0a1d45770288f92c13ef17a7326a8d855cdc1763
SHA256 4a44af08ee8461a871983b415c1dcf00bb407679bdd38b6d344ae5724ca6578e
SHA512 45bd51f48f50d686f3b7102e6d81bf68d4d31b796ebe3c660fb69d61e59b2d4ca516612cdf7b09201d0209e236ffd6e15b8d973683a8df8780656d72294aa767

C:\Windows\SysWOW64\Ddppmclb.exe

MD5 623eb43359ecd9d824c8602e1df64317
SHA1 4a1889dec3372525f5ce5fb2d9b888d130dbe059
SHA256 cdce06ecc60ceebb05f50ac940fd836b04d5437e6335346ff7d837481c8ab8fb
SHA512 57df85b133fc7930fdaa55a95bae07991713da45fee07700254813dafa12c59312c449c7b46a73e1d7115b16876886b66f161deb4aaee0f7fbd22766342fab76

C:\Windows\SysWOW64\Dcemnopj.exe

MD5 4c1c99e92d13593b854272a09362a7c4
SHA1 f677a21c352ec0238df5154812fecb407b15e659
SHA256 bfff9fa44d9ec3d9166c204b8e724835409e4eeb92a32432cd645c594e8c9b16
SHA512 bf30cf3862822ebd0f5071c3c9b4d836a6adc25b854c1852f3106f5d269964ec85ebaff4c6852550eff9c56a7180b559ce4a2327ae88aa18500a0259fda99d0a

C:\Windows\SysWOW64\Dnjalhpp.exe

MD5 34500396be8deb009854a07132e0b98b
SHA1 f101a17ff3f5f0dea0bf1fc4a02305a1b500575b
SHA256 ccc417833348269aa33f39542101d3c5d15eabb8e942a0ee20829f21e67a0bda
SHA512 64a9e438703e8e7d4d9c94b75b61f1cbfe9fc4c216628add2d4531573530fc9ccb593ff9ab3d5a917277ba3b810ed2f217af26e9faeab92cbac3df88c700bbd4

C:\Windows\SysWOW64\Egcfdn32.exe

MD5 fe4f42815559022eee06a30ccf548333
SHA1 bac8c6db7258a378ad9f3bf738c3c6af3ece39b9
SHA256 159ca7759913c2f86a0d661cab33cf1c290c1f4a0a77a475dbf6925fbe780d05
SHA512 f34e120a05b6f305883884ace6c19ec1ebca95957f3cffaaf956474298ac31580efa5c7bd51df5cafaf1182c25c95700aba69683995a228d959bf516fd45b9ec

C:\Windows\SysWOW64\Epnkip32.exe

MD5 7c5c29f7d6906651dda5a61275131e9c
SHA1 43c7409d0d1d85ecde7d378b4fd3154622ebc0bd
SHA256 e9692f7c66c3bb6eb0d8054aaf0a95095eaf9899a0db4ef94687c5de43424f92
SHA512 4194dde1c4e693fd45a6fe20f82d8696656aa3f9844b64379467531da45826c4d1794172a9187f8237519c126720b5b5f26ba81acd5376e2a9072f2c664c5083

C:\Windows\SysWOW64\Epqgopbi.exe

MD5 e6ddf1148a5957f5ad1a34b47842bfca
SHA1 86b90736ca9eac29bd4193ccad6e6c622acc92cb
SHA256 c5e02106d325e0444316716d21e68834bf2ae64f0ffe4fb7dad9bdba8b31e2c6
SHA512 619f2587a479554f5b2489d5ad6f45d3b26dbeae76f7a4e910b18201a014065924107610d306f7560748902834b2174b94279581411ff32cc2a9db0946236025

C:\Windows\SysWOW64\Ejfllhao.exe

MD5 1e934e6facc16bfd0df807c541bdbf5c
SHA1 56ed61c6034af22f43ff856e113c2635b1fd32cb
SHA256 d432a6b07d4fb50f44f6217164379e5e488f0c3bb9e5c3b27129197d1aee5ad2
SHA512 381c0703d88e5122f5315279747ec4d337ec4ef9a45d3e7737d06ad737d96d698bd8890d7740ae48099e73dfe314227f72cd67e58558686b0a6e52c295ccb57a

C:\Windows\SysWOW64\Efmlqigc.exe

MD5 21dbfdd8aa4e7befbcf941fdfb6d3041
SHA1 827115e7432cad43018008c4033b8c77178eac1d
SHA256 c91b2c8424b12aa6d2b456c249dc445c05c20c1ddc6628bb89085802eae7949f
SHA512 55b4d005c935c0ae45af1903cb645eb4d24630505f54f155ca8f5d8af3901192e96fe650d1307f39e4e6234e02b6033f6bfcd502a92f2172582e041134efe61a

C:\Windows\SysWOW64\Epeajo32.exe

MD5 adce540906637ffd733e16532b63aeaf
SHA1 82fc772e4bab9e65fab878c7abc48997ba4fe384
SHA256 0f0dfb2f02e4b269c7120b4efbc86923b71201b1f68f80dbea82d1bfcca4accc
SHA512 d6cf406d5dffcaebf5a048e2710c4f738a0b361738b68ee3efe4bf92cb45be63be9e5693c81f2fb2c3d63a16751a1336faad1b52bc875afc7d45c032cf17dfbc

C:\Windows\SysWOW64\Efoifiep.exe

MD5 f70d7c4db8f7915375b41d627b5f70cc
SHA1 6eb3f298ae8f3336b3adb86ae13d1ee394278898
SHA256 2ebc47a1efc2502a58466e854b148cddf696de985769eed92a2860af1df663fe
SHA512 99c41fb086f566cb6f0f6cc5e33055acfc054398bfb264c12062f4855f123db0037d888d84d4e2ba0f69bace07a85a188529b6075f65c173a75fbb738d4b024f

C:\Windows\SysWOW64\Fpgnoo32.exe

MD5 776e92a28a440c141753e0aa98c0ec1c
SHA1 783e2031aaac4e6c9aa86577e8bc14f9ea155b91
SHA256 95cf099b70833ebb92ca7858966f316f2b09098b2f9e4d4141490889bb35259a
SHA512 5b73658118759f3367eedca0989d7d0e60186ecddddc3375de585439e0dda4196a9641ba2bfd0f0e68f1bbe98ff351343045dff4f3bb29728a19ab429d957503

C:\Windows\SysWOW64\Flnndp32.exe

MD5 1a24ed9f8322da53a9980fa037d32f16
SHA1 4621806bc03ba6f039be6b8be3265dc7c39c4075
SHA256 45f76e958a308e3c11b87c8e08d3d8090fa249676da908fc4701874d50c52716
SHA512 d452cbc5a6dd156b293df01d048f9eff448c9ad0a5cf2a1c55bd5d0368ad26ef0af3049accc05d6b33536f3601a5265e25028493f88664fc668ce4411113447b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 15:50

Reported

2024-09-16 15:52

Platform

win10v2004-20240802-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcjcnoej.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmmmfj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oaplqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gfokoelp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jddnfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcikgacl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qklmpalf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klhnfo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnifekmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lomqcjie.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpgnjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpjmnjqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgdejd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjmoag32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chqogq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofkgcobj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flinkojm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jilfifme.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iljpij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kqphfe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjmfjj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bafndi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilnbicff.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kclgmq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddnfmqng.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Geohklaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lopmii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boenhgdd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgelgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdkoch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmafajfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kqfngd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aojefobm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Coohhlpe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbnmke32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnnjmbpm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjaabq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onapdl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icknfcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljobpiql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffnknafg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmkqpkla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilnbicff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jniood32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pagbaglh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjfmkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apjkcadp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kqfngd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnfnlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnbnhedj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnmhpg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dijbno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgbpaipl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boflmdkk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckpbnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nelfeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oacoqnci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmdgikhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Igbalblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Okkdic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adcjop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akdilipp.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ahgjejhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmobchj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajggomog.exe N/A
N/A N/A C:\Windows\SysWOW64\Aodogdmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfngdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blhpqhlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Boflmdkk.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfpdin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bljlfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bohibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcddcbab.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfbaonae.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhamkipi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkoigdom.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcfahbpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Bheffh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bopocbcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfigpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckfphc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmflbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Codhnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfnqklgh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccbadp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cioilg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbgnemjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckpbnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfefkkqp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpnkdq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djcoai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkdliame.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbndfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpbdopck.exe N/A
N/A N/A C:\Windows\SysWOW64\Djhimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpdaepai.exe N/A
N/A N/A C:\Windows\SysWOW64\Dimenegi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpgnjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiobceef.exe N/A
N/A N/A C:\Windows\SysWOW64\Efccmidp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecgcfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejalcgkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Epndknin.exe N/A
N/A N/A C:\Windows\SysWOW64\Embddb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eppqqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiieicml.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpbmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbajbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flinkojm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjjnifbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmikeaap.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjmkoeqi.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpjcgm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffclcgfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fibhpbea.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdglmkeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fideeaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Glcaambb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdjibj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjdaodja.exe N/A
N/A N/A C:\Windows\SysWOW64\Gigaka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpqjglii.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbofcghl.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjfnedho.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmdjapgb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpcfmkff.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ojgjndno.exe C:\Windows\SysWOW64\Ohhnbhok.exe N/A
File created C:\Windows\SysWOW64\Emoadlfo.exe C:\Windows\SysWOW64\Ebimgcfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgpcliao.exe C:\Windows\SysWOW64\Bdagpnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Njinmf32.exe C:\Windows\SysWOW64\Ngjbaj32.exe N/A
File created C:\Windows\SysWOW64\Cndeii32.exe C:\Windows\SysWOW64\Chglab32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlglidlo.exe C:\Windows\SysWOW64\Hmdlmg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oclkgccf.exe C:\Windows\SysWOW64\Oanokhdb.exe N/A
File created C:\Windows\SysWOW64\Okddnh32.dll C:\Windows\SysWOW64\Qaqegecm.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdjibj32.exe C:\Windows\SysWOW64\Glcaambb.exe N/A
File created C:\Windows\SysWOW64\Ahfmpnql.exe C:\Windows\SysWOW64\Apodoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jlgepanl.exe C:\Windows\SysWOW64\Jiiicf32.exe N/A
File created C:\Windows\SysWOW64\Dakdmb32.dll C:\Windows\SysWOW64\Gdjibj32.exe N/A
File created C:\Windows\SysWOW64\Mkmkkjko.exe C:\Windows\SysWOW64\Mcecjmkl.exe N/A
File created C:\Windows\SysWOW64\Mogcihaj.exe C:\Windows\SysWOW64\Mmhgmmbf.exe N/A
File created C:\Windows\SysWOW64\Mnokgcbe.dll C:\Windows\SysWOW64\Onapdl32.exe N/A
File created C:\Windows\SysWOW64\Oacoqnci.exe C:\Windows\SysWOW64\Oodcdb32.exe N/A
File created C:\Windows\SysWOW64\Gepgfb32.dll C:\Windows\SysWOW64\Fmhdkknd.exe N/A
File created C:\Windows\SysWOW64\Cfidbo32.dll C:\Windows\SysWOW64\Iomoenej.exe N/A
File created C:\Windows\SysWOW64\Jgmjmjnb.exe C:\Windows\SysWOW64\Jofalmmp.exe N/A
File created C:\Windows\SysWOW64\Ngidlo32.dll C:\Windows\SysWOW64\Lckiihok.exe N/A
File created C:\Windows\SysWOW64\Mjodla32.exe C:\Windows\SysWOW64\Mgphpe32.exe N/A
File created C:\Windows\SysWOW64\Ocoaob32.dll C:\Windows\SysWOW64\Gmojkj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jlolpq32.exe C:\Windows\SysWOW64\Jnlkedai.exe N/A
File created C:\Windows\SysWOW64\Kgkfnh32.exe C:\Windows\SysWOW64\Kodnmkap.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpdnjple.exe C:\Windows\SysWOW64\Bmeandma.exe N/A
File created C:\Windows\SysWOW64\Codhnb32.exe C:\Windows\SysWOW64\Cmflbf32.exe N/A
File created C:\Windows\SysWOW64\Jgpmmp32.exe C:\Windows\SysWOW64\Jpfepf32.exe N/A
File created C:\Windows\SysWOW64\Dpglbfpm.dll C:\Windows\SysWOW64\Mjahlgpf.exe N/A
File created C:\Windows\SysWOW64\Manmoq32.exe C:\Windows\SysWOW64\Mnpabe32.exe N/A
File created C:\Windows\SysWOW64\Leifdf32.dll C:\Windows\SysWOW64\Anobgl32.exe N/A
File created C:\Windows\SysWOW64\Bgmioggn.dll C:\Windows\SysWOW64\Fbpchb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njmqnobn.exe C:\Windows\SysWOW64\Ngndaccj.exe N/A
File created C:\Windows\SysWOW64\Mnkggfkb.exe C:\Windows\SysWOW64\Mkmkkjko.exe N/A
File created C:\Windows\SysWOW64\Jbnffffp.dll C:\Windows\SysWOW64\Odoogi32.exe N/A
File created C:\Windows\SysWOW64\Kkjaopom.dll C:\Windows\SysWOW64\Gfmojenc.exe N/A
File created C:\Windows\SysWOW64\Kofkbk32.exe C:\Windows\SysWOW64\Klhnfo32.exe N/A
File created C:\Windows\SysWOW64\Hkfoel32.dll C:\Windows\SysWOW64\Oabhfg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfmojenc.exe C:\Windows\SysWOW64\Gpcfmkff.exe N/A
File created C:\Windows\SysWOW64\Gahamgib.dll C:\Windows\SysWOW64\Dbnmke32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljceqb32.exe C:\Windows\SysWOW64\Lgdidgjg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe C:\Windows\SysWOW64\Ngqagcag.exe N/A
File opened for modification C:\Windows\SysWOW64\Gmdjapgb.exe C:\Windows\SysWOW64\Gjfnedho.exe N/A
File created C:\Windows\SysWOW64\Oajpfn32.dll C:\Windows\SysWOW64\Hkfglb32.exe N/A
File created C:\Windows\SysWOW64\Adfnofpd.exe C:\Windows\SysWOW64\Aednci32.exe N/A
File created C:\Windows\SysWOW64\Emjgim32.exe C:\Windows\SysWOW64\Efpomccg.exe N/A
File created C:\Windows\SysWOW64\Ebimgcfi.exe C:\Windows\SysWOW64\Ekodjiol.exe N/A
File created C:\Windows\SysWOW64\Iocedcbl.dll C:\Windows\SysWOW64\Amcehdod.exe N/A
File opened for modification C:\Windows\SysWOW64\Qmhlgmmm.exe C:\Windows\SysWOW64\Qoelkp32.exe N/A
File created C:\Windows\SysWOW64\Ddgplado.exe C:\Windows\SysWOW64\Dfdpad32.exe N/A
File created C:\Windows\SysWOW64\Mmhgmmbf.exe C:\Windows\SysWOW64\Mfnoqc32.exe N/A
File created C:\Windows\SysWOW64\Ikbfgppo.exe C:\Windows\SysWOW64\Icknfcol.exe N/A
File created C:\Windows\SysWOW64\Fnlmhc32.exe C:\Windows\SysWOW64\Fpimlfke.exe N/A
File created C:\Windows\SysWOW64\Fenpmnno.dll C:\Windows\SysWOW64\Offnhpfo.exe N/A
File created C:\Windows\SysWOW64\Ppioondd.dll C:\Windows\SysWOW64\Ddgplado.exe N/A
File created C:\Windows\SysWOW64\Mjknojbk.dll C:\Windows\SysWOW64\Qoelkp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iojbpo32.exe C:\Windows\SysWOW64\Illfdc32.exe N/A
File created C:\Windows\SysWOW64\Lmaamn32.exe C:\Windows\SysWOW64\Ljceqb32.exe N/A
File created C:\Windows\SysWOW64\Ddgibkpc.exe C:\Windows\SysWOW64\Dahmfpap.exe N/A
File created C:\Windows\SysWOW64\Maggnali.exe C:\Windows\SysWOW64\Mjmoag32.exe N/A
File created C:\Windows\SysWOW64\Cleegp32.exe C:\Windows\SysWOW64\Cfkmkf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkceokii.exe C:\Windows\SysWOW64\Dheibpje.exe N/A
File opened for modification C:\Windows\SysWOW64\Fbelcblk.exe C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdagpnbk.exe C:\Windows\SysWOW64\Bacjdbch.exe N/A
File opened for modification C:\Windows\SysWOW64\Nclikl32.exe C:\Windows\SysWOW64\Manmoq32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amcehdod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mogcihaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omjpeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alkijdci.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alnfpcag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bafndi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Coohhlpe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llodgnja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkhapk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omqmop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igfclkdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljeafb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnohlgep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gimqajgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lokdnjkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljceqb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djcoai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lggldm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgehfkop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdbdcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akqfkp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aehgnied.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fechomko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnifekmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhamkipi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpdhkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nclikl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gncchb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgeakekd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmdgikhi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adcjop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apjkcadp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckfphc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnbakghm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kflide32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgnlkfal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdenmbkk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpfepf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Madjhb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bklfgo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nglhld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocohmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcndbp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gkmdecbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jqknkedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcecjmkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnbnhedj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojgjndno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klfaapbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdimqm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fideeaco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iipfmggc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlambk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iepaaico.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nccokk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijqmhnko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baadiiif.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jphkkpbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cioilg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nabfjpak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Geohklaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hidgai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlglidlo.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpclpq.dll" C:\Windows\SysWOW64\Jqknkedi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njmqnobn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aoioli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Epndknin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfokoelp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll" C:\Windows\SysWOW64\Apjkcadp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gpqjglii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emihhjna.dll" C:\Windows\SysWOW64\Onnmdcjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfohjf32.dll" C:\Windows\SysWOW64\Qaalblgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" C:\Windows\SysWOW64\Enpmld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbjmd32.dll" C:\Windows\SysWOW64\Pahilmoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nglhld32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Codhnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hloqml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lqndhcdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoffg32.dll" C:\Windows\SysWOW64\Omjpeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgbpaipl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiagakg.dll" C:\Windows\SysWOW64\Embddb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihaej32.dll" C:\Windows\SysWOW64\Mmpdhboj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglkdbfn.dll" C:\Windows\SysWOW64\Fpimlfke.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iomoenej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahmjjoig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll" C:\Windows\SysWOW64\Npiiffqe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" C:\Windows\SysWOW64\Aaenbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golneb32.dll" C:\Windows\SysWOW64\Gkkgpc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjoiil32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkgiimng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" C:\Windows\SysWOW64\Ohhnbhok.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aeaanjkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icdheded.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfdpad32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kgnbdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpbnj32.dll" C:\Windows\SysWOW64\Bcfahbpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iphioh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Igdnabjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Conanfli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gfmojenc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmhlgmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkaobnio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgifbhid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabibb32.dll" C:\Windows\SysWOW64\Ccbadp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbpchb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll" C:\Windows\SysWOW64\Mmfkhmdi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qodeajbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gdjibj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Manmoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjooo32.dll" C:\Windows\SysWOW64\Hoaojp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Illfdc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiobceef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpjcgm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcndbp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lqpamb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddnfmqng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljgf32.dll" C:\Windows\SysWOW64\Dkokcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ipeeobbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" C:\Windows\SysWOW64\Bmeandma.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lnmkfh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fnlmhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbjkgmg.dll" C:\Windows\SysWOW64\Jgmjmjnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll" C:\Windows\SysWOW64\Johnamkm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgeakekd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegiklal.dll" C:\Windows\SysWOW64\Mcecjmkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnkggfkb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Ahgjejhd.exe
PID 1116 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Ahgjejhd.exe
PID 1116 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe C:\Windows\SysWOW64\Ahgjejhd.exe
PID 2572 wrote to memory of 384 N/A C:\Windows\SysWOW64\Ahgjejhd.exe C:\Windows\SysWOW64\Acmobchj.exe
PID 2572 wrote to memory of 384 N/A C:\Windows\SysWOW64\Ahgjejhd.exe C:\Windows\SysWOW64\Acmobchj.exe
PID 2572 wrote to memory of 384 N/A C:\Windows\SysWOW64\Ahgjejhd.exe C:\Windows\SysWOW64\Acmobchj.exe
PID 384 wrote to memory of 4680 N/A C:\Windows\SysWOW64\Acmobchj.exe C:\Windows\SysWOW64\Ajggomog.exe
PID 384 wrote to memory of 4680 N/A C:\Windows\SysWOW64\Acmobchj.exe C:\Windows\SysWOW64\Ajggomog.exe
PID 384 wrote to memory of 4680 N/A C:\Windows\SysWOW64\Acmobchj.exe C:\Windows\SysWOW64\Ajggomog.exe
PID 4680 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Ajggomog.exe C:\Windows\SysWOW64\Aodogdmn.exe
PID 4680 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Ajggomog.exe C:\Windows\SysWOW64\Aodogdmn.exe
PID 4680 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Ajggomog.exe C:\Windows\SysWOW64\Aodogdmn.exe
PID 3784 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Aodogdmn.exe C:\Windows\SysWOW64\Bfngdn32.exe
PID 3784 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Aodogdmn.exe C:\Windows\SysWOW64\Bfngdn32.exe
PID 3784 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Aodogdmn.exe C:\Windows\SysWOW64\Bfngdn32.exe
PID 4712 wrote to memory of 752 N/A C:\Windows\SysWOW64\Bfngdn32.exe C:\Windows\SysWOW64\Blhpqhlh.exe
PID 4712 wrote to memory of 752 N/A C:\Windows\SysWOW64\Bfngdn32.exe C:\Windows\SysWOW64\Blhpqhlh.exe
PID 4712 wrote to memory of 752 N/A C:\Windows\SysWOW64\Bfngdn32.exe C:\Windows\SysWOW64\Blhpqhlh.exe
PID 752 wrote to memory of 4164 N/A C:\Windows\SysWOW64\Blhpqhlh.exe C:\Windows\SysWOW64\Boflmdkk.exe
PID 752 wrote to memory of 4164 N/A C:\Windows\SysWOW64\Blhpqhlh.exe C:\Windows\SysWOW64\Boflmdkk.exe
PID 752 wrote to memory of 4164 N/A C:\Windows\SysWOW64\Blhpqhlh.exe C:\Windows\SysWOW64\Boflmdkk.exe
PID 4164 wrote to memory of 4980 N/A C:\Windows\SysWOW64\Boflmdkk.exe C:\Windows\SysWOW64\Bfpdin32.exe
PID 4164 wrote to memory of 4980 N/A C:\Windows\SysWOW64\Boflmdkk.exe C:\Windows\SysWOW64\Bfpdin32.exe
PID 4164 wrote to memory of 4980 N/A C:\Windows\SysWOW64\Boflmdkk.exe C:\Windows\SysWOW64\Bfpdin32.exe
PID 4980 wrote to memory of 648 N/A C:\Windows\SysWOW64\Bfpdin32.exe C:\Windows\SysWOW64\Bljlfh32.exe
PID 4980 wrote to memory of 648 N/A C:\Windows\SysWOW64\Bfpdin32.exe C:\Windows\SysWOW64\Bljlfh32.exe
PID 4980 wrote to memory of 648 N/A C:\Windows\SysWOW64\Bfpdin32.exe C:\Windows\SysWOW64\Bljlfh32.exe
PID 648 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Bljlfh32.exe C:\Windows\SysWOW64\Bohibc32.exe
PID 648 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Bljlfh32.exe C:\Windows\SysWOW64\Bohibc32.exe
PID 648 wrote to memory of 1732 N/A C:\Windows\SysWOW64\Bljlfh32.exe C:\Windows\SysWOW64\Bohibc32.exe
PID 1732 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Bohibc32.exe C:\Windows\SysWOW64\Bcddcbab.exe
PID 1732 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Bohibc32.exe C:\Windows\SysWOW64\Bcddcbab.exe
PID 1732 wrote to memory of 2856 N/A C:\Windows\SysWOW64\Bohibc32.exe C:\Windows\SysWOW64\Bcddcbab.exe
PID 2856 wrote to memory of 3288 N/A C:\Windows\SysWOW64\Bcddcbab.exe C:\Windows\SysWOW64\Bfbaonae.exe
PID 2856 wrote to memory of 3288 N/A C:\Windows\SysWOW64\Bcddcbab.exe C:\Windows\SysWOW64\Bfbaonae.exe
PID 2856 wrote to memory of 3288 N/A C:\Windows\SysWOW64\Bcddcbab.exe C:\Windows\SysWOW64\Bfbaonae.exe
PID 3288 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Bfbaonae.exe C:\Windows\SysWOW64\Bhamkipi.exe
PID 3288 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Bfbaonae.exe C:\Windows\SysWOW64\Bhamkipi.exe
PID 3288 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Bfbaonae.exe C:\Windows\SysWOW64\Bhamkipi.exe
PID 4992 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Bhamkipi.exe C:\Windows\SysWOW64\Bkoigdom.exe
PID 4992 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Bhamkipi.exe C:\Windows\SysWOW64\Bkoigdom.exe
PID 4992 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Bhamkipi.exe C:\Windows\SysWOW64\Bkoigdom.exe
PID 2584 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Bkoigdom.exe C:\Windows\SysWOW64\Bcfahbpo.exe
PID 2584 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Bkoigdom.exe C:\Windows\SysWOW64\Bcfahbpo.exe
PID 2584 wrote to memory of 4404 N/A C:\Windows\SysWOW64\Bkoigdom.exe C:\Windows\SysWOW64\Bcfahbpo.exe
PID 4404 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Bcfahbpo.exe C:\Windows\SysWOW64\Bheffh32.exe
PID 4404 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Bcfahbpo.exe C:\Windows\SysWOW64\Bheffh32.exe
PID 4404 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Bcfahbpo.exe C:\Windows\SysWOW64\Bheffh32.exe
PID 2008 wrote to memory of 4412 N/A C:\Windows\SysWOW64\Bheffh32.exe C:\Windows\SysWOW64\Bopocbcq.exe
PID 2008 wrote to memory of 4412 N/A C:\Windows\SysWOW64\Bheffh32.exe C:\Windows\SysWOW64\Bopocbcq.exe
PID 2008 wrote to memory of 4412 N/A C:\Windows\SysWOW64\Bheffh32.exe C:\Windows\SysWOW64\Bopocbcq.exe
PID 4412 wrote to memory of 224 N/A C:\Windows\SysWOW64\Bopocbcq.exe C:\Windows\SysWOW64\Cfigpm32.exe
PID 4412 wrote to memory of 224 N/A C:\Windows\SysWOW64\Bopocbcq.exe C:\Windows\SysWOW64\Cfigpm32.exe
PID 4412 wrote to memory of 224 N/A C:\Windows\SysWOW64\Bopocbcq.exe C:\Windows\SysWOW64\Cfigpm32.exe
PID 224 wrote to memory of 4008 N/A C:\Windows\SysWOW64\Cfigpm32.exe C:\Windows\SysWOW64\Ckfphc32.exe
PID 224 wrote to memory of 4008 N/A C:\Windows\SysWOW64\Cfigpm32.exe C:\Windows\SysWOW64\Ckfphc32.exe
PID 224 wrote to memory of 4008 N/A C:\Windows\SysWOW64\Cfigpm32.exe C:\Windows\SysWOW64\Ckfphc32.exe
PID 4008 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Ckfphc32.exe C:\Windows\SysWOW64\Cmflbf32.exe
PID 4008 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Ckfphc32.exe C:\Windows\SysWOW64\Cmflbf32.exe
PID 4008 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Ckfphc32.exe C:\Windows\SysWOW64\Cmflbf32.exe
PID 1932 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Cmflbf32.exe C:\Windows\SysWOW64\Codhnb32.exe
PID 1932 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Cmflbf32.exe C:\Windows\SysWOW64\Codhnb32.exe
PID 1932 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Cmflbf32.exe C:\Windows\SysWOW64\Codhnb32.exe
PID 1948 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Codhnb32.exe C:\Windows\SysWOW64\Cfnqklgh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"

C:\Windows\SysWOW64\Ahgjejhd.exe

C:\Windows\system32\Ahgjejhd.exe

C:\Windows\SysWOW64\Acmobchj.exe

C:\Windows\system32\Acmobchj.exe

C:\Windows\SysWOW64\Ajggomog.exe

C:\Windows\system32\Ajggomog.exe

C:\Windows\SysWOW64\Aodogdmn.exe

C:\Windows\system32\Aodogdmn.exe

C:\Windows\SysWOW64\Bfngdn32.exe

C:\Windows\system32\Bfngdn32.exe

C:\Windows\SysWOW64\Blhpqhlh.exe

C:\Windows\system32\Blhpqhlh.exe

C:\Windows\SysWOW64\Boflmdkk.exe

C:\Windows\system32\Boflmdkk.exe

C:\Windows\SysWOW64\Bfpdin32.exe

C:\Windows\system32\Bfpdin32.exe

C:\Windows\SysWOW64\Bljlfh32.exe

C:\Windows\system32\Bljlfh32.exe

C:\Windows\SysWOW64\Bohibc32.exe

C:\Windows\system32\Bohibc32.exe

C:\Windows\SysWOW64\Bcddcbab.exe

C:\Windows\system32\Bcddcbab.exe

C:\Windows\SysWOW64\Bfbaonae.exe

C:\Windows\system32\Bfbaonae.exe

C:\Windows\SysWOW64\Bhamkipi.exe

C:\Windows\system32\Bhamkipi.exe

C:\Windows\SysWOW64\Bkoigdom.exe

C:\Windows\system32\Bkoigdom.exe

C:\Windows\SysWOW64\Bcfahbpo.exe

C:\Windows\system32\Bcfahbpo.exe

C:\Windows\SysWOW64\Bheffh32.exe

C:\Windows\system32\Bheffh32.exe

C:\Windows\SysWOW64\Bopocbcq.exe

C:\Windows\system32\Bopocbcq.exe

C:\Windows\SysWOW64\Cfigpm32.exe

C:\Windows\system32\Cfigpm32.exe

C:\Windows\SysWOW64\Ckfphc32.exe

C:\Windows\system32\Ckfphc32.exe

C:\Windows\SysWOW64\Cmflbf32.exe

C:\Windows\system32\Cmflbf32.exe

C:\Windows\SysWOW64\Codhnb32.exe

C:\Windows\system32\Codhnb32.exe

C:\Windows\SysWOW64\Cfnqklgh.exe

C:\Windows\system32\Cfnqklgh.exe

C:\Windows\SysWOW64\Ccbadp32.exe

C:\Windows\system32\Ccbadp32.exe

C:\Windows\SysWOW64\Cioilg32.exe

C:\Windows\system32\Cioilg32.exe

C:\Windows\SysWOW64\Cbgnemjj.exe

C:\Windows\system32\Cbgnemjj.exe

C:\Windows\SysWOW64\Ckpbnb32.exe

C:\Windows\system32\Ckpbnb32.exe

C:\Windows\SysWOW64\Dfefkkqp.exe

C:\Windows\system32\Dfefkkqp.exe

C:\Windows\SysWOW64\Dpnkdq32.exe

C:\Windows\system32\Dpnkdq32.exe

C:\Windows\SysWOW64\Djcoai32.exe

C:\Windows\system32\Djcoai32.exe

C:\Windows\SysWOW64\Dkdliame.exe

C:\Windows\system32\Dkdliame.exe

C:\Windows\SysWOW64\Dbndfl32.exe

C:\Windows\system32\Dbndfl32.exe

C:\Windows\SysWOW64\Dpbdopck.exe

C:\Windows\system32\Dpbdopck.exe

C:\Windows\SysWOW64\Djhimica.exe

C:\Windows\system32\Djhimica.exe

C:\Windows\SysWOW64\Dpdaepai.exe

C:\Windows\system32\Dpdaepai.exe

C:\Windows\SysWOW64\Dimenegi.exe

C:\Windows\system32\Dimenegi.exe

C:\Windows\SysWOW64\Dpgnjo32.exe

C:\Windows\system32\Dpgnjo32.exe

C:\Windows\SysWOW64\Eiobceef.exe

C:\Windows\system32\Eiobceef.exe

C:\Windows\SysWOW64\Efccmidp.exe

C:\Windows\system32\Efccmidp.exe

C:\Windows\SysWOW64\Ecgcfm32.exe

C:\Windows\system32\Ecgcfm32.exe

C:\Windows\SysWOW64\Ejalcgkg.exe

C:\Windows\system32\Ejalcgkg.exe

C:\Windows\SysWOW64\Epndknin.exe

C:\Windows\system32\Epndknin.exe

C:\Windows\SysWOW64\Embddb32.exe

C:\Windows\system32\Embddb32.exe

C:\Windows\SysWOW64\Eppqqn32.exe

C:\Windows\system32\Eppqqn32.exe

C:\Windows\SysWOW64\Eiieicml.exe

C:\Windows\system32\Eiieicml.exe

C:\Windows\SysWOW64\Fpbmfn32.exe

C:\Windows\system32\Fpbmfn32.exe

C:\Windows\SysWOW64\Fbajbi32.exe

C:\Windows\system32\Fbajbi32.exe

C:\Windows\SysWOW64\Flinkojm.exe

C:\Windows\system32\Flinkojm.exe

C:\Windows\SysWOW64\Fjjnifbl.exe

C:\Windows\system32\Fjjnifbl.exe

C:\Windows\SysWOW64\Fmikeaap.exe

C:\Windows\system32\Fmikeaap.exe

C:\Windows\SysWOW64\Fjmkoeqi.exe

C:\Windows\system32\Fjmkoeqi.exe

C:\Windows\SysWOW64\Fpjcgm32.exe

C:\Windows\system32\Fpjcgm32.exe

C:\Windows\SysWOW64\Ffclcgfn.exe

C:\Windows\system32\Ffclcgfn.exe

C:\Windows\SysWOW64\Fibhpbea.exe

C:\Windows\system32\Fibhpbea.exe

C:\Windows\SysWOW64\Fdglmkeg.exe

C:\Windows\system32\Fdglmkeg.exe

C:\Windows\SysWOW64\Fideeaco.exe

C:\Windows\system32\Fideeaco.exe

C:\Windows\SysWOW64\Glcaambb.exe

C:\Windows\system32\Glcaambb.exe

C:\Windows\SysWOW64\Gdjibj32.exe

C:\Windows\system32\Gdjibj32.exe

C:\Windows\SysWOW64\Gjdaodja.exe

C:\Windows\system32\Gjdaodja.exe

C:\Windows\SysWOW64\Gigaka32.exe

C:\Windows\system32\Gigaka32.exe

C:\Windows\SysWOW64\Gpqjglii.exe

C:\Windows\system32\Gpqjglii.exe

C:\Windows\SysWOW64\Gbofcghl.exe

C:\Windows\system32\Gbofcghl.exe

C:\Windows\SysWOW64\Gjfnedho.exe

C:\Windows\system32\Gjfnedho.exe

C:\Windows\SysWOW64\Gmdjapgb.exe

C:\Windows\system32\Gmdjapgb.exe

C:\Windows\SysWOW64\Gpcfmkff.exe

C:\Windows\system32\Gpcfmkff.exe

C:\Windows\SysWOW64\Gfmojenc.exe

C:\Windows\system32\Gfmojenc.exe

C:\Windows\SysWOW64\Gikkfqmf.exe

C:\Windows\system32\Gikkfqmf.exe

C:\Windows\SysWOW64\Gljgbllj.exe

C:\Windows\system32\Gljgbllj.exe

C:\Windows\SysWOW64\Gdaociml.exe

C:\Windows\system32\Gdaociml.exe

C:\Windows\SysWOW64\Gbdoof32.exe

C:\Windows\system32\Gbdoof32.exe

C:\Windows\SysWOW64\Gfokoelp.exe

C:\Windows\system32\Gfokoelp.exe

C:\Windows\SysWOW64\Gkkgpc32.exe

C:\Windows\system32\Gkkgpc32.exe

C:\Windows\SysWOW64\Gdcliikj.exe

C:\Windows\system32\Gdcliikj.exe

C:\Windows\SysWOW64\Gbfldf32.exe

C:\Windows\system32\Gbfldf32.exe

C:\Windows\SysWOW64\Gkmdecbg.exe

C:\Windows\system32\Gkmdecbg.exe

C:\Windows\SysWOW64\Gipdap32.exe

C:\Windows\system32\Gipdap32.exe

C:\Windows\SysWOW64\Hloqml32.exe

C:\Windows\system32\Hloqml32.exe

C:\Windows\SysWOW64\Hpjmnjqn.exe

C:\Windows\system32\Hpjmnjqn.exe

C:\Windows\SysWOW64\Hbhijepa.exe

C:\Windows\system32\Hbhijepa.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hkpqkcpd.exe

C:\Windows\system32\Hkpqkcpd.exe

C:\Windows\SysWOW64\Hmnmgnoh.exe

C:\Windows\system32\Hmnmgnoh.exe

C:\Windows\SysWOW64\Hlambk32.exe

C:\Windows\system32\Hlambk32.exe

C:\Windows\SysWOW64\Hdhedh32.exe

C:\Windows\system32\Hdhedh32.exe

C:\Windows\SysWOW64\Hmpjmn32.exe

C:\Windows\system32\Hmpjmn32.exe

C:\Windows\SysWOW64\Higjaoci.exe

C:\Windows\system32\Higjaoci.exe

C:\Windows\SysWOW64\Hcpojd32.exe

C:\Windows\system32\Hcpojd32.exe

C:\Windows\SysWOW64\Hkfglb32.exe

C:\Windows\system32\Hkfglb32.exe

C:\Windows\SysWOW64\Hlhccj32.exe

C:\Windows\system32\Hlhccj32.exe

C:\Windows\SysWOW64\Hcblpdgg.exe

C:\Windows\system32\Hcblpdgg.exe

C:\Windows\SysWOW64\Hkicaahi.exe

C:\Windows\system32\Hkicaahi.exe

C:\Windows\SysWOW64\Hildmn32.exe

C:\Windows\system32\Hildmn32.exe

C:\Windows\SysWOW64\Iljpij32.exe

C:\Windows\system32\Iljpij32.exe

C:\Windows\SysWOW64\Icdheded.exe

C:\Windows\system32\Icdheded.exe

C:\Windows\SysWOW64\Ikkpgafg.exe

C:\Windows\system32\Ikkpgafg.exe

C:\Windows\SysWOW64\Ilmmni32.exe

C:\Windows\system32\Ilmmni32.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Icfekc32.exe

C:\Windows\system32\Icfekc32.exe

C:\Windows\SysWOW64\Igbalblk.exe

C:\Windows\system32\Igbalblk.exe

C:\Windows\SysWOW64\Ijqmhnko.exe

C:\Windows\system32\Ijqmhnko.exe

C:\Windows\SysWOW64\Ipjedh32.exe

C:\Windows\system32\Ipjedh32.exe

C:\Windows\SysWOW64\Igdnabjh.exe

C:\Windows\system32\Igdnabjh.exe

C:\Windows\SysWOW64\Ipmbjgpi.exe

C:\Windows\system32\Ipmbjgpi.exe

C:\Windows\SysWOW64\Icknfcol.exe

C:\Windows\system32\Icknfcol.exe

C:\Windows\SysWOW64\Ikbfgppo.exe

C:\Windows\system32\Ikbfgppo.exe

C:\Windows\SysWOW64\Inqbclob.exe

C:\Windows\system32\Inqbclob.exe

C:\Windows\SysWOW64\Ipoopgnf.exe

C:\Windows\system32\Ipoopgnf.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Ikdcmpnl.exe

C:\Windows\system32\Ikdcmpnl.exe

C:\Windows\SysWOW64\Jlfpdh32.exe

C:\Windows\system32\Jlfpdh32.exe

C:\Windows\SysWOW64\Jdmgfedl.exe

C:\Windows\system32\Jdmgfedl.exe

C:\Windows\SysWOW64\Jgkdbacp.exe

C:\Windows\system32\Jgkdbacp.exe

C:\Windows\SysWOW64\Jnelok32.exe

C:\Windows\system32\Jnelok32.exe

C:\Windows\SysWOW64\Jpdhkf32.exe

C:\Windows\system32\Jpdhkf32.exe

C:\Windows\SysWOW64\Jcbdgb32.exe

C:\Windows\system32\Jcbdgb32.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jnhidk32.exe

C:\Windows\system32\Jnhidk32.exe

C:\Windows\SysWOW64\Jpfepf32.exe

C:\Windows\system32\Jpfepf32.exe

C:\Windows\SysWOW64\Jgpmmp32.exe

C:\Windows\system32\Jgpmmp32.exe

C:\Windows\SysWOW64\Jjoiil32.exe

C:\Windows\system32\Jjoiil32.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jddnfd32.exe

C:\Windows\system32\Jddnfd32.exe

C:\Windows\SysWOW64\Jgbjbp32.exe

C:\Windows\system32\Jgbjbp32.exe

C:\Windows\SysWOW64\Jjafok32.exe

C:\Windows\system32\Jjafok32.exe

C:\Windows\SysWOW64\Jqknkedi.exe

C:\Windows\system32\Jqknkedi.exe

C:\Windows\SysWOW64\Jcikgacl.exe

C:\Windows\system32\Jcikgacl.exe

C:\Windows\SysWOW64\Kkpbin32.exe

C:\Windows\system32\Kkpbin32.exe

C:\Windows\SysWOW64\Kqmkae32.exe

C:\Windows\system32\Kqmkae32.exe

C:\Windows\SysWOW64\Kclgmq32.exe

C:\Windows\system32\Kclgmq32.exe

C:\Windows\SysWOW64\Kkconn32.exe

C:\Windows\system32\Kkconn32.exe

C:\Windows\SysWOW64\Kmdlffhj.exe

C:\Windows\system32\Kmdlffhj.exe

C:\Windows\SysWOW64\Kqphfe32.exe

C:\Windows\system32\Kqphfe32.exe

C:\Windows\SysWOW64\Kcndbp32.exe

C:\Windows\system32\Kcndbp32.exe

C:\Windows\SysWOW64\Knchpiom.exe

C:\Windows\system32\Knchpiom.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kcpahpmd.exe

C:\Windows\system32\Kcpahpmd.exe

C:\Windows\SysWOW64\Kkgiimng.exe

C:\Windows\system32\Kkgiimng.exe

C:\Windows\SysWOW64\Knfeeimj.exe

C:\Windows\system32\Knfeeimj.exe

C:\Windows\SysWOW64\Kdpmbc32.exe

C:\Windows\system32\Kdpmbc32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Kjmfjj32.exe

C:\Windows\system32\Kjmfjj32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Kcejco32.exe

C:\Windows\system32\Kcejco32.exe

C:\Windows\SysWOW64\Ljobpiql.exe

C:\Windows\system32\Ljobpiql.exe

C:\Windows\SysWOW64\Lmmolepp.exe

C:\Windows\system32\Lmmolepp.exe

C:\Windows\SysWOW64\Lddgmbpb.exe

C:\Windows\system32\Lddgmbpb.exe

C:\Windows\SysWOW64\Lnmkfh32.exe

C:\Windows\system32\Lnmkfh32.exe

C:\Windows\SysWOW64\Lqkgbcff.exe

C:\Windows\system32\Lqkgbcff.exe

C:\Windows\SysWOW64\Lcjcnoej.exe

C:\Windows\system32\Lcjcnoej.exe

C:\Windows\SysWOW64\Lkalplel.exe

C:\Windows\system32\Lkalplel.exe

C:\Windows\SysWOW64\Lnohlgep.exe

C:\Windows\system32\Lnohlgep.exe

C:\Windows\SysWOW64\Lqndhcdc.exe

C:\Windows\system32\Lqndhcdc.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Lqpamb32.exe

C:\Windows\system32\Lqpamb32.exe

C:\Windows\SysWOW64\Lcnmin32.exe

C:\Windows\system32\Lcnmin32.exe

C:\Windows\SysWOW64\Lkeekk32.exe

C:\Windows\system32\Lkeekk32.exe

C:\Windows\SysWOW64\Lmgabcge.exe

C:\Windows\system32\Lmgabcge.exe

C:\Windows\SysWOW64\Lqbncb32.exe

C:\Windows\system32\Lqbncb32.exe

C:\Windows\SysWOW64\Mkhapk32.exe

C:\Windows\system32\Mkhapk32.exe

C:\Windows\SysWOW64\Mnfnlf32.exe

C:\Windows\system32\Mnfnlf32.exe

C:\Windows\SysWOW64\Madjhb32.exe

C:\Windows\system32\Madjhb32.exe

C:\Windows\SysWOW64\Mccfdmmo.exe

C:\Windows\system32\Mccfdmmo.exe

C:\Windows\SysWOW64\Mjmoag32.exe

C:\Windows\system32\Mjmoag32.exe

C:\Windows\SysWOW64\Maggnali.exe

C:\Windows\system32\Maggnali.exe

C:\Windows\SysWOW64\Mcecjmkl.exe

C:\Windows\system32\Mcecjmkl.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mnkggfkb.exe

C:\Windows\system32\Mnkggfkb.exe

C:\Windows\SysWOW64\Maiccajf.exe

C:\Windows\system32\Maiccajf.exe

C:\Windows\SysWOW64\Mchppmij.exe

C:\Windows\system32\Mchppmij.exe

C:\Windows\SysWOW64\Mjahlgpf.exe

C:\Windows\system32\Mjahlgpf.exe

C:\Windows\SysWOW64\Mmpdhboj.exe

C:\Windows\system32\Mmpdhboj.exe

C:\Windows\SysWOW64\Megljppl.exe

C:\Windows\system32\Megljppl.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Mnpabe32.exe

C:\Windows\system32\Mnpabe32.exe

C:\Windows\SysWOW64\Manmoq32.exe

C:\Windows\system32\Manmoq32.exe

C:\Windows\SysWOW64\Nclikl32.exe

C:\Windows\system32\Nclikl32.exe

C:\Windows\SysWOW64\Nlcalieg.exe

C:\Windows\system32\Nlcalieg.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Nelfeo32.exe

C:\Windows\system32\Nelfeo32.exe

C:\Windows\SysWOW64\Ngjbaj32.exe

C:\Windows\system32\Ngjbaj32.exe

C:\Windows\SysWOW64\Njinmf32.exe

C:\Windows\system32\Njinmf32.exe

C:\Windows\SysWOW64\Nabfjpak.exe

C:\Windows\system32\Nabfjpak.exe

C:\Windows\SysWOW64\Nhmofj32.exe

C:\Windows\system32\Nhmofj32.exe

C:\Windows\SysWOW64\Njkkbehl.exe

C:\Windows\system32\Njkkbehl.exe

C:\Windows\SysWOW64\Naecop32.exe

C:\Windows\system32\Naecop32.exe

C:\Windows\SysWOW64\Nccokk32.exe

C:\Windows\system32\Nccokk32.exe

C:\Windows\SysWOW64\Nlkgmh32.exe

C:\Windows\system32\Nlkgmh32.exe

C:\Windows\SysWOW64\Nnicid32.exe

C:\Windows\system32\Nnicid32.exe

C:\Windows\SysWOW64\Neclenfo.exe

C:\Windows\system32\Neclenfo.exe

C:\Windows\SysWOW64\Nhahaiec.exe

C:\Windows\system32\Nhahaiec.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Nmnqjp32.exe

C:\Windows\system32\Nmnqjp32.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Ohcegi32.exe

C:\Windows\system32\Ohcegi32.exe

C:\Windows\SysWOW64\Onnmdcjm.exe

C:\Windows\system32\Onnmdcjm.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Odjeljhd.exe

C:\Windows\system32\Odjeljhd.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Omcjep32.exe

C:\Windows\system32\Omcjep32.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oaqbkn32.exe

C:\Windows\system32\Oaqbkn32.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Olfghg32.exe

C:\Windows\system32\Olfghg32.exe

C:\Windows\SysWOW64\Oodcdb32.exe

C:\Windows\system32\Oodcdb32.exe

C:\Windows\SysWOW64\Oacoqnci.exe

C:\Windows\system32\Oacoqnci.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Okkdic32.exe

C:\Windows\system32\Okkdic32.exe

C:\Windows\SysWOW64\Omjpeo32.exe

C:\Windows\system32\Omjpeo32.exe

C:\Windows\SysWOW64\Pddhbipj.exe

C:\Windows\system32\Pddhbipj.exe

C:\Windows\SysWOW64\Phodcg32.exe

C:\Windows\system32\Phodcg32.exe

C:\Windows\SysWOW64\Poimpapp.exe

C:\Windows\system32\Poimpapp.exe

C:\Windows\SysWOW64\Pahilmoc.exe

C:\Windows\system32\Pahilmoc.exe

C:\Windows\SysWOW64\Phaahggp.exe

C:\Windows\system32\Phaahggp.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Pmoiqneg.exe

C:\Windows\system32\Pmoiqneg.exe

C:\Windows\SysWOW64\Pefabkej.exe

C:\Windows\system32\Pefabkej.exe

C:\Windows\SysWOW64\Plpjoe32.exe

C:\Windows\system32\Plpjoe32.exe

C:\Windows\SysWOW64\Pkbjjbda.exe

C:\Windows\system32\Pkbjjbda.exe

C:\Windows\SysWOW64\Palbgl32.exe

C:\Windows\system32\Palbgl32.exe

C:\Windows\SysWOW64\Pdkoch32.exe

C:\Windows\system32\Pdkoch32.exe

C:\Windows\SysWOW64\Pkegpb32.exe

C:\Windows\system32\Pkegpb32.exe

C:\Windows\SysWOW64\Pmcclm32.exe

C:\Windows\system32\Pmcclm32.exe

C:\Windows\SysWOW64\Pejkmk32.exe

C:\Windows\system32\Pejkmk32.exe

C:\Windows\SysWOW64\Phigif32.exe

C:\Windows\system32\Phigif32.exe

C:\Windows\SysWOW64\Pkgcea32.exe

C:\Windows\system32\Pkgcea32.exe

C:\Windows\SysWOW64\Qaalblgi.exe

C:\Windows\system32\Qaalblgi.exe

C:\Windows\SysWOW64\Qdphngfl.exe

C:\Windows\system32\Qdphngfl.exe

C:\Windows\SysWOW64\Qlgpod32.exe

C:\Windows\system32\Qlgpod32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qmhlgmmm.exe

C:\Windows\system32\Qmhlgmmm.exe

C:\Windows\SysWOW64\Qdbdcg32.exe

C:\Windows\system32\Qdbdcg32.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Amjillkj.exe

C:\Windows\system32\Amjillkj.exe

C:\Windows\SysWOW64\Aeaanjkl.exe

C:\Windows\system32\Aeaanjkl.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Aojefobm.exe

C:\Windows\system32\Aojefobm.exe

C:\Windows\SysWOW64\Aednci32.exe

C:\Windows\system32\Aednci32.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Alnfpcag.exe

C:\Windows\system32\Alnfpcag.exe

C:\Windows\SysWOW64\Akqfkp32.exe

C:\Windows\system32\Akqfkp32.exe

C:\Windows\SysWOW64\Anobgl32.exe

C:\Windows\system32\Anobgl32.exe

C:\Windows\SysWOW64\Aefjii32.exe

C:\Windows\system32\Aefjii32.exe

C:\Windows\SysWOW64\Aonoao32.exe

C:\Windows\system32\Aonoao32.exe

C:\Windows\SysWOW64\Aamknj32.exe

C:\Windows\system32\Aamknj32.exe

C:\Windows\SysWOW64\Aehgnied.exe

C:\Windows\system32\Aehgnied.exe

C:\Windows\SysWOW64\Ahgcjddh.exe

C:\Windows\system32\Ahgcjddh.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Anclbkbp.exe

C:\Windows\system32\Anclbkbp.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Bochmn32.exe

C:\Windows\system32\Bochmn32.exe

C:\Windows\SysWOW64\Baadiiif.exe

C:\Windows\system32\Baadiiif.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bnhenj32.exe

C:\Windows\system32\Bnhenj32.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Blielbfi.exe

C:\Windows\system32\Blielbfi.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bafndi32.exe

C:\Windows\system32\Bafndi32.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bnmoijje.exe

C:\Windows\system32\Bnmoijje.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Bakgoh32.exe

C:\Windows\system32\Bakgoh32.exe

C:\Windows\SysWOW64\Ckclhn32.exe

C:\Windows\system32\Ckclhn32.exe

C:\Windows\SysWOW64\Coohhlpe.exe

C:\Windows\system32\Coohhlpe.exe

C:\Windows\SysWOW64\Cfipef32.exe

C:\Windows\system32\Cfipef32.exe

C:\Windows\SysWOW64\Cdlqqcnl.exe

C:\Windows\system32\Cdlqqcnl.exe

C:\Windows\SysWOW64\Chglab32.exe

C:\Windows\system32\Chglab32.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Cfkmkf32.exe

C:\Windows\system32\Cfkmkf32.exe

C:\Windows\SysWOW64\Cleegp32.exe

C:\Windows\system32\Cleegp32.exe

C:\Windows\SysWOW64\Cocacl32.exe

C:\Windows\system32\Cocacl32.exe

C:\Windows\SysWOW64\Cbbnpg32.exe

C:\Windows\system32\Cbbnpg32.exe

C:\Windows\SysWOW64\Cdpjlb32.exe

C:\Windows\system32\Cdpjlb32.exe

C:\Windows\SysWOW64\Ckjbhmad.exe

C:\Windows\system32\Ckjbhmad.exe

C:\Windows\SysWOW64\Cnindhpg.exe

C:\Windows\system32\Cnindhpg.exe

C:\Windows\SysWOW64\Cbdjeg32.exe

C:\Windows\system32\Cbdjeg32.exe

C:\Windows\SysWOW64\Cdbfab32.exe

C:\Windows\system32\Cdbfab32.exe

C:\Windows\SysWOW64\Ckmonl32.exe

C:\Windows\system32\Ckmonl32.exe

C:\Windows\SysWOW64\Cbfgkffn.exe

C:\Windows\system32\Cbfgkffn.exe

C:\Windows\SysWOW64\Cdecgbfa.exe

C:\Windows\system32\Cdecgbfa.exe

C:\Windows\SysWOW64\Chqogq32.exe

C:\Windows\system32\Chqogq32.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dokgdkeh.exe

C:\Windows\system32\Dokgdkeh.exe

C:\Windows\SysWOW64\Dnmhpg32.exe

C:\Windows\system32\Dnmhpg32.exe

C:\Windows\SysWOW64\Dfdpad32.exe

C:\Windows\system32\Dfdpad32.exe

C:\Windows\SysWOW64\Ddgplado.exe

C:\Windows\system32\Ddgplado.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Dkahilkl.exe

C:\Windows\system32\Dkahilkl.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Dnpdegjp.exe

C:\Windows\system32\Dnpdegjp.exe

C:\Windows\SysWOW64\Dfglfdkb.exe

C:\Windows\system32\Dfglfdkb.exe

C:\Windows\SysWOW64\Dheibpje.exe

C:\Windows\system32\Dheibpje.exe

C:\Windows\SysWOW64\Dkceokii.exe

C:\Windows\system32\Dkceokii.exe

C:\Windows\SysWOW64\Dnbakghm.exe

C:\Windows\system32\Dnbakghm.exe

C:\Windows\SysWOW64\Dbnmke32.exe

C:\Windows\system32\Dbnmke32.exe

C:\Windows\SysWOW64\Ddligq32.exe

C:\Windows\system32\Ddligq32.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Dkfadkgf.exe

C:\Windows\system32\Dkfadkgf.exe

C:\Windows\SysWOW64\Dbpjaeoc.exe

C:\Windows\system32\Dbpjaeoc.exe

C:\Windows\SysWOW64\Ddnfmqng.exe

C:\Windows\system32\Ddnfmqng.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Deqcbpld.exe

C:\Windows\system32\Deqcbpld.exe

C:\Windows\SysWOW64\Enigke32.exe

C:\Windows\system32\Enigke32.exe

C:\Windows\SysWOW64\Efpomccg.exe

C:\Windows\system32\Efpomccg.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\system32\Eeelnp32.exe

C:\Windows\SysWOW64\Ekodjiol.exe

C:\Windows\system32\Ekodjiol.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Emoadlfo.exe

C:\Windows\system32\Emoadlfo.exe

C:\Windows\SysWOW64\Enpmld32.exe

C:\Windows\system32\Enpmld32.exe

C:\Windows\SysWOW64\Efgemb32.exe

C:\Windows\system32\Efgemb32.exe

C:\Windows\SysWOW64\Eppjfgcp.exe

C:\Windows\system32\Eppjfgcp.exe

C:\Windows\SysWOW64\Efjbcakl.exe

C:\Windows\system32\Efjbcakl.exe

C:\Windows\SysWOW64\Flfkkhid.exe

C:\Windows\system32\Flfkkhid.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fflohaij.exe

C:\Windows\system32\Fflohaij.exe

C:\Windows\SysWOW64\Fligqhga.exe

C:\Windows\system32\Fligqhga.exe

C:\Windows\SysWOW64\Fngcmcfe.exe

C:\Windows\system32\Fngcmcfe.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\system32\Fealin32.exe

C:\Windows\SysWOW64\Fmhdkknd.exe

C:\Windows\system32\Fmhdkknd.exe

C:\Windows\SysWOW64\Flkdfh32.exe

C:\Windows\system32\Flkdfh32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fbelcblk.exe

C:\Windows\system32\Fbelcblk.exe

C:\Windows\SysWOW64\Fechomko.exe

C:\Windows\system32\Fechomko.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fpimlfke.exe

C:\Windows\system32\Fpimlfke.exe

C:\Windows\SysWOW64\Fnlmhc32.exe

C:\Windows\system32\Fnlmhc32.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Gblbca32.exe

C:\Windows\system32\Gblbca32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gncchb32.exe

C:\Windows\system32\Gncchb32.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Glgcbf32.exe

C:\Windows\system32\Glgcbf32.exe

C:\Windows\SysWOW64\Gnepna32.exe

C:\Windows\system32\Gnepna32.exe

C:\Windows\SysWOW64\Geohklaa.exe

C:\Windows\system32\Geohklaa.exe

C:\Windows\SysWOW64\Gmfplibd.exe

C:\Windows\system32\Gmfplibd.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Glkmmefl.exe

C:\Windows\system32\Glkmmefl.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Gbeejp32.exe

C:\Windows\system32\Gbeejp32.exe

C:\Windows\SysWOW64\Hipmfjee.exe

C:\Windows\system32\Hipmfjee.exe

C:\Windows\SysWOW64\Hlnjbedi.exe

C:\Windows\system32\Hlnjbedi.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hefnkkkj.exe

C:\Windows\system32\Hefnkkkj.exe

C:\Windows\SysWOW64\Hlpfhe32.exe

C:\Windows\system32\Hlpfhe32.exe

C:\Windows\SysWOW64\Hoobdp32.exe

C:\Windows\system32\Hoobdp32.exe

C:\Windows\SysWOW64\Hffken32.exe

C:\Windows\system32\Hffken32.exe

C:\Windows\SysWOW64\Hidgai32.exe

C:\Windows\system32\Hidgai32.exe

C:\Windows\SysWOW64\Hlbcnd32.exe

C:\Windows\system32\Hlbcnd32.exe

C:\Windows\SysWOW64\Hoaojp32.exe

C:\Windows\system32\Hoaojp32.exe

C:\Windows\SysWOW64\Hfhgkmpj.exe

C:\Windows\system32\Hfhgkmpj.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hlepcdoa.exe

C:\Windows\system32\Hlepcdoa.exe

C:\Windows\SysWOW64\Hbohpn32.exe

C:\Windows\system32\Hbohpn32.exe

C:\Windows\SysWOW64\Hfjdqmng.exe

C:\Windows\system32\Hfjdqmng.exe

C:\Windows\SysWOW64\Hmdlmg32.exe

C:\Windows\system32\Hmdlmg32.exe

C:\Windows\SysWOW64\Hlglidlo.exe

C:\Windows\system32\Hlglidlo.exe

C:\Windows\SysWOW64\Hoeieolb.exe

C:\Windows\system32\Hoeieolb.exe

C:\Windows\SysWOW64\Iepaaico.exe

C:\Windows\system32\Iepaaico.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Ipeeobbe.exe

C:\Windows\system32\Ipeeobbe.exe

C:\Windows\SysWOW64\Ibcaknbi.exe

C:\Windows\system32\Ibcaknbi.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Iojbpo32.exe

C:\Windows\system32\Iojbpo32.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Iipfmggc.exe

C:\Windows\system32\Iipfmggc.exe

C:\Windows\SysWOW64\Ilnbicff.exe

C:\Windows\system32\Ilnbicff.exe

C:\Windows\SysWOW64\Iomoenej.exe

C:\Windows\system32\Iomoenej.exe

C:\Windows\SysWOW64\Igdgglfl.exe

C:\Windows\system32\Igdgglfl.exe

C:\Windows\SysWOW64\Iibccgep.exe

C:\Windows\system32\Iibccgep.exe

C:\Windows\SysWOW64\Ilqoobdd.exe

C:\Windows\system32\Ilqoobdd.exe

C:\Windows\SysWOW64\Ioolkncg.exe

C:\Windows\system32\Ioolkncg.exe

C:\Windows\SysWOW64\Igfclkdj.exe

C:\Windows\system32\Igfclkdj.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\system32\Ilcldb32.exe

C:\Windows\SysWOW64\Joahqn32.exe

C:\Windows\system32\Joahqn32.exe

C:\Windows\SysWOW64\Jghpbk32.exe

C:\Windows\system32\Jghpbk32.exe

C:\Windows\SysWOW64\Jiglnf32.exe

C:\Windows\system32\Jiglnf32.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jcoaglhk.exe

C:\Windows\system32\Jcoaglhk.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jiiicf32.exe

C:\Windows\system32\Jiiicf32.exe

C:\Windows\SysWOW64\Jlgepanl.exe

C:\Windows\system32\Jlgepanl.exe

C:\Windows\SysWOW64\Jofalmmp.exe

C:\Windows\system32\Jofalmmp.exe

C:\Windows\SysWOW64\Jgmjmjnb.exe

C:\Windows\system32\Jgmjmjnb.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jniood32.exe

C:\Windows\system32\Jniood32.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Jedccfqg.exe

C:\Windows\system32\Jedccfqg.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Jlolpq32.exe

C:\Windows\system32\Jlolpq32.exe

C:\Windows\SysWOW64\Kcidmkpq.exe

C:\Windows\system32\Kcidmkpq.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Knnhjcog.exe

C:\Windows\system32\Knnhjcog.exe

C:\Windows\SysWOW64\Koodbl32.exe

C:\Windows\system32\Koodbl32.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Knqepc32.exe

C:\Windows\system32\Knqepc32.exe

C:\Windows\SysWOW64\Kpoalo32.exe

C:\Windows\system32\Kpoalo32.exe

C:\Windows\SysWOW64\Kcmmhj32.exe

C:\Windows\system32\Kcmmhj32.exe

C:\Windows\SysWOW64\Kflide32.exe

C:\Windows\system32\Kflide32.exe

C:\Windows\SysWOW64\Kncaec32.exe

C:\Windows\system32\Kncaec32.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kodnmkap.exe

C:\Windows\system32\Kodnmkap.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Kfnfjehl.exe

C:\Windows\system32\Kfnfjehl.exe

C:\Windows\SysWOW64\Klhnfo32.exe

C:\Windows\system32\Klhnfo32.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Kgnbdh32.exe

C:\Windows\system32\Kgnbdh32.exe

C:\Windows\SysWOW64\Kjlopc32.exe

C:\Windows\system32\Kjlopc32.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lcdciiec.exe

C:\Windows\system32\Lcdciiec.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Lnjgfb32.exe

C:\Windows\system32\Lnjgfb32.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\system32\Llodgnja.exe

C:\Windows\SysWOW64\Lomqcjie.exe

C:\Windows\system32\Lomqcjie.exe

C:\Windows\SysWOW64\Lgdidgjg.exe

C:\Windows\system32\Lgdidgjg.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lmaamn32.exe

C:\Windows\system32\Lmaamn32.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lckiihok.exe

C:\Windows\system32\Lckiihok.exe

C:\Windows\SysWOW64\Ljeafb32.exe

C:\Windows\system32\Ljeafb32.exe

C:\Windows\SysWOW64\Lmdnbn32.exe

C:\Windows\system32\Lmdnbn32.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Lgibpf32.exe

C:\Windows\system32\Lgibpf32.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mgloefco.exe

C:\Windows\system32\Mgloefco.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mmhgmmbf.exe

C:\Windows\system32\Mmhgmmbf.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mgnlkfal.exe

C:\Windows\system32\Mgnlkfal.exe

C:\Windows\SysWOW64\Mfqlfb32.exe

C:\Windows\system32\Mfqlfb32.exe

C:\Windows\SysWOW64\Mnhdgpii.exe

C:\Windows\system32\Mnhdgpii.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mnjqmpgg.exe

C:\Windows\system32\Mnjqmpgg.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mgbefe32.exe

C:\Windows\system32\Mgbefe32.exe

C:\Windows\SysWOW64\Mjaabq32.exe

C:\Windows\system32\Mjaabq32.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Monjjgkb.exe

C:\Windows\system32\Monjjgkb.exe

C:\Windows\SysWOW64\Mgeakekd.exe

C:\Windows\system32\Mgeakekd.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nmbjcljl.exe

C:\Windows\system32\Nmbjcljl.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Nmdgikhi.exe

C:\Windows\system32\Nmdgikhi.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nmfcok32.exe

C:\Windows\system32\Nmfcok32.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Njjdho32.exe

C:\Windows\system32\Njjdho32.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Ngndaccj.exe

C:\Windows\system32\Ngndaccj.exe

C:\Windows\SysWOW64\Njmqnobn.exe

C:\Windows\system32\Njmqnobn.exe

C:\Windows\SysWOW64\Nmkmjjaa.exe

C:\Windows\system32\Nmkmjjaa.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Ojomcopk.exe

C:\Windows\system32\Ojomcopk.exe

C:\Windows\SysWOW64\Omnjojpo.exe

C:\Windows\system32\Omnjojpo.exe

C:\Windows\SysWOW64\Ocgbld32.exe

C:\Windows\system32\Ocgbld32.exe

C:\Windows\SysWOW64\Offnhpfo.exe

C:\Windows\system32\Offnhpfo.exe

C:\Windows\SysWOW64\Onmfimga.exe

C:\Windows\system32\Onmfimga.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Ofhknodl.exe

C:\Windows\system32\Ofhknodl.exe

C:\Windows\SysWOW64\Onocomdo.exe

C:\Windows\system32\Onocomdo.exe

C:\Windows\SysWOW64\Oanokhdb.exe

C:\Windows\system32\Oanokhdb.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Ofkgcobj.exe

C:\Windows\system32\Ofkgcobj.exe

C:\Windows\SysWOW64\Onapdl32.exe

C:\Windows\system32\Onapdl32.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Ojhpimhp.exe

C:\Windows\system32\Ojhpimhp.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Opeiadfg.exe

C:\Windows\system32\Opeiadfg.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pnfiplog.exe

C:\Windows\system32\Pnfiplog.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Pccahbmn.exe

C:\Windows\system32\Pccahbmn.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Pdenmbkk.exe

C:\Windows\system32\Pdenmbkk.exe

C:\Windows\SysWOW64\Pfdjinjo.exe

C:\Windows\system32\Pfdjinjo.exe

C:\Windows\SysWOW64\Pjpfjl32.exe

C:\Windows\system32\Pjpfjl32.exe

C:\Windows\SysWOW64\Paiogf32.exe

C:\Windows\system32\Paiogf32.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Pffgom32.exe

C:\Windows\system32\Pffgom32.exe

C:\Windows\SysWOW64\Pnmopk32.exe

C:\Windows\system32\Pnmopk32.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qjfmkk32.exe

C:\Windows\system32\Qjfmkk32.exe

C:\Windows\SysWOW64\Qaqegecm.exe

C:\Windows\system32\Qaqegecm.exe

C:\Windows\SysWOW64\Qdoacabq.exe

C:\Windows\system32\Qdoacabq.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qodeajbg.exe

C:\Windows\system32\Qodeajbg.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aaenbd32.exe

C:\Windows\system32\Aaenbd32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Apjkcadp.exe

C:\Windows\system32\Apjkcadp.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Aokkahlo.exe

C:\Windows\system32\Aokkahlo.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Aonhghjl.exe

C:\Windows\system32\Aonhghjl.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Apaadpng.exe

C:\Windows\system32\Apaadpng.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bpdnjple.exe

C:\Windows\system32\Bpdnjple.exe

C:\Windows\SysWOW64\Bhkfkmmg.exe

C:\Windows\system32\Bhkfkmmg.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bahdob32.exe

C:\Windows\system32\Bahdob32.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Cdimqm32.exe

C:\Windows\system32\Cdimqm32.exe

C:\Windows\SysWOW64\Conanfli.exe

C:\Windows\system32\Conanfli.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Coqncejg.exe

C:\Windows\system32\Coqncejg.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Cglbhhga.exe

C:\Windows\system32\Cglbhhga.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cnhgjaml.exe

C:\Windows\system32\Cnhgjaml.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Dgcihgaj.exe

C:\Windows\system32\Dgcihgaj.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Ddgibkpc.exe

C:\Windows\system32\Ddgibkpc.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 12692 -ip 12692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12692 -s 224

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1116-0-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1116-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Ahgjejhd.exe

MD5 21101ad06dee09051d93f93562ffd40a
SHA1 b0af3f8b7b78c8693cad55b8dba8485ae5e5a97b
SHA256 e3952863994af6bad240f163607fd9c8a00f04f7d34715b1c9fff0971b5d6800
SHA512 2e0b816d9edf5f1e7759e2a75bc3625bc4376e3beabb7bca4c2b77e3efe51a739506a49c2871719ed3d3a76511f74f947c9f054fe0b74e8298fb37b105e138a5

memory/2572-8-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Acmobchj.exe

MD5 711eca21330d3f8b5c77e9964416ad82
SHA1 7c5ee49c96454818cb419a7bc6d2f38fdbff9f2b
SHA256 9e148efff439095b4fc9e95c54fb00fdd98b73e49f9fe5d05b1e35bf5265c68e
SHA512 1c11528432f18bb16f5c1d8328b4771516817b3623888e097f6c56b99f6332668e505b7d8de89c4c5a62ae26cac5c6ea499470c066c98cf9963edce988cb12e6

memory/384-16-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Ajggomog.exe

MD5 f2fc72df16a398999b3a4fc065793357
SHA1 aa62438c1ac898737933f0abd8621fa5bc44b791
SHA256 5eaacc5600a91d837351c9aca797859d4a3084d67010be130dfae047ac38572c
SHA512 8dc4e8eaa4dfa7246471883aec14fef9f3c7ea65c9a979f7a92af472a78a21051aa365ecd618ca938417120099d4f4284d8c292df87d4a65866a4908916048d7

memory/4680-24-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Aodogdmn.exe

MD5 0f274e2ff4c300f8003c833183a48e34
SHA1 71295ef8e9a8509c787439477c00ddf439e74077
SHA256 8f2fa77883b7718f6f3fe5674f10c6c73e0c5563f46c64fbf482be616bb8e9fc
SHA512 875962939de6dc91142bb1cb1960adfa0d5259f851f0c6c31870a66656b0427866519f1fca72b3a63e5a3d50a8d983e8450c07a7ef94d9c780fe74eb704f5eb8

memory/3784-33-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bfngdn32.exe

MD5 f6250289fcf7ca8655540ea405374a26
SHA1 055c7be3fed2e3c2baa37aa00ae79831d910d6d4
SHA256 50e2f53e885503bebcc7eeec1477f72bf48ba437865b8ea3f0d08b8ed0a2791d
SHA512 85fe07cd0a3388bff94d5470e51bee70f25cae58cb66e176577e9df49e3e566f808ad774fa6171c90f28a1163d4f117253ca49e2e00941487587db8c684d6fc2

memory/4712-40-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Blhpqhlh.exe

MD5 413d147fbdb37baab5e31f4939b18c00
SHA1 465d903555a466ec702756e91a60e310e0749672
SHA256 699db1aa293e8d664c26c7df122b35d2444cc8c4b8cbdb888ea9ba3b0b0a7c01
SHA512 b9178801cc8b725101f52e5708693fcc48abe991f7da8713caa4fa5e79d9e3719ed816cd6b0bc3b6adb99fc1f404e32404e1d5f388930b538df2b699aedeab7b

memory/752-48-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Boflmdkk.exe

MD5 d2dd4cec624e16b8ea4d453bf647c514
SHA1 3b326f6912fdd89d63095d1313c8f5d97036b5d7
SHA256 c1a681eb768fa607f1f5605e0770d64382446ecc1ef4e0b980b9f81a18728f13
SHA512 5e7b7bbddf9e1fb2d0023d5d66e82f29f430ccc1c56e677fc3114a9cb19dec4882614adea1aa0fabd394dc41d56838417322dc9221d25625e0bad8687f5688d9

memory/4164-57-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bfpdin32.exe

MD5 cac99ee1975dbd9d9bc341a3281ceb04
SHA1 94f318bca156b199d1a8fb595bec7a7ff8b7df63
SHA256 76f5b06c138714433600a53d711fec8222d13e99853b7e8a90752cf54539980a
SHA512 650ce832088ad3cf742d72903f69653970d4c99d2707dc8d55a2c2c907ffe8d72759ef77e2faccc234176e98b9a53a74b1af656d84e61a34077bf9878de859d5

memory/4980-65-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1116-73-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bljlfh32.exe

MD5 1be6e8617af7e4e4ed728e48c86400a4
SHA1 96044b9d704b4d5fc7681e26bcf9c5b2c16878cf
SHA256 0618597a394ed8eecdded1c03dbf3cb1c0a87e094189e7ea8014bb546ac36c34
SHA512 4b07f82627d1878ceddc599d369e02c667525b32c95cadb2e05c1c860c84f39a19268419dc1b7eec7c68fe5fe97e5e2a50c8a8ddea7aaba0cf4fc8cd97f94ca1

memory/648-74-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bohibc32.exe

MD5 f7599a1bdd8ed9fa1f0c856d6fcc5034
SHA1 f90e9f8f9c5678bf6bb532881fa55e9bd0ec912b
SHA256 50e1eab18c4df2ebca1512bb5995b86b44f67f59b7cdb9816524941cc7bb81b5
SHA512 e53541081cb03df9ddeea797a68dece2ee10b91914362bdc3d409304e15617d6d03db49b1d482ca4b46f0d022d7f1fd900564eef7d41fd76aa902c8af727c680

C:\Windows\SysWOW64\Bcddcbab.exe

MD5 cfc4e9093e7fcab712d2af6d4969ca10
SHA1 360b23fa94e8e153553453d9f7f3d17a03d1e3ab
SHA256 34f1724c8a458cdd9a0da0bf833fb8cb72c2acc726b88cd4dbf4cc093850841f
SHA512 4c85210f65151bada3fd59e41b5d7c3ec3eb39795a9b053408e425e7e0995d0b22e9e0f23fd303069426f0d748bddf9721513a467b9bc91302143d1beec51034

memory/2856-91-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2572-90-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3288-100-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bhamkipi.exe

MD5 66582de24f9b8ea5018544e731ec1aa2
SHA1 9878b9dcee31cc207ecceb732340b5a430e4594f
SHA256 86e83991ed320d6973e85a5585c3c3d08e6aeb7d17589cc7f64394bc59967bb1
SHA512 53bc33a357ae229d05dec2b62a5276e2e7b85fe2da2c5b2e8a57d665ca6a617191b69f92989f0c2418655067ad462170dbacf25bd78d3b0e6e01c7a6c3dd030e

memory/4992-113-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3784-121-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bcfahbpo.exe

MD5 6fd7fe0bdad2b585ce74255fdfa4c688
SHA1 7f12ba196a2a7d831deb3a43cc3c61705a396f74
SHA256 07838207bcb0d3ef887898125fbc949526f75211abe54b755f8524a7995016c8
SHA512 27f4fc896a623e4d20d5c0546f0a786090d9d5c925dc90f24d716790a031a485c2cd8e0583682c055eb1792057335e89953283287b385eec860d986b6cd88a7b

memory/4404-127-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4712-126-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2584-122-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bkoigdom.exe

MD5 63f3714c896304dba574aa9be429f094
SHA1 54a68f0d0d128d3ae3c1e26d71b403f4bc767026
SHA256 0f8f9db8c8297ee2f56c31e061c6d3c74d12df4346ba79a1c3b18d3a1b071c7b
SHA512 20b2e39bc91aaea69141bb1422d0c1ab72536fc7c74fd07f49ff8567c6b28297fbbfb90adbb5d03ccdf6bfe269841dd30c234db719cbc5b9821e555bbb5efc4e

memory/4680-112-0x0000000000400000-0x0000000000444000-memory.dmp

memory/384-99-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bfbaonae.exe

MD5 eb3e5b7236470ae591e3b79f45bfc6e3
SHA1 8fd3e424665d38e4a077c2a6d733cf6600dc58fd
SHA256 2c54827dc43cb8f003fcfc482358f760f07b1d0def1ed3ba5cfdecb979fe3898
SHA512 1b932c20b4cf5f9650891c78e367d73cdd4682390f00629212d1733bc9e7ad206c28cd2c43904090f2833c9874def205439eb83dba8dd6120385d0a0d486a6a5

memory/1732-86-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bheffh32.exe

MD5 d17c8e3f32b1c5d68d0baa3ff73afdad
SHA1 5751e3f8f155b5f1206580844dbd198547d26d0b
SHA256 f53542a29bf1556b9e9491ef906485a3bcb8228b0229c49836a3f238ec519114
SHA512 de9bef36443d726c767c86655a4360027c59c22f9932efc1c6a5ac58052c27973694b082d0150d4e38a1781a1c14543a5518f7efb9773d5cbf24969e8264aaed

memory/2008-135-0x0000000000400000-0x0000000000444000-memory.dmp

memory/752-134-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Bopocbcq.exe

MD5 e541d58d7c8930904e9f14d57daccb00
SHA1 67497f641834f0a53d433ebbdabdf283c3e86bf2
SHA256 8ea1a358a4ae77128205524634bc776d4cc73b81505b40505941beb16795714b
SHA512 01ed4e50e682908a581ab77123add1c84bcaf5a59e6ef3282320b6773be8a2b5d0dea42bc8099f91e94287e496fecb4fb1d19aa16862af909d6d1d3e0aa1f1e8

memory/4412-144-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4164-143-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Cfigpm32.exe

MD5 5a4ce50eecf6e82d8aef59d1d8d0d975
SHA1 8649310db42ff3341609c2950869a5550a8443e3
SHA256 94707ec465fbbb7cb7e2326163fc171b30ee548f9500084833ad6eb9313c33e6
SHA512 0ab43d4029352c87d38e763666b9dd487e86236ad077110bfe6adc2691be5485ed69a4c83fe4b6da3905a77e185b1a93a021cbd08e657e4bfc6ea3b389e538ca

memory/224-153-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4980-152-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Ckfphc32.exe

MD5 13f37183a2948d1491f44ebdeb7f194f
SHA1 9c178a19146a422f2461e34e798e79685b77e4be
SHA256 7d19f878b6447887a8cc0275469f11869c939f1492375f5664385c017965eae0
SHA512 0c23a0aea0d4a0fef94d8994c94bb0d4cd0f31b512461102db602b08268a5078bf10be2294dce841648113c38b55e728310193decc1b78ed65c8dc4ed09d6925

memory/4008-162-0x0000000000400000-0x0000000000444000-memory.dmp

memory/648-161-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Cmflbf32.exe

MD5 24f144717e2b6262ebca09f36fda561f
SHA1 98acf47ae648e9deaf8bb60ea0ed762a030ddabf
SHA256 9fbbea7787265f62ec4b62759bf5bb88bef2ff134749017701a659eab066ad9b
SHA512 66646b1f7a5a312be104cb5ef54f7d9431a2fa81a231afcfad1f3ba65ca5eddb389dadd9deac4bc964c3ff71bc1a4b43b54f4cbbea1a218a68e5c7c459077523

memory/1932-175-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Codhnb32.exe

MD5 8467ac4738a52e30952d2ca8d2dc7b65
SHA1 d810ca85429dd6e1ebdd1b882a1717b677e2fce4
SHA256 3c81004f3295b3439f2218f96eadab69c42ab7159d93556d6a053849abc56da6
SHA512 c414a0591c5f10a741ad329785d4cf5e2c9299d5dd3dbce48bfb970606f318b7cdc4edc61d0834805d2dc97fa78c5c8c63da5d6d142d3faaea1b895ebc78c9ab

memory/1948-179-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2856-178-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Cfnqklgh.exe

MD5 2949be032fb5457515de0b8e38dd23c0
SHA1 c83e3626ee6f317ea6d60633f5f8d5043800ea2a
SHA256 847407e2762c0bb33f03ecda79cc7ee7141da3e733f06f88170c1796d20635f2
SHA512 16deec624f4e7b806c46b32621fa137ff485a3083bb935b08b2564f34019f8fb341752f8a2636547c2f992187227c2e831bf19769a0b1d04462f6f6176d47726

memory/4580-188-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3288-187-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Ccbadp32.exe

MD5 3ebcc904ca910194a7fcacbd0c6084e1
SHA1 fcea61e86a80ad2e7a6e1c864bb81909ab29ef5e
SHA256 9e343267392a63d73125f5fd27c1004ca9120b70116c6d37fe404a000dff0098
SHA512 5fb8da0a7df05e8bbf0242b037afec6f91b7e95a3c515c46a17c078bc8a7ff829533f22b9d7e40ed8e16eb5fd83d563fd856f7531bea5170bba9cbf50420f6ce

memory/5100-196-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Cioilg32.exe

MD5 d7ad1275b7098e676079fcd7ed01fc80
SHA1 3818c3e3cbe0a941478484103510a985c31544b6
SHA256 db1ce7ade9c7d0e53d2beb79fcb3a977abef7de9c31d0957e0b398b8d722aea0
SHA512 310e99a4c69b1815f69f3b9209484abcaf45106a66da4ab65cbe9f0bbad8b64f3e27275773d68f4479a60c6e14e534c52d12b968b4fe198ab1fd3ac3bc4c8d0f

memory/3344-204-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4404-212-0x0000000000400000-0x0000000000444000-memory.dmp

memory/5084-213-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Cbgnemjj.exe

MD5 32177b9a4956bc91a1ae5b87d759a641
SHA1 490005d5575629d588e3150814c34bac120563f3
SHA256 3362435765644a75141c16c479081a37b6810ea18061fa1183d17613f3675d91
SHA512 c96e16aca66f58148f769c0a24f13cd9694beaa7cf068a7cc86edcda1b2e35f655674a766acbf04e639088b9e9e523aad72d35b894da5738ea8a9f235af82067

C:\Windows\SysWOW64\Ckpbnb32.exe

MD5 3042d708568edd1f7ce94e3b635194ca
SHA1 e45e199a08f84ed541788da0a6a18b7bb6d3d1f6
SHA256 934894f51a1a9d211265d0d85f139d6733d8580924a7b58b2ec9d74811cbc655
SHA512 f49d114e59d9773679cc309b384ed892ce75b1ac3d4b42553cb5be9030c23d6ac455fd593e7870562cfa091dcbad9d8c2e6173478190b7918475e267a7724634

memory/3256-223-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2008-221-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1696-231-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4412-230-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Dfefkkqp.exe

MD5 5685cc6748a970327ca65cc4634462db
SHA1 4617303fbc4a0c5ab87867fb39c9140d4bdcb56b
SHA256 b7ef4cbef2db49adb3992c0d48801083ea5219a4e394f4e1e81f6c4a100c95d2
SHA512 d3f0331eb004b71937ca78e2d24bbfa0a2c5ec43fc021fccbbcfd0ce2a7fcaccce882e80200d27464501f6ce93d68c534f36a5bc3556f191f1a4946a3f47ab43

C:\Windows\SysWOW64\Dpnkdq32.exe

MD5 ff7e61d000ce7d36e31a5fb0b77be645
SHA1 09b8820acf0b35213ace42db7f2736a1ce9876cf
SHA256 e2f9a88972d8bd75fd6fc4c970400928ac97e12f5c5f3aa4d54fcb36eb5f57f7
SHA512 1c4446dfc96f7e48c3d17d62f76a43dfe6bafccebcf3b19e2f47ffb112832380a07cf83851653d884d14392d08c8bdbf943fddbdc0462da92cd158dac8e2f8bc

memory/3724-240-0x0000000000400000-0x0000000000444000-memory.dmp

memory/224-239-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Djcoai32.exe

MD5 c4c3416f0d6d73f5ed1a7edb2c02b9ec
SHA1 f3e682f3afe216b74ae83157c8eb3e4ba88f82ee
SHA256 1c6c4bb283d3add4f3072cb71dd6370b6086bbcb191b26e66e3a73f1461e9811
SHA512 517b9ba23922082f90ae499c2201e28ffe8ec7d7b99b9a4aec8cb35cfc4f66f30cc15cb98073a9db9c9d061f55f6b4754beaf92d6c4a8807951c355dd789bbac

memory/4008-248-0x0000000000400000-0x0000000000444000-memory.dmp

memory/580-250-0x0000000000400000-0x0000000000444000-memory.dmp

memory/468-258-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Dkdliame.exe

MD5 dba0630127f094f8634381f2266a31b0
SHA1 36ad76b63c75d4cc76be990d7ee3fec4375cb518
SHA256 352a4551ca2b33b90efa7a03a03af015dd61cff86ab915e64ea0fe6b0f14e127
SHA512 476662af24a804b3c9ab4399baf5891f48777a0ab1bb74aaac6df258cd13c47bff08ee6a19afb3dfc76be2d1b6517225394f3adf61b4b1f88c01e52cd0ef123e

C:\Windows\SysWOW64\Dbndfl32.exe

MD5 578b4cd9561185c1c6787eea7dc42d95
SHA1 05d20b3c0b253add6a2d43e7b7f8f1e3c421a395
SHA256 f44e064f8575a5aa30e31f8863b4e428e5a13fc951efe20d5d69bce422d08abc
SHA512 5ccdcce4443d4312280f94ddd8694e967e70270533a6ac369e230111e04028d7ea3b75243c221a25457a558ab327de613b2b8e4723fd2b268acd61c26970389a

memory/2080-266-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1948-265-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4416-275-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4580-274-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Dpbdopck.exe

MD5 57441aecd6edb7c86b7a0c99ee973e15
SHA1 bf507b9be49763e4067003143e9add20894df793
SHA256 afe56886e5d43919a89ce5d3bbfeb4f5b0b734f972db4e5d7c722fe13bc71e51
SHA512 6b64daffdb667c71838544fa64c6eb1505d776f69558c7909017f77defb8f7f87f46d06ad6610f57e0461d30daf0e837e7ff243bbf0f9781a85358055af2d639

memory/5100-282-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2568-283-0x0000000000400000-0x0000000000444000-memory.dmp

memory/684-290-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3344-289-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4396-297-0x0000000000400000-0x0000000000444000-memory.dmp

memory/5084-296-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2200-304-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3256-303-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3276-311-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1696-310-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4364-318-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3724-317-0x0000000000400000-0x0000000000444000-memory.dmp

memory/580-324-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4720-325-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2972-332-0x0000000000400000-0x0000000000444000-memory.dmp

memory/468-331-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4220-339-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2080-338-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4416-345-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Embddb32.exe

MD5 b390fe2b3564d9a9f38af04ca09edf40
SHA1 cd2abfc9671cf483244ecbb2f6eb097e8c617f63
SHA256 1d557e61cc81ce1510748ceea687bf962793c0b6484283d64e4bc3ae728d2c6d
SHA512 a34c68549c9085a418cccadceb2c202c7c61bfcbadcab8cc431baab5adb2ff08850559bfc5aa6ecd768396cfc4a82957aae9b6bc43e8131dad058fcd32ee9282

memory/1360-346-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2224-353-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2568-352-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Eiieicml.exe

MD5 a05b01a20bc21a1ec4742052db26f594
SHA1 65f5144ef2bf6c792ca7e1fd873c600623fb54d9
SHA256 c5fb9f6ebf2b94459de9b402b6df0b2940032839f9cca2a16efa84b356a45d7d
SHA512 6c08a052365ded06167ea459917784081ca860375337cebfc00d7dcad9d8048fe285fb5ac513b077c712e46271502aa572aa87784bf94f3ab16bd2108e98999f

memory/1496-360-0x0000000000400000-0x0000000000444000-memory.dmp

memory/684-359-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4396-366-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2020-367-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Fbajbi32.exe

MD5 a5c0e4bbdfc3b0a105e2f39a7687733f
SHA1 f640db3632f0aed17e99a19f239898ed6eb600a5
SHA256 d536d831cd8e7cf96060680f32351c990642ed8825f95a70563c89682b7ad530
SHA512 6f5c52edcc22113cd2139b1678dc54af11e96210f89f075a6ce40142091458532e85d7c2581de917280312a19a402bd2b1f0aa50075d672a3fdae68e4b2714dd

memory/1892-374-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2200-373-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4200-381-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3276-380-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4364-387-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3248-388-0x0000000000400000-0x0000000000444000-memory.dmp

memory/868-395-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4720-394-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Fjmkoeqi.exe

MD5 e97fff75ae632faf63399dea7ea77f83
SHA1 d1c5b26e5f8a498f59c141cb67d4eff4e77977b7
SHA256 eb38143422e00ae23aba1ae692090fc72dde4dc320c09411cd905d8d6f858671
SHA512 f76ebd4d1e9c7dd477c1dfde802c188e145002cdd2790122ba91f88e313dcdb12a1fbfd57987f0944b66465cd114ed214b7bf951ad30261ea3012787aa3eb5af

memory/5088-402-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2972-401-0x0000000000400000-0x0000000000444000-memory.dmp

memory/5040-409-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4220-408-0x0000000000400000-0x0000000000444000-memory.dmp

memory/100-416-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1360-415-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2224-422-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1480-423-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Fdglmkeg.exe

MD5 5c40da26f4adf1fa697d76a882243bc3
SHA1 9f2afa776c04e8be2e9528e642094f19c3d3450d
SHA256 cf1adc6e9cd39a9f7905a2083de01bcd472a2684f984de18c0d73ea99e82490f
SHA512 2debe1c76ee7eb2b98af32abe3c56c40b80f7cb8fb855825cb9255582607cf03dc64002dc16b23a4aad9d5e9b97d1a13c2c64ff272883659b03eb847df45b3e4

memory/1496-429-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Windows\SysWOW64\Gpqjglii.exe

MD5 ca0247b0549c840c49c5d0d694512be3
SHA1 0323b5f403793b067ed5fe3483b54d0509a5352c
SHA256 5c08cabacc7f7a4e349957dbc8d2279053b37eeeb3c2901ee6603a80fd69f067
SHA512 3e8112d3772c74defaf21dcc827abde90ba593a771ccb560fd75fbc250d2b2cf8fd2b7e953f4dbabeeb76dd29ab13181265ca2655b62490bfc571f9e896cf112

C:\Windows\SysWOW64\Gjfnedho.exe

MD5 0612657cca29caef08819ee0b161d82e
SHA1 20ad7d7ac6aa63641d7055e9aea16ed4525161c4
SHA256 9a4f96ae7f6f0153209917bbcf5c0cbe1fe2fdf9b45396c0644b8ffede2cd82b
SHA512 36b023272429b15543a0bf83ed3153d2b7536659cac4d35743440da889ec85b8c159d76cafd44a11918b99a59397858db724d73a033c509622ef5f3776d3ee5a

C:\Windows\SysWOW64\Gpcfmkff.exe

MD5 3d878d46455ab3278a1a8b1bd4bf2ac2
SHA1 1d2ba1aa60f703bba1524095ff54eb8108a24cc9
SHA256 e96d5fd309a294a39cfbbc043da96bc36deefa11c667ac98e1baf45e847cb307
SHA512 2911bfb2526e368e104fe6ff94d3fae9525e4aa57ac1dcb5fe72dfba4af4028a14c04c714e432ac91f9c29559082e404fb92124f6c9d7099ce65da17a6ad2544

C:\Windows\SysWOW64\Gikkfqmf.exe

MD5 47a0616081248bea167812f099c5101e
SHA1 9401451352bb09de9cf6aadb2582cf64f54fcbf8
SHA256 dc91eacfa8359eac27a376fb8379e39574344ee88e5a6cf6161de7323d8bd28e
SHA512 dbaedd313673108bb7d0a0674a265a5226add1759a924c333fbe86863b28dc852d08edec4e4f211f1bd4b19d41454accfbe3dd4a135ffa993165f3ed589e28ed

C:\Windows\SysWOW64\Hmnmgnoh.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Hmpjmn32.exe

MD5 80cf7cc904dd5569b35a6e75d0aef871
SHA1 40d3e34573c56ad8b88fca8e8e505c0cfdbf30f3
SHA256 bb047071f94700e4984fe07d5a141f5897073d1408a439f88c766afb8588e616
SHA512 364ee6cb78ecb2f8fac03c88bea8fb59c295a6136b903bba61febc4fb139f183fee56a75e89400044279fdac7559e2a89b1dedc87d013be5a8dc19930c032f03

C:\Windows\SysWOW64\Hlhccj32.exe

MD5 3a253e6b6c2844adc9392d65685ba08c
SHA1 61acc02a3070e720c0ddf6772a6004e1ffbbde08
SHA256 55a4312928e17f01064a551964d4924c281404161f699084e43746543715e401
SHA512 0a09c0f37262101d1c402fc9b4209ad355caf7fd82d5b57af5a7483f783e6a03dd32966c0f2eaa0bf3013ddf8b720ef2d9048cbe1507116e0bb47eee79f98105

C:\Windows\SysWOW64\Icdheded.exe

MD5 a280f6cefac96a6c91dbf66bf09394b9
SHA1 8a0edace2a5dfb55be87145397501b1a2e2b129c
SHA256 1914c720fb53afadcc4c2e54165e86f7bbfccb8ea81394e6e7bfcb4a837d46b7
SHA512 9b7601698dcc9d7dc10c7762089b5b68852d3667ccedeb4ee12562c590240c553831baa17fd64623d5247bc3c1ad0318d6623b26cfa209eea3f51aa8b8f7f811

C:\Windows\SysWOW64\Ilmmni32.exe

MD5 29309089cb8a815438bcc9263ea46331
SHA1 18c51da417daa38959eb2c6558347f1d0ad94fa0
SHA256 2adda0ee0191dc5f75a5067a4636c0a58f9d9a25fc63ac0278b35580b32397f1
SHA512 0b378219ddcf91fa278a7f0c665869274ac07833ce62ee216ec930fde0cc5d915cadcb844b9c91e22369396f98c280c49e44f073996ad77f3ca95fe1d6c087e3

C:\Windows\SysWOW64\Ipjedh32.exe

MD5 e0f586c4541c9815630ceac5c8c63bcb
SHA1 b517f5cfb247b28b359971e11544db6580bc22a2
SHA256 aaa71b1955c55b2d70903dfc47789db3f6f985a198cbc61f5195b2589d2e5b2d
SHA512 25242ac351a65d626baf3ec6c32a269bb8abbd828b50608ea93589c64ea6fde699ee9d59c4aa1f29ad0d8b919e85248dc2dcc4874454e102d4b05cc383ff6c61

C:\Windows\SysWOW64\Inqbclob.exe

MD5 a8d822923ee78f0c69f00ef76b101b87
SHA1 86a36991d8efcd2f99ad6ca135f069ffadb0b40c
SHA256 afe7a23937ad3e58659edecae58fc91d76c7a3447e3a9c598cf14a56641a37bc
SHA512 6ad9628a2bc94b96cb197adf2d410f89a1693db172d44d3f9563f0fcb977394a6393d88ca51526d098d4748c9372dfa66bcc8be1396c86b30ceaed1c903cceb3

C:\Windows\SysWOW64\Ikdcmpnl.exe

MD5 ae82ef1c981101732c83bbf081a6f7b5
SHA1 ee8c81460a19815d4f4c54da2f80d496255774ee
SHA256 94ea83965da93cd3dc8c29d74b03b26f4cd681a99c4d49195646c0c67c1f6a58
SHA512 3cb04ea47b91584483cce34303b2987778a5919f07fed4b49242d393610cf2830b5670af5d28b3b9b8a4403ef115cfd4310a16714bbb19df83fd93a3971dad51

C:\Windows\SysWOW64\Jdmgfedl.exe

MD5 6e73deb2a210210250dd35814290fd48
SHA1 09df027f40565321f1c1275ab0682711e5fb555c
SHA256 7f41ffa0d2f00ea89e46b7f6fcab524379a3fc1dd894eba0bb146dc498e21e7e
SHA512 81e029506995c39986898debaa03ef97fd210caaf047d2e467502f7893df7a4dbcc83e9ddf31b3dab0945dc89d285413960ac855cb637ed23bd47bdde87cde53

C:\Windows\SysWOW64\Jnelok32.exe

MD5 84bf80d2d7092257e7c63aabcdf7e6df
SHA1 d81db1053856766bc44b2682914411e5f80dfaf8
SHA256 83b7b064b86088bef733d26071982fd50fd1a1661a27c0d64c855a689bff2ce8
SHA512 182dbdfbf479ddc2b0b0de0904aa7e951aafabf725f1a1a170f50b76e5d8ee5efeb0e01a7b9b1e18990090ff7bee82be1e6afb5af5ec46f96f48a4a487b482d3

C:\Windows\SysWOW64\Jpfepf32.exe

MD5 f8f28afcc0ad02247a873bd9a45ff677
SHA1 5027dd20bc311dd7e3522b921e11eb70b4671c89
SHA256 590ec78ca1ae32f9f88ee68ab2fde813831cc66c4362617568b3b05112528f77
SHA512 d05d919729dc2add8ffd59072fb4b385b22e3f9301b8be120d7705c2fc58a88ffd021c9204b6ea48de5dbae0328265eb96a70f93202c3fb6c5e61e9a5ecd32c1

C:\Windows\SysWOW64\Jddnfd32.exe

MD5 f365849966552971a8a12236486b09a7
SHA1 20a2736366b60e69ef7916137289ea919446412e
SHA256 9b3149b4639b1df466f2754fbe1ff4b2ee08ac075ca5941b91f9100a0665d40f
SHA512 b9285d57da73415c6ef74887dc67eb0aa91d17eedd84fe1dfe357295faf956b7610c2fb68466e16aae3bd7642602bea73f292b0e28dd99ae6da3984438731f6f

C:\Windows\SysWOW64\Kclgmq32.exe

MD5 caf270920912aec960270a395ad0aa57
SHA1 760812ddc0bb11073aefb9ff11771dbb403ee609
SHA256 b1af98575d15d1d4090137009c51f9200fb1dfa81803186628e17dffb69056a7
SHA512 4b648edff62cf2afd7c4980cb38e1e8c6a26795cbf2e9e1e655665a67bb3032683763495c0743317fe3342501659b4e44292a18afe5fffdfff9161c45c56c9fa

C:\Windows\SysWOW64\Knfeeimj.exe

MD5 8c8083dd189ed12f1e594977907aaf44
SHA1 6092af334f909745c047f464bdd47a741ffc729c
SHA256 1031b5b53eac8757d39d3fedae638d67e466a07045bd9d026a641e4e6304f228
SHA512 4c091054b178042d91c98d9378cfa26bb17a9dec602740d07a2da5e53caecb9da7859a744ba735c64b74d168c25ec8e6674783f8dde69b1fda1ed9d38c4598c5

C:\Windows\SysWOW64\Kqfngd32.exe

MD5 a74030e7371090e886f1e3b1afcaefe0
SHA1 cda557e21a06f21f1e27795f096aa03e7887ad5c
SHA256 0294de7fd72a149cb8b2d8d3934ef8f4157685802e2ad29fe0abfc38d5952316
SHA512 98ff3fae19935341d31322ffd9bf8f6940984ce7677778aa88dc4a1b3ea0dc831c60f2c45e7cdef86060e41048ccb248e01d12146e7f12a22225ee8d96d05d41

C:\Windows\SysWOW64\Ljobpiql.exe

MD5 a1b9c9765c383ca0c6d0236ee66878ae
SHA1 7ee35df7b1274e70f35571f8117e15e64e7430cd
SHA256 95f27de8c05302584340c7ad0ff4a8f7382d83f4c3f90c99e6610d783c8d67ad
SHA512 9d4dc015527c83232b79a64c05403ccfe8a925a5a6b0733fee8cefc95e7e7d33010dd6b79d140aa34351e53c42d1f2c17d0ca1fa58714c077bc190a534ecfa81

C:\Windows\SysWOW64\Lddgmbpb.exe

MD5 eadd102d53e6b5cabd79b7536b776b36
SHA1 04b7c299f4e5254e01131e60c332bd9a850ae86d
SHA256 ca8c079e4701620512b6d794960427be69755cc7de8e8b6dbec72297e643f4cd
SHA512 1b0c281af80d736b62cd762c1da7722de83985cb48c170232a538de0fa8ab223a76bee799188c0b768e92975a960b33b6b5bb31a8184d4e1c9274e84f208ac42

C:\Windows\SysWOW64\Lnohlgep.exe

MD5 5525486fe6cc212147ed3b2a92a072a9
SHA1 43130f1a5e3572c4c5495b5fd3faeeb5e10c334c
SHA256 36e03fee81cdbc4dc882ae3cd1d99b3876fe56e1eb74c2ba713af2afe60eea04
SHA512 49d1b4e4c64c98c516d5726b150a468fec2e943990c1f7aa8204e2aa74dee4cf9d3f23eb898e3d96aac1ea8e70af0268a0b856e8e77797775193f7201935979e

C:\Windows\SysWOW64\Lqndhcdc.exe

MD5 3547116552f7d82067f3398629f0a752
SHA1 8526a93e876b38018397ad5ea9ff7ea97485e457
SHA256 aba2fefe259e3060f219ff65173667d8c776f4a7192c66835d6e6fe49a9ff047
SHA512 ffa401f932b22f4c623418241a741f8c38b2801565e604870beecc4f1506372b3a88819c675ef512e3df06ab50b637e019c06041ef2c033baa58cd2b911122fa

C:\Windows\SysWOW64\Lqbncb32.exe

MD5 1d1f62684e6325b3f10a9da506f923ae
SHA1 874101df14130b046be6b0e39368b8e0dc574487
SHA256 cad7008f1d219b7636d2749a74e3fd2f59e2eae150b9af8212c2fbb9a1d124da
SHA512 550d7ad70f82b36dc0b44b700f1c60fe36b7e377617e0b0e43fffba1697c5912ff90584058883afc0a49185ca7299a8d021c9dd7b199db64b0997b0cbfec8d2d

C:\Windows\SysWOW64\Mnfnlf32.exe

MD5 83b3bcafec0f48b67ff77ed7898fe1c2
SHA1 f8c14649adbcfb6f1476ca5a2ac05b3f8bc3c32c
SHA256 ca108416a087d62b6df80ac20992a2d77a961b50a815b79ee8983128a57cd111
SHA512 e00f745772cfcb411c81401265488496340a092ff2ed0c6819de46c1feab73da65b4831abe3e1b725edeb83045103533d77b45fc76a0bb8d428d5eaa0d9be845

C:\Windows\SysWOW64\Mjmoag32.exe

MD5 7e04a25ecc1dbd90a2ae71a2c669c7fc
SHA1 5e3c365d5d85c2ae302464cfc4c3500d6c881081
SHA256 4f1abcda37c61bd0ef111fb0888dbefe97c90d1948cfe60d83eccbefeb37a748
SHA512 dcaa60d4fba6441ce109d375325a15335365dcea1939d8437044544bceab99212d394aa8e1c300698138cbed45dd7f23f49e950f8ceecbd71147bb7d0b93e04f

C:\Windows\SysWOW64\Mkmkkjko.exe

MD5 ed432708634d6aae08ff5d4a0412e6fa
SHA1 2a935eee69d5e0937ad37251cb5a3164e2ff7358
SHA256 118301ce2887adb28407516546a98ff7c0749ac11752150ed234ba286d0195b3
SHA512 0ae3d3c59f891b9660c9b22b3d9ad6eb282f7c08be9a7a5040ce446ef4e62ed25814b8047daf175d42f1d6abee004777661d5a6d327b89829b0c7042a495c19c

C:\Windows\SysWOW64\Mchppmij.exe

MD5 770af0e04321d56c976a546d13081953
SHA1 7b83604863bc054654740d5fb41cb56628e4114b
SHA256 b9e7fc0fbee8159cd554d4a6e31ec12f88de555da4f314f37ba4b44721610aa5
SHA512 fdbac7fe32e0ad7da0d3dc9a7fc6eaa3138660b16eb4525581dcb34338ca6f9646dd17877764649d6609326fe3a6cd52004f43cd256c23677bf7165708810eb1

C:\Windows\SysWOW64\Mgehfkop.exe

MD5 2a141dd03092e5f3af972a7dc3ab73db
SHA1 b51698c0f12e512f4013eaafcbe6dcd8d0b2b3e8
SHA256 d471e259c2633169d1367ae159c97cb14afbc46d8c3d30c481f2c6526fc44479
SHA512 72755ed290b914cf77d2fdc2545a3f32dd3848b26a566461f16ea83724acc96e898352ed98d4124bda802486f1118ba229de0ac284fa6cff9b4a172845eed98f

C:\Windows\SysWOW64\Nclikl32.exe

MD5 b1858ca5fb4edcfa7f1894515489f7a9
SHA1 7f8a8706fd8320fab560386c856be202a216a80a
SHA256 84f2d7a0dfe480f66e1cb8e6295466c7b1d893c0a2b7479fc42b1686162aa874
SHA512 b79cf009fbb490968f1575157dae6c57554db0e9c6d2b1f927900c42a85ecfc3aad57a087d9d21c249cb0ae8b7ff9435fa158ecf2f31dc3f698bf8cab1f73a39

C:\Windows\SysWOW64\Nnbnhedj.exe

MD5 eabd2b6e92ea94b2f71674e848f4e1ab
SHA1 2c37a904e96e7685a9576206e80414eb45b41940
SHA256 7a0f2e455afb6b324a41c9e809b37e53481311e8d1a62df57e3a8c3718a40aba
SHA512 327e9aeb5141d2486c1f8032cdba440ce60b8b33cd49b44687dde75af39be76404f4329c35386184251fbbd1bf5364f39db338ed74fac3dc84514219f75d392b

C:\Windows\SysWOW64\Nabfjpak.exe

MD5 6bb2a6b911137ec845b1be7c0e1e567d
SHA1 3722ac91e8b9c43946cf8cddfdd01dba722ccec2
SHA256 0008f6da625ae399ccbb1ddebb7d559594881d151211d52210e2908ce1b83c06
SHA512 5060d577e183e66c52917b07d255b42663385e9f6ae668dff0831e6959a3bf494fbc0b2a7619c1686337532c49ee57c9a05e62c67518e2a8a2a2b0d17204f7cd

C:\Windows\SysWOW64\Oeehkn32.exe

MD5 7f93f5c4b84a2ed7847d2f1760f041eb
SHA1 4e2485cc3879be92c7f0021f84431d26783f6b6f
SHA256 a04f5fd9c8f331e7bce93645d4f9ee3f5c2499648bd572572340dda201a4e1eb
SHA512 333e4fc39eb54a83f9b9d7a9bfb760f4b3ebc6c9dc483444203394ac77cf8bb75f0ca54e1d689c8101db7819e5ce3a6154386fdd1d4615af938649e97ac119fb

C:\Windows\SysWOW64\Onnmdcjm.exe

MD5 1b768cafd128367ab7296c917bccf4f2
SHA1 737c293dea66d855d5a3a6698c9523305ddf7770
SHA256 a4507025a05aef664d57b47aa34265c9ff272c86d6bfa6631024b9ce240d2d59
SHA512 002ae1a9fb2e0e4ac9d4497a40503608f9532dce0852088deb4afe0aaa78be91e30825026c0e1026f4bcc4a87ccb7e8e7ef717212cc6457d1ba9c1823c9f7ccd

C:\Windows\SysWOW64\Odjeljhd.exe

MD5 02b0e1fb2b5d63e19fc122c49db0e197
SHA1 97597a48d48297d328760c6c807b7349019545aa
SHA256 941418f3d74fe8c40eb326e74722f2c6117470b48629fde1ff71386c977678fe
SHA512 c967a01a6a7bb0e111bea4d725cffc5ef5770a793734b635087ce39a1abfdb4a6b0fca9f1a60535bc6bba1a14a677e9e655c2a315be02e4614a895ea4c3389a5

C:\Windows\SysWOW64\Oaqbkn32.exe

MD5 96a91c8f6b03c8c4fe095115970bb532
SHA1 00551fe8c242d0cc72771c74a0c2d0fa7d144967
SHA256 e732a1e30c85847573f122bb8d65739f011c892158eabd877b561122532737af
SHA512 04315efa84398bec0bd41c7a27d51a5d4605d0f5a2f3ac411449d798856bc4387774b1216297461240f86c3d79c3c4c27c06858521563e92a77aaf66eac73c2c

C:\Windows\SysWOW64\Oodcdb32.exe

MD5 0b93c5cbad619d3b263a1def126b17af
SHA1 51685b32eade9121c4786fd43447d20b5cef6081
SHA256 5ed666408f8e7d3663bc4d6b28ad533b49706a57ed8c72b53513905eef484257
SHA512 79fdc491a5a8a88b44691c84daddd4362d868ba2fb877421f3249321f1060e11b42f170255d257c5c8629f594e5c72a320a85392ec1bb2f3589b0544fae8c1ff

C:\Windows\SysWOW64\Ohmhmh32.exe

MD5 fa12d9952e92673843835f25b2db2aaa
SHA1 da2381afe3de3ca7a3048cad3d51fe83999c7b9b
SHA256 9ca38cdbf9e6361067e010eab77fca7f4776133adc40bb11ec936ed94165825f
SHA512 7640da79fe7a1e3c05222bd3eb1b2d9676d9cfea967d75f30cbb8f8784ed1370dd91fb709cb0e2640c5ad795949860e125e4505b4729094f76a685ac0b2d002f

C:\Windows\SysWOW64\Omjpeo32.exe

MD5 ce80d5501eab4b83e48eeabb601acb90
SHA1 6f89b522a4fb94714591a89879cb35c98bcc452a
SHA256 42b730e9a75f2c060cb4e2ca17b05a80606b12139f68cbb6713f2a653912f9cf
SHA512 3b90574a1e359d212f93a587e9a23f266f92109bc452fc201548479aa892a314fc850044da0695c4d9ab925b5d3f6ab81fd7c0cae8cfa2c1ba04c1a9295b3e27

C:\Windows\SysWOW64\Poimpapp.exe

MD5 33ceba70ef4b66296bd8ba9f805a33f3
SHA1 126de554c58a301f7be40e3f8b74c67c7bc4e707
SHA256 ec204777be6382e79202dad9dd6650641e8380ca093ebdd45735f75e0104a586
SHA512 985c6aa68c4e55d669eede279736e4944d6bc9ba9c14f3097ac7e00b4c7fd53975dc6b972f2c578706ca1bff88cef70dd22e95d8efc2d1778d2c32e67132d757

C:\Windows\SysWOW64\Pefabkej.exe

MD5 9c0640a2f7181cc042aaf95cff2b4f2b
SHA1 3c7fb68642cd232169c0440018a4e3952a20813c
SHA256 520e4ac133d2e77af27686ac60dc8c8a22c9d161ff7f9fe57541775dcb299acc
SHA512 f9fbf0356a94138d244962fe5add6573b8e5732d18f237e40c579f68aebaea27eeee8d9db5d607dc4a1e5c0f160a4f11c96ec4f01ca3e0c847505b60e798e450

C:\Windows\SysWOW64\Palbgl32.exe

MD5 34beee3c0810bc560ff50f9ed099d716
SHA1 f783780701c58d51d78451aa15945fc538624a44
SHA256 c1ce36234e453beb9ee90dce6620e9cecbf497c842a7e94c37d91efbaed157b0
SHA512 e6dc4a05800bbc0b38070229f060e18cb12136d59abb2031e68799eafb376a43503b56669706f77ebce904bd54d1f2b6a321ddaf85080ef806ad4fc6b4366ced

C:\Windows\SysWOW64\Pmcclm32.exe

MD5 4348d3065506eb3b7bb4d854cd4e3e0f
SHA1 e1838679ab31013aa230d1ce1374ac2bc3cb93aa
SHA256 82115a22aa68a45c503ac422003e2e0397d38d77a5f63600347610d8e77a64d4
SHA512 e4ca131466e28d971611dfbeb265adb50fee3d323fbc8d46cc5e1c3ca81f076c5ac209e7017c32100a771ed652dcc5e011c9b0fd92681b063b64ea736bfa4f00

C:\Windows\SysWOW64\Phigif32.exe

MD5 bbbb7c270b6e5e0f41c39339d52becb2
SHA1 50b6846389c1cf38dd1be8abf68d7f06095fb9e1
SHA256 637485979ba075206be7d4b62b579847f80b9e8207b5c8597bc6b1b04ba94806
SHA512 cb4bb5767d5f94c8bffa28595bb114b9157c1590276081df333bc778140039d9b95748800b5c15c9af69b1a1572b245153b78572689470b4bdd78e9b8243115f

C:\Windows\SysWOW64\Qaalblgi.exe

MD5 de5f0ceff5d10edef0886c8aa6b49790
SHA1 0c3bcd8a5e6e03539c1ebd30f4d074fb0a383de9
SHA256 e16848586fe2253e49cf51ef7b686cdf2e22367a9ae472c9b79aafb38cccc376
SHA512 b88f283db414cbfef71becbf5fa89df64642efdf8b95ee3950ae3561a46283f8304a8bcff2241ec85904fffcc64dc0d0f6b17f5bf4f8f573404694bbe706ee82

C:\Windows\SysWOW64\Qdbdcg32.exe

MD5 c5ca6deb6b9bd5aadf356572237f57fc
SHA1 8d3c0867e02143c4ec284408080bb6f45a05db71
SHA256 d0dc75d9bd9550ad82939f0bf1e086751daf3c36def0f921d143388560e45dc0
SHA512 86b77cd5e3295ceba96e2fb1c7cc52e1bc83e341b0e590251d8d236e7ed619ce511273975dfb0c142f18d1a26f92839dfc797a49bbf0c6c4e717b92f8d813eda

C:\Windows\SysWOW64\Aeaanjkl.exe

MD5 f20b3873ae0770490d5f3c9bfaf3a95b
SHA1 ae3f3b9a36b80c3eba4c9ad0e76909424800d9d3
SHA256 d7581d03730bc2e6bc27ad43f44a1a09179936592eb503bdfc2c842aafc2a71f
SHA512 72f78faa23a0e79da3e7357edf7135f59826454440511b643212e6632e25ff4b055e46a931408640370a5271b5f7d2c36a58c097e530965bdf1612ab77bec7b8

C:\Windows\SysWOW64\Aojefobm.exe

MD5 180ba52ca4338b02ad09ca5d6274f44f
SHA1 280de83b037ab60a0056a22d1be89742c03146d9
SHA256 5c6958f9583e6dff8769a46b44ddf075fde941bad382ee0ba4e627ca2622495b
SHA512 6fb1b90a797e4978cb8eea3484af37e8f4d317f9b5a659f36b355c3c4de9e5a67280eeced8b2e34e19c3107dfce1743e2e03a99a601cccf22de64eaf5aac70c9

C:\Windows\SysWOW64\Bochmn32.exe

MD5 1cc0ab467cd2bb40c5027fa96044b47f
SHA1 f748e5718b4ede11e62ce5aa9219f0e2c79afa93
SHA256 3eb9c4a529e3158c2c902072bb5581865d75711968df1f5fd1d2e409a10c5792
SHA512 d973793a042f95cbab9de4998f3865b3668baf65b735a742f1550001093db061cf41e99b224fe10ef87a4ae36ae67709b160e76f1370d391c92c1dfd88388a65

C:\Windows\SysWOW64\Bafndi32.exe

MD5 d820096e6e7d0bead5a8db5d9d5ebb69
SHA1 8a75691ef4670bcaed70ea0c22be33a1b9d82037
SHA256 6dc84add55069a2cf74a1f6b4fcdf43c57f07373debdf8fce3b64cc917ed7440
SHA512 237980f9bf2610f67f0892620642018aeb4a62c9f44d13abcd3cba7c47e908cd2fccdc390e57f3b0984ed127ec0a5696ac76f200ce49d8bb8adccaea231d2d2d

C:\Windows\SysWOW64\Bdgged32.exe

MD5 ddb182ad65179ed1dd5dcae30b41ff93
SHA1 b0cab1fc0b8c54d96337f0f3fb8c21230d39bdc4
SHA256 577968a28426be029ea37b81e233868693065b3394a76a3c0bcfc49a4f08de19
SHA512 530755e09131ff63a1fea1d21f0590134de72d49655bcdbfe320b375d4630ee3ef3ffd256149d4151f90b3e7d8108e00b4ab3a196d3af5fff2f5e06c93ae141c

C:\Windows\SysWOW64\Bakgoh32.exe

MD5 ce47897e94ce08c3a88a476edd0709c6
SHA1 e49432775a73272ace971ecda8c40a1b806fdb66
SHA256 2dd5639d2a79a59cb3246e09be140e5507279c267e98579dfe180119e9c68f38
SHA512 b62bf01b94a9064fef475cd2c22290f3fa2e27933174079900b5e6c8cf802d9e675cdb5942e380d49e184f9531e4c63bb4b7fb0b39f661f93fd370082cab57ba

C:\Windows\SysWOW64\Cfipef32.exe

MD5 5847b44c5f2f3b05a5ac9e0e554ff484
SHA1 8ab94ff94e4a2e5d001011ce54b65b3ca47b6945
SHA256 00365629dbab54bb3d7948d3d0648ee7f795532ef821a35d1f55efa7373c3829
SHA512 f9281df67369dc8a35cf398a3fa648288dc157b4eddd407be6d1fc24553aa0c80dee50f1404c468ef625aac3be5ee4d2c7d35aaca2a098112fea4bb653967922

C:\Windows\SysWOW64\Ckmonl32.exe

MD5 6a2723a639ac2dc8b8eb4e3e91c4f134
SHA1 de782eefe20312ad9951ec022ce24845e57a26cf
SHA256 f00dbada972cfa8ca345c48c631dc9bb1cfd690cc6efa1fb32e2fee2630a2fc1
SHA512 75f87fdfb7ccf570977e5bca09bf718e2dd41294bf131d9b3d0cc128d4b65ddc22274f37d1d259eb96f1ab1e194296d4de774bcb51ec08979b7d35958cd25085

C:\Windows\SysWOW64\Eeelnp32.exe

MD5 f38796b1931fd59210e9860eff9aae8a
SHA1 18d2f845401509b7776005439deca927ff9399f6
SHA256 d911ec14b9173fc8dbc67cb9ed9c462a0e39695d82406fff17eec28a295421df
SHA512 1066aa3fdef05785b4b8e3643502de93b3ac4402c0954c7c67cc2b973b25637c1ca39cbe77568d4bbfdfa434f2b7a6baa179d87f47c1af17ff4053b4a616414a

C:\Windows\SysWOW64\Enpmld32.exe

MD5 47ab26d4f83d0074713fd7c96a9fd920
SHA1 d7e24b9f79b20cbb1e20327d3ed2eb5cce80de70
SHA256 ba497b5680d0f858ed8e9983de6abca4b0003f2450a209436ce2fc9f1199c526
SHA512 04dcafcc4dd3c744e5daa7ae36fd2ff44a48c3207d791c11f934532d2305856f7ff7fa456a6d88c4de6e6bf992d840c86ae80982160cb19f7f319a121638b294

C:\Windows\SysWOW64\Fealin32.exe

MD5 c38f06c6faa8520d6e5ab7db765b218b
SHA1 7eea7684f6b185c989b653bd91188460566966db
SHA256 46643b46254aa269858ea4b742f9443b99edf59e79df7e3324d11b8c9631faa9
SHA512 41b5afdd64d2eafd063a3c12a508b566e04438232bfdcb3a30366b7317cf5e082e63c6f75b65e711af8e874d4db99b54f86639fbc6c24d7948634a821805cd5a

C:\Windows\SysWOW64\Gmojkj32.exe

MD5 a9fe49696850a200b5d367088083689d
SHA1 daf613a3fe9a2eedf1f28cf3b14ba10d73a90643
SHA256 cf64d478fde408d9b431d370bd92f2bbc10bed3827195b230c541617613f50c2
SHA512 a9e75cf59191e2008df63ab3cd3019d8815f984ebd40f093334218c430fc9b5163789ba91bb4291c3a1d30e0f51d7cd6d46c5508da9134e4a779018ba7c4dc69

C:\Windows\SysWOW64\Gncchb32.exe

MD5 03934538739dafce525f6eedf6a22d0e
SHA1 3bb5a902017b43aacd5a869cef6992df4adcc955
SHA256 b30ab29de1265c5a269fedc6cb67bdbfb2876b39f5785008539a756484d8fc89
SHA512 40a7cad31367e02ca1010f26aecb64f80c59ab8d78e5d7310b55feeef496b8bddc3ecb74140ac6ea5bec9e96c8e7426f51a07fec55debdd05010ba3e2f5cf474

C:\Windows\SysWOW64\Gnepna32.exe

MD5 0a278466995cd102cf7c94fec2e67e14
SHA1 84d5e24ba3d7a6f2b8c5004117e22a8ff53c814c
SHA256 e5e6a3a652660731c664dfadc7fe866c4f57ab2aa42df8647a730fafd18022f4
SHA512 9e3bacf105812e1464a9ae36e75f8cbd76ed59612b088ce014b05776fa5d59d60ac027c22f09b667f1ac8c5f18eabbbc32643244eb3d4d3bc6f24b9af0a3bddb

C:\Windows\SysWOW64\Gmfplibd.exe

MD5 4a105b6ab5aa86ec28d7e6457cd76a8d
SHA1 6a48c55a0a031e31b8857255588b8b3885d6104d
SHA256 1c02b260c86db59a248fe160209220385f43cb324a6e05a74a07199eb4934324
SHA512 fd201a2d314e346f5f418307116fcc5e60806fe263cce2d27573affe65dfda8acd956a9738875338545ad4eb8dd707b2b333be58e4ab80cde99584b0f6a60241

C:\Windows\SysWOW64\Glkmmefl.exe

MD5 0e3aeb90cc33a24d3df4278dfdbeac4f
SHA1 a2a47387776fc65cae38c2db2cd3e8151fc9066e
SHA256 25f6aa1bee802448660cc3123008a1d00670bf200a4a9d5329209737b9faf1de
SHA512 e17fcc117e2a35bc908dfc0e65ed94e58a88867142f50bc1c588745e40ad0d97c6344924af5eeca5ff1686b81fa26000fdc3f1a5bb79e8b129b364ce8a0068c4

C:\Windows\SysWOW64\Hipmfjee.exe

MD5 ebb54b53284946faf707366709526cad
SHA1 02d7688bd6b78e567ff5244be42015cb9ac5fddd
SHA256 127a4472415802bdaf7b5f7a217780971a903716eec0345d62de7a1c200bd7af
SHA512 4b3efded177dbe5c2eb7bd8c12ef764cbf073977b93f005aa2534973d0cd1125de222936fafecae8c0930604fad6e30c5534dd4dd9f7f4cb63fb514c57aa7bb4

C:\Windows\SysWOW64\Holfoqcm.exe

MD5 dd199de9ac80868fad7cf1c40d01ed89
SHA1 b6c946bab980d36356b7fc6f4a640c9c87082cb2
SHA256 d2ba0195ca6e76558a8b118aef25c32d1b4c95a9413ca62f7783ca6679998501
SHA512 27be30dd357e0d11058c4ebf59352730cc043a99d5f8de0acbbf47c53e26e373cab31ea5dc6ec9d625ac0a445c3b5f67642ef86d60b573eca95242369d7960a2

C:\Windows\SysWOW64\Hoobdp32.exe

MD5 55031cd65dcc0904381eeac6d04514fa
SHA1 221cace0d5c8988fe04175ae8bc13d72439fa8a4
SHA256 6b48d70ee684fd2bf77f05b0d36b6cfca743967064992095abc800f2bcb6f66c
SHA512 5b6112becd1dd10e0975f541c84571c23e38f116f0ec86b8fa878752f737964fefc32f7f26411206b87045a984ededabade2291a9621fa1010948dc008233bf5

C:\Windows\SysWOW64\Hidgai32.exe

MD5 a85a83c7285530c4977b49777a01ee0e
SHA1 172ff93f04548af2be3b2436eb674e43ed9a5a95
SHA256 5d0d5f0f1dcffcc96f522ae72da00a3a176f232f05ccc45e2b83a44f70187f9f
SHA512 34f52d042cf4e42ce39224116af8bbabaf7aa25a6bac037aaacc0870ede032ed47705aba69e32126a1388ee584a6b7546e43de67bb1f878f013b7c9710dca4ca

C:\Windows\SysWOW64\Hfhgkmpj.exe

MD5 f2b9902092e276012adc8860a9c604aa
SHA1 32d8392f1d539130fae8fbd3a25adb2e709e2cf3
SHA256 aee1f9e437bad18d305f4a0e96ef8b8e87165c416f73b050cd53aefce1bf1989
SHA512 f9bc85cf159d4f1a11b91c925f3b2c336ddf056f01071046bcd80774337414b906fe5b2dcb990bbd7d1ba6bda89d06073803e06a6bb4530defcb3b725d8ec92a

C:\Windows\SysWOW64\Hlepcdoa.exe

MD5 f58cf8f26ed32b32dc3c2bc590568fc2
SHA1 c719f0d11cffcec50f263b15be795f5a4a7e286c
SHA256 5bc922244c2182eaa52a19d4a85b457449ab5d2376387fc007ce1ea56707a8af
SHA512 6b947e66efb3c88b5e1617d51055d0a035c027e0fb7eb3fef836345c813c4bbc6e83c034184b7369984c0c626a16eb01d5343f73959bf503d14a9489a8f0334d

C:\Windows\SysWOW64\Hoeieolb.exe

MD5 34a1c53ab95a5b15a4238b56ecc16a43
SHA1 c5a807465144898bbd137d850aa8cab908270030
SHA256 74308a3ca90caeb58d3901ce3e2fa988e3f31c0409ac9c33229166714261affb
SHA512 aec6c1b4b3c2626a7ed51b854e28b3e0751fc7dbe2b8e4239a2f041c8115d643dfca212056c317106d02d46dffe6bef268f9443342cab1991dc1e47c5048afb9

C:\Windows\SysWOW64\Iebngial.exe

MD5 50d9138730b022dff3544a5c05fa0f34
SHA1 8e44fb5bb1ffb59690fed1afad131d1a37939d93
SHA256 81d915f1afbdec77f554ea8a28a38f4b83b15ff8fc866a2787631644caecb73f
SHA512 e59133b291c3eff6b9e4f750555101e5693ec84891ee753de7a6fb4fe07ff236735c265ce7ae2d9dc34dfa04112630b3c2b23c36b0bb9ca6b34dffe955516cd3

C:\Windows\SysWOW64\Iojbpo32.exe

MD5 857db49b0d6e6d151d271d240d6c817f
SHA1 738390141c52cc4713a4efdf1f92d73e95e0f8be
SHA256 5d41bd2b2368ad6d1e723221e5b4711240b706447d6d3e73bd77f3bb54c90d11
SHA512 35627b2a90b83b385d7834c66dc6f08c0a79b91077a7520908ab49bd120a0d77453ca4882c76de6389dbd7193c66761c015a71133977cdd9efe191c9900e4d5d

C:\Windows\SysWOW64\Igdgglfl.exe

MD5 b1ca798816c57fdb13a31d998c4493b1
SHA1 1a5438d0dc71919834080ede133701225571c52f
SHA256 22216dd55ecb1eebc7126fa31e32659aa70dced57fa160157f0febad1124b065
SHA512 bf6d15a8c89185d0ce09bd4fbd263467b52ce396a361dd775b47c6cde40e44fdc0c9ece61dbbc9d92209691e64dd61297c3dea0c531c526934b99ac351977556

C:\Windows\SysWOW64\Ioolkncg.exe

MD5 4a2a80ce449b5367c2db7a6fa5d1c4a9
SHA1 b8ab9c4498e2d62c0aef787d3db617e385d354fa
SHA256 154b23fd82f537f844846f8653a7c99d488617e4f536ca6b977eb36710eea4db
SHA512 d9a45ffdb52e334bfaab50b4bd15a53252bda406ff8a4b2386c33088ae41494ee44c4724d8ce39218576a52a2270aef06b224e143c2babf50d64e969b318bbdd

C:\Windows\SysWOW64\Jghpbk32.exe

MD5 450a8259443f2707627d5651f0d65f5e
SHA1 98580d99d3fa724f66c9a511945cd07f77c68a83
SHA256 5efba1dcaf5dfc6580a44cc8a76aa7e8afafe524840e3a61725234df22ce86a3
SHA512 7d3e98bd4e3ccbabe11623682ce334d5df4c52c230b6c62ad206c88cdfd90bcb6768d140fd4f64e3fa91ead470cf72d6c1311085303104d13f85c3a57bb5bd9e

C:\Windows\SysWOW64\Jcoaglhk.exe

MD5 9e67979809cf8a9cb69aa3a613ee577d
SHA1 130c593a53bb441009de9a4587b660b1ac76ab37
SHA256 71090b25b2d91501ce04afb83165072c04b177e92efea96393cae9a3c0bb82c3
SHA512 ece4d257463d2cb74db170937c378e5b4ebfe7466eadc4836a24bbe5654e0259938763d9f115bd90ed26b0519991892c84500f8a94aed34e4584315174febeac

C:\Windows\SysWOW64\Jiiicf32.exe

MD5 d0ee1df1ddd6daa4a4cb965cf03df7c7
SHA1 48346ff055e53f2e7b85a6f0493ba10350c16ec0
SHA256 33d42bfd5ee0bcdcc580f674f7f610eec40f3f8f75050171e28171a08a7ded8f
SHA512 d0552aa98562ed39307f58d659c8d623a8fbba7d232d467d6736d2285659fe7fa729833f8cfdb06d670474673e4d30f4ff28a02788a51a8044749666b9c01b5f

C:\Windows\SysWOW64\Jilfifme.exe

MD5 b1c7804ec19f3e342a3829566723affc
SHA1 cb52e03d62e35b3afca2395ec35caf0ba0e703d3
SHA256 797a841df350d83c50c262afc844451d55f415720c400ce6cee4eb4419c3cd33
SHA512 e6acc5b276d734bf6b03232744c38a728ff6fccb2bad7f9692ee1cf4871b1ec6714baf0cd36b0c2077e207c2d7ab380754653a85ec0387a28bc1453d5e14cb5b

C:\Windows\SysWOW64\Jedccfqg.exe

MD5 b20bfff782778a2fdf239f95da15bcd0
SHA1 c617f862d28454430ffbd4ea08eb0678c1c09604
SHA256 931f558b70d16fa9287e5c42c3f2a1f0dd37cfa0bc28b463c4644341d1f3c842
SHA512 eb8c4972a50b618c17874481faffc651488d27469afd8b86d9520e710bac539281f9c27b4572797b381b9c9b91a00a4b531c88570921879bd6a06edc9a864b6f

C:\Windows\SysWOW64\Jnlkedai.exe

MD5 7955a20082e802609890e59c63d0b47d
SHA1 d79d160a2c5466522faad6079af07bb40932c1a4
SHA256 c98b4d7ea1ce8b26b2ecb11bff79a72f3c0f9251a43e71decc9d49293363cdab
SHA512 4e69ffc25fcd117ba3a6d46c7e913004a5bd076bc2021194624dfa8986ca97133356bc1fc76e05dcb2cd7f02a8f2e3cea05ac5298d5ab5f31aae7a19b06bdaec

C:\Windows\SysWOW64\Kcidmkpq.exe

MD5 d84ebc1942677c1a6e7beda4225b5da4
SHA1 df496a0e0ee22de28c2c0d7c82ee80830acef2f6
SHA256 2fb99d4c7ce2c1eeb614335c6511d508d4c2447bf11fb21708edc594e05e2f1d
SHA512 d34097144ce269f1aa75408c077d91e9c6b53dce6e788b750ea0092f6da657e0a842112c9ff912624cf9f378561fea54138b01811a313ba1be387a0972e4f885

C:\Windows\SysWOW64\Koodbl32.exe

MD5 011c2aa348b556dbc83fc57c6da3ee43
SHA1 2ee77067775376f7d114199781ce5c7be0683292
SHA256 55b76dbd32873fdb18fec82457b86ad0af922a318f49906ffea065260cbfc37f
SHA512 21c3115c5f23eb3315974fca3bad0b62b874ce76126966e6f4f7c204e875bacb9f8bbdbbbcb478eed0a440a6441b33f717e77d600799ca70e66db8fdac30793e

C:\Windows\SysWOW64\Knqepc32.exe

MD5 6760a8ebd1ef67701f01dac3dd068434
SHA1 8cda1de718c3cb813a205f261252fc3e55f426df
SHA256 bb72a88612765df8c8496a41fc4bc5e5d095bca716e5062c83a5b0cbd1446df4
SHA512 7ac4d441ae903577ca56a188f1a6aacab5b20cb96a040c3b99177fddbf0c0f1f11804ee07fe1d8dcb641421d91ca37d65434af8dd203e7dd61a138c1978c15b9

C:\Windows\SysWOW64\Kncaec32.exe

MD5 1c7663de2df6a830389abe33125b1186
SHA1 8607bbc86a2d8267d28d3f712a0e705c8516029e
SHA256 7f0a83074e96edbe965cf02e9321678c5fede282585462831bc43263f975c869
SHA512 91604a4eed89d48b4cb4b2723e38708fa92c8eae410914ed922e48164d612bcfeec3e56b5b88531de0eccd22512ceaf192c2cc2e2e5100464eea32bcb10a6550

C:\Windows\SysWOW64\Kodnmkap.exe

MD5 a599a31b81c1dc967a256958f0780b80
SHA1 e77fcc9765495bfdeb8468c9472e314f31a735d3
SHA256 58bac8cce8bcc7fa0658c9fece22b76e542b5524578885b9b1a09663735b0b6a
SHA512 2f21c4e9c975bd43a4fba69533bbe2572735a45838b1550582dd7b8516b04a1f4ea62afa427331b5b9748a62bf6430168e9dd54c5cdbb92979653d743da8e2fd

C:\Windows\SysWOW64\Kofkbk32.exe

MD5 f30b23990beff91d37f6046db42a8098
SHA1 26f99a16f07c1ad48aaf67ae98c85792cceae865
SHA256 d1d5a9b8acb0fac323c285e79cea4fe5622423bb29fdb343440e519fb8c70a8c
SHA512 b18d9ee15db8adee00f3a51eb21acf5b3d18539c5cba8c102274718bee92edb494c8a623da5e3d54626e61d3f0fb9f4b933c62e04d2a1f3d422679799ec02ad7

C:\Windows\SysWOW64\Lcdciiec.exe

MD5 9b2f6aa278ce2147cd11ad8cf11428bb
SHA1 bbb4274857deeda3bfdf26e8030065b8fa3f1d5b
SHA256 1ea21de0765eacde432e5e9bf55f5c0909f1d0a58adbdb1b97a209809f3e6dc7
SHA512 ff5d2649b35d586ffebc6c870e238eabadc88134f3ce66a2a92529ec4eb5b0a12358ff3e158b6f4d50d022357dafbcaea8c49a578f6bd28f249e6c0939e94180

C:\Windows\SysWOW64\Lokdnjkg.exe

MD5 8bde243f4424b61480743423ec6add09
SHA1 dd87e424fee6e7d814f5779c92d0117e36865952
SHA256 cece7ffa132102d6c1b1edeeebb393665c7fc112c466743f6e5967caaa9170f3
SHA512 3543f16503c009eb5de51dc279e26a603f4291456e69130e6fc61f8992a7aa96eb51876926e30bb68177ba9468433bd84da8eff9219160bf1a868dc2762eb1c4

C:\Windows\SysWOW64\Ljeafb32.exe

MD5 edcfaa8348ec53a7aab729760ef39ed5
SHA1 3db5e40fc9c945e6eba4624fbe3e27db12efb87c
SHA256 33b97d69f5dc33b716916f680e08dacb69a1a193260e3b3384fbca33277b0d23
SHA512 32281da59c3b971a0977555fad1e81202ee9455d7ae1dbe9cfa094a66fc999e598ee46a215a1479a73e05d474afe00d6a769977d992814ee49dc8f212247403f

C:\Windows\SysWOW64\Mqafhl32.exe

MD5 37e61a67dc67de67d68cbeec9c256ccd
SHA1 fd83ebbefec0af3fcf6c96dbf3d45c3b857e6523
SHA256 5eb8f217ffd8dcea780ef142e4aee9f30fdb31561319345632ffea679bf9c33e
SHA512 706c8290c9b7aa2b5bfc1456dcd897bde22f0b42fdcee545d80e0b4e0758a78536529cc69bacdbc26a64ed9d0a9f7934e1f45307346d1016f68496c2e1d656c0

C:\Windows\SysWOW64\Mfnoqc32.exe

MD5 403f2a1c89248ea24eb6d9a786ee2ce9
SHA1 fc2316f5873141fc7715e3254cae929c1349183b
SHA256 5361234dfd28eeb7c75c3375c42719e07a9bc544fdd3d722f81b1f233db98045
SHA512 786fe37d024420cc913f0539ef9912d8e3e511483a4c0f83fa3d1ffaede663668339522eaef1818a83002d957ab33c1067e9282f990a4cb2c44edfb475d99823

C:\Windows\SysWOW64\Mnhdgpii.exe

MD5 aa0d1b97322565d57a0bb0334cd05113
SHA1 0b5fe34c7a739bf7e3bd7106d20420f8f758c136
SHA256 d4d0ece5aef9220e85432a1972ea465d9d5bff6736b34370a03b6214e40cd10e
SHA512 753841d7698fcc8d92181833496c8758d26b35f4b050fecc5738795a33575df26def76ae58b7dd7e7d75911b993213d315176abb80adb9ccc58b9eb2f39d45a0

C:\Windows\SysWOW64\Mgphpe32.exe

MD5 2fbe71ebf46b73ae26c12f30da6dc04b
SHA1 e414b5dbafb06c23795b172436f891899ba7c7a0
SHA256 bf81d148381936749ee5705d80a09988358f1e849690d3fce6fd2d4ddf7ef4b2
SHA512 35cc3651d672fd07b5263215ccf3e3bcdc3a4cf65642f5c78d187c40444dae81be9f80919da19b7f696ebd49f7e80e415556e163d60260e78707577d07575ace

C:\Windows\SysWOW64\Mjaabq32.exe

MD5 48a64c04c68c7a066efc90824ea62daf
SHA1 1c7da68199f1dc6f0dc85b893a57d4fb272ac3b7
SHA256 1f9b2b283907a58f62330fae148b3da12d6e6ae268350c699f00ef7e61dae8f3
SHA512 c61a1e63f4069a8d8694f77b6292cc87fdac3f5d6d6456ba8720a19cdbc66d86f79258b5d523b3f3d903648d972284ddc3ee10882fb65df69d4d900bbe98eef1

C:\Windows\SysWOW64\Monjjgkb.exe

MD5 c0711b19049778c1a9a0c230166efca8
SHA1 072fdfb18f91305db9b050cb1dc8e1f5a2ffe365
SHA256 3da9ca1f5b75de79eb56fc84e9b1fd1a4b8da3518434af2ec06756f90f407fcb
SHA512 b6e0c8d2ae1e5359d8b84814b3631d84c1b02e478165c1e14c868cc40fb5939c6ad74b4d72dd4fc2900a6e56acebfa175831922cf3ddcf40dadc8c19eb5eae99

C:\Windows\SysWOW64\Nggnadib.exe

MD5 6ae39d1634113c253f74c36d543bdf00
SHA1 7ad4b35a8fb476d64d0796981b06934dd7fc0ed2
SHA256 0128b069339e672fd31ae9d4eb9b2962b4873499d9ca2bb35654b59847573299
SHA512 3a444b0f237d9b30989541c95d01188b16bbf4308cb3941857d205e6100f1b10fdffb84fa635de63c9db66567be9d494c93dee8a02c78b880ca0aea6dc8810bc

C:\Windows\SysWOW64\Njjdho32.exe

MD5 84ea6ab76ae6a5cc9e3e691479c44f8f
SHA1 d50d3b6bf6fffeb90d4911f05b790700a15ef86f
SHA256 8653ca7cf995be7f6bb0c0bc84d26d18cab60fadac0dd67c8a11097d78907885
SHA512 7d66e63832fd1bcdf68c14ffb07ec3a652de42f3b466a0400805a718da1c0ef3243c193f4a2b8313703c4381252bf26fe64e74715f18652a137e0b7c904f6096

C:\Windows\SysWOW64\Npgmpf32.exe

MD5 4525bda016ab7c8d17eb86374b5e18fc
SHA1 db6c63fd88e529febf9063cfc24a8d50f0fc4624
SHA256 e802b6fd559469f2e7da333d1e696620e946782f6156c7debfaaed0a3e3cdb71
SHA512 65cbd665359d81b1be46a8307d7d8673ad8474253e55a725f9f196b6669a787b04803eb27baeb738d6e9d3dde0d7813cecb90fc6c68a869d87bb615d9c2f24f3

C:\Windows\SysWOW64\Ocgbld32.exe

MD5 7f3052e9667c46f63a781dcba671b748
SHA1 25bdfb09667e9a35793ada552bf0c2c258ac4f35
SHA256 caba698e86fe8ad07fa7a52038c0989f20bdee8aac789d754e08b9603254c278
SHA512 4cf012f328bcfeac2430e3b6dc9fee2a4315fa89e65aa88a5d52eb81761ac550dd299b33ede71688205b5887bd0a92bb4917d9dee3d3e98fcd1abf59e2c5de8e

C:\Windows\SysWOW64\Ocjoadei.exe

MD5 460b93b166467f865106b4cf60523075
SHA1 0d4f25d62fba4995d7715abfbd118578f258171f
SHA256 1eafed1e5baf2ba193939c5bb205e29a5919e44ff96fede280ea4f9749d3886f
SHA512 0a6eb20c8b5b10f32f9396057be6129d94519dd64fed2ccfa4eee52b0221ff126904a82be641cacecd838644b5d69f55f6b9852a0c3fbdf626de39c5b94d3f00

C:\Windows\SysWOW64\Oanokhdb.exe

MD5 30825575a74d0d50055ba9cd16f68b5d
SHA1 d7090eba255367ad8f8cf8e70e0c1402f5f543c3
SHA256 04fed4e05ee9c3d3bfa193a984898c7ba8e9118151957f756ea250b6eefa598a
SHA512 6e93e1d93c153db1ccd72d922abe2881185245c654df9bb2a7a7ea4dbde5360a37ce089ccf165c89ee9ace3b1e0a95d950da434bd05b75d93b90a836c12fb139

C:\Windows\SysWOW64\Oaplqh32.exe

MD5 4ded6ab91f4b88e88ae87d823d56e134
SHA1 376b99c8a42d1b645310a3504111f826c86151ae
SHA256 a236d49272478e314dd040a91deb39d0f810024a520bc6c6e718d7992e2eb52d
SHA512 952ab3d8734713790907a44e24cbd10ce06f543fc0e868cce18df3432f2a2ee83d5dd76c19088135ef9df3ffb4fa6be733bb56169cbd8c023fb0930eb267c1ab

C:\Windows\SysWOW64\Oabhfg32.exe

MD5 9a963189a75ceb0525fcfbfb555484f3
SHA1 07ac3d4f08bbaa12a7e612221db66cba4df801bc
SHA256 828843928b33efa2cb1567bb3e5bd289a7974b5c15179085d8b7054acb9bbe68
SHA512 b6044c23e531d721a31bfad802f97453cd8da4913ad8e9b9d8c8c1a17efbb63dee98473ee9ceecfc65a6bc9f88a391adcd9c5aba6e32fc9b87d303ba0ef7940a

C:\Windows\SysWOW64\Pfoann32.exe

MD5 5d4267d3fc06da60d4dd047200defc9f
SHA1 b6e67bee2d7ba73db2c1e7ff92d02d71ebd352c0
SHA256 8693fc9ca6e52156909bd7150d178f4ad88ac1c60f5f5e3ff2e90a88c0630bea
SHA512 1894882c364e2ef3d551045267c8d07ea3c4cd246d97534961165e4fa8e30768ce807b84dca8217e0514d527ce39797112910e4d7bdf726152eafbeccd7d37c6

C:\Windows\SysWOW64\Pnfiplog.exe

MD5 33aaa933cfbb74aaecc7bdd28cc5bf77
SHA1 15026d219a534800c7b0debdd332f170c7557b36
SHA256 a49312c0db4bef7445039602e7d3171c93176cc738f66a41150f96ee522de2a5
SHA512 dad166a190a6ed7cbba02b64b10780f7a068e63fadb07ce9af3a549b383c327eaf7f3ca0cdd752d98ea4e7176764158b3b14df7dafa3df31657a84eee40396be

C:\Windows\SysWOW64\Pfandnla.exe

MD5 86446206cf0821c601925ca3bc36a62d
SHA1 9d56784593056ae89dcf26d1ee618b94fbc6837d
SHA256 87d7d14e70ea92b204b509bcd07d1090557b87013dedd18660540786a9ea705d
SHA512 36c142cbcbc7ab93623b318ee4f00373b2b82785ba39774d08301749108768dabfbae8d831774329ec62275a0928bb12087b2f3901f4107d2e2a7c920aca44f5

C:\Windows\SysWOW64\Pagbaglh.exe

MD5 da3ea52775d801fb9413132c07b3e5ed
SHA1 1ea083f0c58e297aa9f2e657d43b3f64efae835e
SHA256 24d217417febcab09cedf99539c77e9713beb65469512627052fe4a656b7cf9a
SHA512 a5026b9dd89cb149f41581cdc9a6856717774bc6d1d5df1edd9416f3b07edad58497adb74e4debb823551aeb69cd408c26797ce699743556bce418a9ba000fd2

C:\Windows\SysWOW64\Paiogf32.exe

MD5 8c754732957bcd47a0723e46f5f262df
SHA1 accccdb1962ff6228d389599f6609bcc0baaea1b
SHA256 43c5cab6f712d9c3bd5a2c446358798a16652a3fe087138491439f44130e7098
SHA512 6dcb5e2d437e424ba69d3c2b303018b6769d913b4c35e6293276c8896e8f1425a7eb0484030abf3178f840edfdc60d1aa0b9f99cf730d346b43a21b2bd7d1939

C:\Windows\SysWOW64\Qfkqjmdg.exe

MD5 471e7bb4e06707775f036902caef47e8
SHA1 c69b2e1e25c3f218a72ea8b0f0c9950f3dc387a8
SHA256 bd0a1594b4a58591e1ee3f8ac4c181fdf9544f13c8911a97010a23397bae6765
SHA512 84fd319432c474b4dbb2572c75411643d2cf4d6278ebd7ac3b6f70d90259c9d8722633b7568568bde4eb63950773dad5bb50b5bedb011727f6c8a18a528d7e28

C:\Windows\SysWOW64\Qaqegecm.exe

MD5 827e69be52f7f0b32bde1f5487867270
SHA1 d4f32b3e7e79ba7dacd82cc244f776846db11cb9
SHA256 11952378cfb94101463e490798389816db510f06a84b0e361f8e52d5b038b27f
SHA512 65905a883c18fb451d923b9ee76f5f32fdbbbcc8448262b3d74042739a0d56cd20f75f1e66026c5e6a8a506d1619aa20e9fb81453b88e759d0b68193bde8168b

C:\Windows\SysWOW64\Qjiipk32.exe

MD5 4d8f5c9a00c918f4709a0f62ce14587c
SHA1 ef4e72f723b997dc5d41e8aaa642a8a80dcac39f
SHA256 b6229552b4f7bf9d909ff1aaa30bc72f1cd689ea357cbc40ab7c93d3a71b12b2
SHA512 389f5ec0b4e2f4681bbeba928a13a20a44710ef36cef576a694d404837b019c970401be1cda04d017e15d3f6d5cd6974236d9a518a7e3947118ea4db17109006

C:\Windows\SysWOW64\Aokkahlo.exe

MD5 3c66bbd569239fef1944165f37218bc4
SHA1 7e9b63ddf387a79f05b3f39f5311cf322c9d2224
SHA256 df0df8404a75b9ad740c17bee75a313d5bd449630f20edbc8ad112c172bf74dc
SHA512 8a4e4a3bd1c92c2ae32a7cbf490ed6ba658366d156e1360564540a4adb5be485e0732c45cc9d5945440bab81fc9f90928ba6e36d3173ff10500d629354fdfed6

C:\Windows\SysWOW64\Ahfmpnql.exe

MD5 c88d1ad90fc7dee76f6c35ffaba5fcb4
SHA1 f0977933ec2e625034b1d11dd1d4f0aef37d2872
SHA256 defe0621fd4a24986cc9157068f96febb12d07078b4c9f3640b3aa565a8ea4d6
SHA512 e0742149a6c2ef31e1f7936fe7afd6590dc8f7fdf6e8ab839a9ff9cfe42a9f7504d6902f4d97a6d6126a1f299bc5b2c9df81fded23270798d027735082529775

C:\Windows\SysWOW64\Apaadpng.exe

MD5 671c9af9ddf2b62039c230b4797e9a03
SHA1 7186c7e874511107b3ef4198a78cca9bdf2ec77b
SHA256 283b64ba46e00c0b926bc8146c941c05cc006eb7a576d7f2a6c60e3d2b4b9d19
SHA512 ca38cca5944c73888bb82f6522164720d6713d6cecf60795f0c1bd6e88ebfd59231b8f2d282f21926343a0a630f4a70bf0a51a77715423dea1487005158b9058

C:\Windows\SysWOW64\Bkgeainn.exe

MD5 7dc71fb6426e998dd43125b45885fe33
SHA1 dc1bc4ac6d9e7e8ebcf433847c7203b3fbcd2094
SHA256 fbd13b224a310f07aff1c6239fc9d44d7c369230d36767698f93e3086e8acd70
SHA512 f9a16497fc7f0200762d5e0d6d0ecb36182f47d39f50b875fa30043c9ee21f0948c631438888df2882687837fc57bfc10ce199b8141406b7e10aae2232f509b8

C:\Windows\SysWOW64\Bhkfkmmg.exe

MD5 0378fcdccc56d6c65ce3d9ec774ea78f
SHA1 ce561af4c16028ebd3dc4f6ff1fb5d8ff9455251
SHA256 5539e62d236831a3e24e2f500a2d13a7cabf1d195e7e9a6dffcce205d3d53fe8
SHA512 bd99d9bfbb99d163be9b80d962132ad5cfee15b9fb42047d76fbdb6c97f0a315d261cd1c7afa5eae06b7d76638c7eeae5ebe6dc7a2eb873c740314b38aa3cda7

C:\Windows\SysWOW64\Bacjdbch.exe

MD5 34957c420ce378fe2cd2f9ce01e23372
SHA1 8bebf81e9065b89af72d63efe65a29276b60c4d7
SHA256 5faee282dcfc62c3045f0dcf284d009d8150df830569eb8ceb1d1c5a771f2d75
SHA512 6e2618751a64f697b687ba7b1522693786d230c8ce498707760ab08a683761275b6b1697e5d09a7dbe3321277737b5c540f063415bc85dad22973a62ca616476

C:\Windows\SysWOW64\Bgpcliao.exe

MD5 6a1bb99c3a750f7301f766a6270d262b
SHA1 e9a68b7c6a6cf4032e664b3f39456b971610ef04
SHA256 f9d67897c60c786f9fe5a818e4b71ddb81536544d0990477a80b75be991475f9
SHA512 b7c6c649bb14c626bddee82b633193dd18dd40318fbe106979523a660d02b3160414007cbe15b504041b1c9a9f5b5a954fe77aa2371544d29a8125b084c79347

C:\Windows\SysWOW64\Bgbpaipl.exe

MD5 82e3b5f5db1b9a263a7a784ce79a26b7
SHA1 f8aed8c6c054685041d266649621bf3cb748d2ed
SHA256 797df795a2751c9af6f33b0e8a3619a9c758a12140674de3ad4349d7a869a610
SHA512 ddbbf771c0f8e58ba079c5aaf70fe3b74ecc70e5601c3a8a3d611e144a0f825f5f02873dc5f3dd92fa34c0dac189a5bc076a51283dd37a1ac590926e197b9137

C:\Windows\SysWOW64\Bgelgi32.exe

MD5 6b74b4bf4b2f3b3e925810d2af2aded1
SHA1 dd9589b656c882e8103c1a87a72a83e5795fbbcf
SHA256 c43d245e86fd2422c002b00b11835fe22e53e66c1a6472831b5c9daaab6d39aa
SHA512 ac6ce2db8f65a07ea743df2c885aa4d499e11b45c8167b284c61fd1964b94476c1d2711d26468c79286a156d8589635063f1aa4abb8d8ecf6b82b0ea3880fcd7

C:\Windows\SysWOW64\Bajqda32.exe

MD5 fc2dd8bd0e5018958997dd2fbe62ff03
SHA1 b9635807907cd20c9eb77308cccf1939cb9f152e
SHA256 fadc822f7b290a583761cb25d374b35d37e9be1cbb256d23bf174b927687286e
SHA512 2deca80906b7a40071a496948db78e2c746e65aa9734977b9f42b1e63cd744d748e923547bde2d4e4738d51890e8273da4ded8257ce329e33699c8678c5c2854

C:\Windows\SysWOW64\Cglbhhga.exe

MD5 a420cc0131f6ccb3113c55fb1f6c07bc
SHA1 73da64eb1c5e6534d196c285322cc77fd293917a
SHA256 dc0d4bc25a15e77acb3fba67223e95c19ca4f179d9ddad1d57ec50b75f82a565
SHA512 2edb713b5813d66e9be0e373b3709bdb2631a59ae0328c753e44e04b98883d79751b28f405acd069eb60af9d9091ded1c72aff7d5a4a5f5adaa59d698fff2c99

C:\Windows\SysWOW64\Caageq32.exe

MD5 eca002eb36a60a827a5116492e138e12
SHA1 b02b41017d6908c6ab7d7ba18431043ff82676ac
SHA256 b5565d5a121751676cefd61c7992e18252a2863408b1f46ed9c7a462f830bd43
SHA512 94b59e18660669158128753c2af12329296b332680a6c06c6b5fc16bd67bdd98683e4038541031202f31db92f0f923db84a33251281176cb006bc00fab293915

C:\Windows\SysWOW64\Cnhgjaml.exe

MD5 a90ad0bd13592e6c3743a5c52b76fb84
SHA1 508c78c5547e4b15b7aef564e5af3e52f0c6de56
SHA256 4b6ae9136e40297d665f03f5d2a97a32d50c6cb8c79c18ed6dd31d811f2fd9cc
SHA512 e2ff689d6d2db18f9f5b69732289ee1ff1b77393398e78c25e265a05c1822398fa7a31b8cae9f9106d4547c1b5c6f4d8598674bad9def45269ed2e1af9471dde

C:\Windows\SysWOW64\Cgqlcg32.exe

MD5 d9af94775a3423e95c68552b0601e665
SHA1 9e5d919a6d093b7995b41ea77afac17d4f35271c
SHA256 23cdfd5e7946d0450aea0ac69b187cca9854f17d8385ab15745925116f05e9ba
SHA512 dd9de2059fabf80f3aab58c9c0335a52a35cba225cfe656d877b7ba68c4e959f4fe01b6c4af20502347ec83afcda25c6258a0d2d00b32951c2a812fc29c48313

C:\Windows\SysWOW64\Dgcihgaj.exe

MD5 01ccfd6510d62e5fcf436dce964c2254
SHA1 b761111d2b12c0d64bacc50f23e1b66e641f9ab9
SHA256 d6e7ca1bfe5e8beed6ecc3c4a0fc7f301cc60cabf5d7eb4758c3d2d022038ead
SHA512 698c9a27f275a972ef226086b9b2af3788f101bc4b3eec219083ec920377484d367f04d0bd2c8ec348426cdd9e37520894ddd7ecea7ae1b56478681eee20863c

C:\Windows\SysWOW64\Dkqaoe32.exe

MD5 1ea34d3623a549600a47a541070ef392
SHA1 caf7f8a4edf028d6003230b871f19beb0c73f514
SHA256 1b22433f64000a1ef73da17194925edc22b6a104d5f3dd9b7a569b53cf8f37f3
SHA512 7f6a1d8c2f6ecb47bc7b91b91850577a6bb250f8721023553a443973a3322571bb4282eafa75559cbae3c46c829b87d1c18e600996d32fd704c6f30d396cb48b