Malware Analysis Report

2025-03-15 09:15

Sample ID 240916-tek25awfpj
Target Backdoor.Win32.Berbew.AA.MTB-fdee74bf2879f90c5e4b53760b77d82b4992eccd051de82237b9e28e7c93d1c3N
SHA256 fdee74bf2879f90c5e4b53760b77d82b4992eccd051de82237b9e28e7c93d1c3
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fdee74bf2879f90c5e4b53760b77d82b4992eccd051de82237b9e28e7c93d1c3

Threat Level: Known bad

The file Backdoor.Win32.Berbew.AA.MTB-fdee74bf2879f90c5e4b53760b77d82b4992eccd051de82237b9e28e7c93d1c3N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 15:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 15:58

Reported

2024-09-16 16:00

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjlmclqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgepom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Plmmif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnmoijje.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eicedn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngqagcag.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hienlpel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olanmgig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekmhejao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gojiiafp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnfpinmi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afpjel32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmdjapgb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdjbiheb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alelqb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bojomm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fbjena32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogekbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhhiemoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bafndi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdecgbfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Digehphc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Impliekg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpcapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lfeljd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcnfohmi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bogkmgba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coegoe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkhkjd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpfepf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lncjlq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnafno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ondljl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gdlfhj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Plpjoe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imnocf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cncnob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phodcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chqogq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fpggamqc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aonoao32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlglidlo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfeljd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oaifpi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gphphj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phigif32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eofgpikj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aojefobm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cohkokgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpelhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmmfmhll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmechmip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qoelkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcifkf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnhkbfme.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlmdbh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbbpmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgmjmjnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mccfdmmo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fligqhga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kegpifod.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmkmjjaa.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ejfeng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiieicml.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpbmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbajbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjhacf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flinkojm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbcfhibj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fimodc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmikeaap.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpggamqc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdccbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fipkjb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpjcgm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffclcgfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmndpq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fffhifdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpnmbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdjibj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gigaka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdlfhj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfkbde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmdjapgb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdobnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkhkjd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gljgbllj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbdoof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gingkqkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gphphj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggahedjn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gipdap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdehni32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdejd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hibafp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hplicjok.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckeoeno.exe N/A
N/A N/A C:\Windows\SysWOW64\Hienlpel.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmpjmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdjbiheb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hginecde.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmbfbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdmoohbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcpojd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiiggoaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmechmip.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpcodihc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcblpdgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkicaahi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ingpmmgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Iljpij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idahjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icdheded.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilmmni32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idcepgmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Icfekc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iknmla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inlihl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idfaefkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijcjmmil.exe N/A
N/A N/A C:\Windows\SysWOW64\Idhnkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijegcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idkkpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jncoikmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdmgfedl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cndepccb.dll C:\Windows\SysWOW64\Pmaffnce.exe N/A
File created C:\Windows\SysWOW64\Igfclkdj.exe C:\Windows\SysWOW64\Ioolkncg.exe N/A
File created C:\Windows\SysWOW64\Kdmpmdpj.dll C:\Windows\SysWOW64\Klahfp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mogcihaj.exe C:\Windows\SysWOW64\Mnegbp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogekbb32.exe C:\Windows\SysWOW64\Oakbehfe.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnfnlf32.exe C:\Windows\SysWOW64\Mjkblhfo.exe N/A
File created C:\Windows\SysWOW64\Lejgpb32.dll C:\Windows\SysWOW64\Gbalopbn.exe N/A
File created C:\Windows\SysWOW64\Nmbjcljl.exe C:\Windows\SysWOW64\Mfhbga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdjibj32.exe C:\Windows\SysWOW64\Gpnmbl32.exe N/A
File created C:\Windows\SysWOW64\Mfgomdnj.dll C:\Windows\SysWOW64\Aaenbd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Caojpaij.exe C:\Windows\SysWOW64\Cncnob32.exe N/A
File opened for modification C:\Windows\SysWOW64\Inlihl32.exe C:\Windows\SysWOW64\Iknmla32.exe N/A
File created C:\Windows\SysWOW64\Leabba32.dll C:\Windows\SysWOW64\Inlihl32.exe N/A
File created C:\Windows\SysWOW64\Mmbanbmg.exe C:\Windows\SysWOW64\Mjdebfnd.exe N/A
File created C:\Windows\SysWOW64\Idllbp32.dll C:\Windows\SysWOW64\Aeaanjkl.exe N/A
File created C:\Windows\SysWOW64\Fbelcblk.exe C:\Windows\SysWOW64\Flkdfh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nadleilm.exe C:\Windows\SysWOW64\Nnfpinmi.exe N/A
File created C:\Windows\SysWOW64\Bfpfngma.dll C:\Windows\SysWOW64\Gigaka32.exe N/A
File created C:\Windows\SysWOW64\Klbbcjfp.dll C:\Windows\SysWOW64\Okkdic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Efeihb32.exe C:\Windows\SysWOW64\Ennqfenp.exe N/A
File created C:\Windows\SysWOW64\Oclknk32.dll C:\Windows\SysWOW64\Fefedmil.exe N/A
File created C:\Windows\SysWOW64\Bfkegm32.dll C:\Windows\SysWOW64\Mkohaj32.exe N/A
File created C:\Windows\SysWOW64\Knenkbio.exe C:\Windows\SysWOW64\Kgkfnh32.exe N/A
File created C:\Windows\SysWOW64\Adhdjpjf.exe C:\Windows\SysWOW64\Amnlme32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkmkkjko.exe C:\Windows\SysWOW64\Mcecjmkl.exe N/A
File created C:\Windows\SysWOW64\Lcdciiec.exe C:\Windows\SysWOW64\Lpfgmnfp.exe N/A
File created C:\Windows\SysWOW64\Iinjhh32.exe C:\Windows\SysWOW64\Iebngial.exe N/A
File created C:\Windows\SysWOW64\Jinboekc.exe C:\Windows\SysWOW64\Jgpfbjlo.exe N/A
File created C:\Windows\SysWOW64\Npbceggm.exe C:\Windows\SysWOW64\Nnafno32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmeandma.exe C:\Windows\SysWOW64\Bkgeainn.exe N/A
File created C:\Windows\SysWOW64\Nhokljge.exe C:\Windows\SysWOW64\Nccokk32.exe N/A
File created C:\Windows\SysWOW64\Kjgeedch.exe C:\Windows\SysWOW64\Kcmmhj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cocacl32.exe C:\Windows\SysWOW64\Chiigadc.exe N/A
File created C:\Windows\SysWOW64\Doaneiop.exe C:\Windows\SysWOW64\Digehphc.exe N/A
File created C:\Windows\SysWOW64\Lippqp32.dll C:\Windows\SysWOW64\Fbgihaji.exe N/A
File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe C:\Windows\SysWOW64\Pdhkcb32.exe N/A
File created C:\Windows\SysWOW64\Chfegk32.exe C:\Windows\SysWOW64\Cponen32.exe N/A
File created C:\Windows\SysWOW64\Cncnob32.exe C:\Windows\SysWOW64\Ckebcg32.exe N/A
File created C:\Windows\SysWOW64\Pmmnjnld.dll C:\Windows\SysWOW64\Oeehkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibhkfm32.exe C:\Windows\SysWOW64\Ipjoja32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cofnik32.exe C:\Windows\SysWOW64\Chlflabp.exe N/A
File created C:\Windows\SysWOW64\Mlelal32.dll C:\Windows\SysWOW64\Ipjoja32.exe N/A
File created C:\Windows\SysWOW64\Lkeekk32.exe C:\Windows\SysWOW64\Lcnmin32.exe N/A
File created C:\Windows\SysWOW64\Nnfpinmi.exe C:\Windows\SysWOW64\Nfohgqlg.exe N/A
File created C:\Windows\SysWOW64\Ckebcg32.exe C:\Windows\SysWOW64\Chfegk32.exe N/A
File created C:\Windows\SysWOW64\Fqjmdflo.dll C:\Windows\SysWOW64\Lklbdm32.exe N/A
File created C:\Windows\SysWOW64\Nlhkgi32.exe C:\Windows\SysWOW64\Nenbjo32.exe N/A
File created C:\Windows\SysWOW64\Meepdp32.exe C:\Windows\SysWOW64\Mmnhcb32.exe N/A
File created C:\Windows\SysWOW64\Hfcnpn32.exe C:\Windows\SysWOW64\Holfoqcm.exe N/A
File created C:\Windows\SysWOW64\Oakbehfe.exe C:\Windows\SysWOW64\Ompfej32.exe N/A
File created C:\Windows\SysWOW64\Ojenek32.dll C:\Windows\SysWOW64\Opqofe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afpjel32.exe C:\Windows\SysWOW64\Ahmjjoig.exe N/A
File created C:\Windows\SysWOW64\Nlkfjqib.dll C:\Windows\SysWOW64\Nmlddqem.exe N/A
File created C:\Windows\SysWOW64\Nmnqjp32.exe C:\Windows\SysWOW64\Nlmdbh32.exe N/A
File created C:\Windows\SysWOW64\Efblbbqd.exe C:\Windows\SysWOW64\Ebgpad32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe C:\Windows\SysWOW64\Bhhiemoj.exe N/A
File created C:\Windows\SysWOW64\Bnlhncgi.exe C:\Windows\SysWOW64\Boihcf32.exe N/A
File created C:\Windows\SysWOW64\Lfojjf32.dll C:\Windows\SysWOW64\Jgnqgqan.exe N/A
File created C:\Windows\SysWOW64\Aefjii32.exe C:\Windows\SysWOW64\Anobgl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lncjlq32.exe C:\Windows\SysWOW64\Lflbkcll.exe N/A
File created C:\Windows\SysWOW64\Mhegobpi.dll C:\Windows\SysWOW64\Imnocf32.exe N/A
File created C:\Windows\SysWOW64\Lfojmmbg.dll C:\Windows\SysWOW64\Paelfmaf.exe N/A
File created C:\Windows\SysWOW64\Gcedencn.dll C:\Windows\SysWOW64\Qhmqdemc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckclhn32.exe C:\Windows\SysWOW64\Bheplb32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amnlme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkjnfkma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dndnpf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpelhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcbfcigf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poimpapp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdmkhgho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gmojkj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnmmboed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iefgbh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaenbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahaceo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chnlgjlb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmaopfjm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnhkbfme.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lflbkcll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Palklf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jqknkedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bemqih32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boihcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Megljppl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmennnni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adkqoohc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkeekk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oogpjbbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iipfmggc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgnlkfal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcnfohmi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kclgmq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdpjlb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iohejo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kngkqbgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqkqhm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adcjop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnfnlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oalipoiq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeokal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fneggdhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkpbin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcnmin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmgabcge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lpfgmnfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmpjmn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kqdaadln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gehbjm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmepam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gimqajgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koaagkcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnldla32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldgccb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnadagbm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnangaoa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cponen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljhefhha.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gmdcfidg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knenkbio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogekbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnfpinmi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gljgbllj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilmmni32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll" C:\Windows\SysWOW64\Boldhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldqfd32.dll" C:\Windows\SysWOW64\Ojdnid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aefjii32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iebngial.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpjljph.dll" C:\Windows\SysWOW64\Lfbped32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fimodc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qemhbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dngjff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll" C:\Windows\SysWOW64\Jgpfbjlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nfjola32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmkmjjaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Odoogi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiloco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lnoaaaad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ocohmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kjjiej32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gpelhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gifkpknp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmnqjp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcbdgb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akepfpcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" C:\Windows\SysWOW64\Cofnik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iohejo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lqkqhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll" C:\Windows\SysWOW64\Cdpcal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdbfab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ioolkncg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll" C:\Windows\SysWOW64\Boihcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phaahggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njhgbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll" C:\Windows\SysWOW64\Bhhiemoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bllbaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadmq32.dll" C:\Windows\SysWOW64\Oogpjbbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anmfbl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Imnocf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkgme32.dll" C:\Windows\SysWOW64\Oeokal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npiiffqe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgpcliao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmbanbmg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Blgifbil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll" C:\Windows\SysWOW64\Dmennnni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jocefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anobgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdlfhj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lnohlgep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjokgg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbelcblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnmmboed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmndpq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidalg32.dll" C:\Windows\SysWOW64\Doaneiop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqlhmf32.dll" C:\Windows\SysWOW64\Hlepcdoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfpcoefj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhpofl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" C:\Windows\SysWOW64\Phigif32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Meepdp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiahnnph.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flkdfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mqkiok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll" C:\Windows\SysWOW64\Mfhbga32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kqphfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Impliekg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll" C:\Windows\SysWOW64\Johnamkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akccap32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Ejfeng32.exe
PID 3416 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Ejfeng32.exe
PID 3416 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Ejfeng32.exe
PID 1504 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Ejfeng32.exe C:\Windows\SysWOW64\Eiieicml.exe
PID 1504 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Ejfeng32.exe C:\Windows\SysWOW64\Eiieicml.exe
PID 1504 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Ejfeng32.exe C:\Windows\SysWOW64\Eiieicml.exe
PID 4764 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Eiieicml.exe C:\Windows\SysWOW64\Fpbmfn32.exe
PID 4764 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Eiieicml.exe C:\Windows\SysWOW64\Fpbmfn32.exe
PID 4764 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Eiieicml.exe C:\Windows\SysWOW64\Fpbmfn32.exe
PID 3504 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Fpbmfn32.exe C:\Windows\SysWOW64\Fbajbi32.exe
PID 3504 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Fpbmfn32.exe C:\Windows\SysWOW64\Fbajbi32.exe
PID 3504 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Fpbmfn32.exe C:\Windows\SysWOW64\Fbajbi32.exe
PID 4964 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Fbajbi32.exe C:\Windows\SysWOW64\Fjhacf32.exe
PID 4964 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Fbajbi32.exe C:\Windows\SysWOW64\Fjhacf32.exe
PID 4964 wrote to memory of 4440 N/A C:\Windows\SysWOW64\Fbajbi32.exe C:\Windows\SysWOW64\Fjhacf32.exe
PID 4440 wrote to memory of 3364 N/A C:\Windows\SysWOW64\Fjhacf32.exe C:\Windows\SysWOW64\Flinkojm.exe
PID 4440 wrote to memory of 3364 N/A C:\Windows\SysWOW64\Fjhacf32.exe C:\Windows\SysWOW64\Flinkojm.exe
PID 4440 wrote to memory of 3364 N/A C:\Windows\SysWOW64\Fjhacf32.exe C:\Windows\SysWOW64\Flinkojm.exe
PID 3364 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Flinkojm.exe C:\Windows\SysWOW64\Fbcfhibj.exe
PID 3364 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Flinkojm.exe C:\Windows\SysWOW64\Fbcfhibj.exe
PID 3364 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Flinkojm.exe C:\Windows\SysWOW64\Fbcfhibj.exe
PID 4848 wrote to memory of 4524 N/A C:\Windows\SysWOW64\Fbcfhibj.exe C:\Windows\SysWOW64\Fimodc32.exe
PID 4848 wrote to memory of 4524 N/A C:\Windows\SysWOW64\Fbcfhibj.exe C:\Windows\SysWOW64\Fimodc32.exe
PID 4848 wrote to memory of 4524 N/A C:\Windows\SysWOW64\Fbcfhibj.exe C:\Windows\SysWOW64\Fimodc32.exe
PID 4524 wrote to memory of 3740 N/A C:\Windows\SysWOW64\Fimodc32.exe C:\Windows\SysWOW64\Fmikeaap.exe
PID 4524 wrote to memory of 3740 N/A C:\Windows\SysWOW64\Fimodc32.exe C:\Windows\SysWOW64\Fmikeaap.exe
PID 4524 wrote to memory of 3740 N/A C:\Windows\SysWOW64\Fimodc32.exe C:\Windows\SysWOW64\Fmikeaap.exe
PID 3740 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Fmikeaap.exe C:\Windows\SysWOW64\Fpggamqc.exe
PID 3740 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Fmikeaap.exe C:\Windows\SysWOW64\Fpggamqc.exe
PID 3740 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Fmikeaap.exe C:\Windows\SysWOW64\Fpggamqc.exe
PID 1548 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Fpggamqc.exe C:\Windows\SysWOW64\Fdccbl32.exe
PID 1548 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Fpggamqc.exe C:\Windows\SysWOW64\Fdccbl32.exe
PID 1548 wrote to memory of 1016 N/A C:\Windows\SysWOW64\Fpggamqc.exe C:\Windows\SysWOW64\Fdccbl32.exe
PID 1016 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Fdccbl32.exe C:\Windows\SysWOW64\Fipkjb32.exe
PID 1016 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Fdccbl32.exe C:\Windows\SysWOW64\Fipkjb32.exe
PID 1016 wrote to memory of 3436 N/A C:\Windows\SysWOW64\Fdccbl32.exe C:\Windows\SysWOW64\Fipkjb32.exe
PID 3436 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Fipkjb32.exe C:\Windows\SysWOW64\Fpjcgm32.exe
PID 3436 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Fipkjb32.exe C:\Windows\SysWOW64\Fpjcgm32.exe
PID 3436 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Fipkjb32.exe C:\Windows\SysWOW64\Fpjcgm32.exe
PID 2960 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Fpjcgm32.exe C:\Windows\SysWOW64\Ffclcgfn.exe
PID 2960 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Fpjcgm32.exe C:\Windows\SysWOW64\Ffclcgfn.exe
PID 2960 wrote to memory of 1472 N/A C:\Windows\SysWOW64\Fpjcgm32.exe C:\Windows\SysWOW64\Ffclcgfn.exe
PID 1472 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Ffclcgfn.exe C:\Windows\SysWOW64\Fmndpq32.exe
PID 1472 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Ffclcgfn.exe C:\Windows\SysWOW64\Fmndpq32.exe
PID 1472 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Ffclcgfn.exe C:\Windows\SysWOW64\Fmndpq32.exe
PID 4744 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Fmndpq32.exe C:\Windows\SysWOW64\Fffhifdk.exe
PID 4744 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Fmndpq32.exe C:\Windows\SysWOW64\Fffhifdk.exe
PID 4744 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Fmndpq32.exe C:\Windows\SysWOW64\Fffhifdk.exe
PID 5032 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Fffhifdk.exe C:\Windows\SysWOW64\Gpnmbl32.exe
PID 5032 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Fffhifdk.exe C:\Windows\SysWOW64\Gpnmbl32.exe
PID 5032 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Fffhifdk.exe C:\Windows\SysWOW64\Gpnmbl32.exe
PID 3480 wrote to memory of 4732 N/A C:\Windows\SysWOW64\Gpnmbl32.exe C:\Windows\SysWOW64\Gdjibj32.exe
PID 3480 wrote to memory of 4732 N/A C:\Windows\SysWOW64\Gpnmbl32.exe C:\Windows\SysWOW64\Gdjibj32.exe
PID 3480 wrote to memory of 4732 N/A C:\Windows\SysWOW64\Gpnmbl32.exe C:\Windows\SysWOW64\Gdjibj32.exe
PID 4732 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Gdjibj32.exe C:\Windows\SysWOW64\Gigaka32.exe
PID 4732 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Gdjibj32.exe C:\Windows\SysWOW64\Gigaka32.exe
PID 4732 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Gdjibj32.exe C:\Windows\SysWOW64\Gigaka32.exe
PID 2752 wrote to memory of 800 N/A C:\Windows\SysWOW64\Gigaka32.exe C:\Windows\SysWOW64\Gdlfhj32.exe
PID 2752 wrote to memory of 800 N/A C:\Windows\SysWOW64\Gigaka32.exe C:\Windows\SysWOW64\Gdlfhj32.exe
PID 2752 wrote to memory of 800 N/A C:\Windows\SysWOW64\Gigaka32.exe C:\Windows\SysWOW64\Gdlfhj32.exe
PID 800 wrote to memory of 1660 N/A C:\Windows\SysWOW64\Gdlfhj32.exe C:\Windows\SysWOW64\Gfkbde32.exe
PID 800 wrote to memory of 1660 N/A C:\Windows\SysWOW64\Gdlfhj32.exe C:\Windows\SysWOW64\Gfkbde32.exe
PID 800 wrote to memory of 1660 N/A C:\Windows\SysWOW64\Gdlfhj32.exe C:\Windows\SysWOW64\Gfkbde32.exe
PID 1660 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Gfkbde32.exe C:\Windows\SysWOW64\Gmdjapgb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Ejfeng32.exe

C:\Windows\system32\Ejfeng32.exe

C:\Windows\SysWOW64\Eiieicml.exe

C:\Windows\system32\Eiieicml.exe

C:\Windows\SysWOW64\Fpbmfn32.exe

C:\Windows\system32\Fpbmfn32.exe

C:\Windows\SysWOW64\Fbajbi32.exe

C:\Windows\system32\Fbajbi32.exe

C:\Windows\SysWOW64\Fjhacf32.exe

C:\Windows\system32\Fjhacf32.exe

C:\Windows\SysWOW64\Flinkojm.exe

C:\Windows\system32\Flinkojm.exe

C:\Windows\SysWOW64\Fbcfhibj.exe

C:\Windows\system32\Fbcfhibj.exe

C:\Windows\SysWOW64\Fimodc32.exe

C:\Windows\system32\Fimodc32.exe

C:\Windows\SysWOW64\Fmikeaap.exe

C:\Windows\system32\Fmikeaap.exe

C:\Windows\SysWOW64\Fpggamqc.exe

C:\Windows\system32\Fpggamqc.exe

C:\Windows\SysWOW64\Fdccbl32.exe

C:\Windows\system32\Fdccbl32.exe

C:\Windows\SysWOW64\Fipkjb32.exe

C:\Windows\system32\Fipkjb32.exe

C:\Windows\SysWOW64\Fpjcgm32.exe

C:\Windows\system32\Fpjcgm32.exe

C:\Windows\SysWOW64\Ffclcgfn.exe

C:\Windows\system32\Ffclcgfn.exe

C:\Windows\SysWOW64\Fmndpq32.exe

C:\Windows\system32\Fmndpq32.exe

C:\Windows\SysWOW64\Fffhifdk.exe

C:\Windows\system32\Fffhifdk.exe

C:\Windows\SysWOW64\Gpnmbl32.exe

C:\Windows\system32\Gpnmbl32.exe

C:\Windows\SysWOW64\Gdjibj32.exe

C:\Windows\system32\Gdjibj32.exe

C:\Windows\SysWOW64\Gigaka32.exe

C:\Windows\system32\Gigaka32.exe

C:\Windows\SysWOW64\Gdlfhj32.exe

C:\Windows\system32\Gdlfhj32.exe

C:\Windows\SysWOW64\Gfkbde32.exe

C:\Windows\system32\Gfkbde32.exe

C:\Windows\SysWOW64\Gmdjapgb.exe

C:\Windows\system32\Gmdjapgb.exe

C:\Windows\SysWOW64\Gdobnj32.exe

C:\Windows\system32\Gdobnj32.exe

C:\Windows\SysWOW64\Gkhkjd32.exe

C:\Windows\system32\Gkhkjd32.exe

C:\Windows\SysWOW64\Gljgbllj.exe

C:\Windows\system32\Gljgbllj.exe

C:\Windows\SysWOW64\Gbdoof32.exe

C:\Windows\system32\Gbdoof32.exe

C:\Windows\SysWOW64\Gingkqkd.exe

C:\Windows\system32\Gingkqkd.exe

C:\Windows\SysWOW64\Gphphj32.exe

C:\Windows\system32\Gphphj32.exe

C:\Windows\SysWOW64\Ggahedjn.exe

C:\Windows\system32\Ggahedjn.exe

C:\Windows\SysWOW64\Gipdap32.exe

C:\Windows\system32\Gipdap32.exe

C:\Windows\SysWOW64\Hdehni32.exe

C:\Windows\system32\Hdehni32.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hplicjok.exe

C:\Windows\system32\Hplicjok.exe

C:\Windows\SysWOW64\Hckeoeno.exe

C:\Windows\system32\Hckeoeno.exe

C:\Windows\SysWOW64\Hienlpel.exe

C:\Windows\system32\Hienlpel.exe

C:\Windows\SysWOW64\Hmpjmn32.exe

C:\Windows\system32\Hmpjmn32.exe

C:\Windows\SysWOW64\Hdjbiheb.exe

C:\Windows\system32\Hdjbiheb.exe

C:\Windows\SysWOW64\Hginecde.exe

C:\Windows\system32\Hginecde.exe

C:\Windows\SysWOW64\Hmbfbn32.exe

C:\Windows\system32\Hmbfbn32.exe

C:\Windows\SysWOW64\Hdmoohbo.exe

C:\Windows\system32\Hdmoohbo.exe

C:\Windows\SysWOW64\Hcpojd32.exe

C:\Windows\system32\Hcpojd32.exe

C:\Windows\SysWOW64\Hiiggoaf.exe

C:\Windows\system32\Hiiggoaf.exe

C:\Windows\SysWOW64\Hmechmip.exe

C:\Windows\system32\Hmechmip.exe

C:\Windows\SysWOW64\Hpcodihc.exe

C:\Windows\system32\Hpcodihc.exe

C:\Windows\SysWOW64\Hcblpdgg.exe

C:\Windows\system32\Hcblpdgg.exe

C:\Windows\SysWOW64\Hkicaahi.exe

C:\Windows\system32\Hkicaahi.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Iljpij32.exe

C:\Windows\system32\Iljpij32.exe

C:\Windows\SysWOW64\Idahjg32.exe

C:\Windows\system32\Idahjg32.exe

C:\Windows\SysWOW64\Icdheded.exe

C:\Windows\system32\Icdheded.exe

C:\Windows\SysWOW64\Ilmmni32.exe

C:\Windows\system32\Ilmmni32.exe

C:\Windows\SysWOW64\Idcepgmg.exe

C:\Windows\system32\Idcepgmg.exe

C:\Windows\SysWOW64\Icfekc32.exe

C:\Windows\system32\Icfekc32.exe

C:\Windows\SysWOW64\Iknmla32.exe

C:\Windows\system32\Iknmla32.exe

C:\Windows\SysWOW64\Inlihl32.exe

C:\Windows\system32\Inlihl32.exe

C:\Windows\SysWOW64\Idfaefkd.exe

C:\Windows\system32\Idfaefkd.exe

C:\Windows\SysWOW64\Ijcjmmil.exe

C:\Windows\system32\Ijcjmmil.exe

C:\Windows\SysWOW64\Idhnkf32.exe

C:\Windows\system32\Idhnkf32.exe

C:\Windows\SysWOW64\Ijegcm32.exe

C:\Windows\system32\Ijegcm32.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Ikdcmpnl.exe

C:\Windows\system32\Ikdcmpnl.exe

C:\Windows\SysWOW64\Jncoikmp.exe

C:\Windows\system32\Jncoikmp.exe

C:\Windows\SysWOW64\Jdmgfedl.exe

C:\Windows\system32\Jdmgfedl.exe

C:\Windows\SysWOW64\Jgkdbacp.exe

C:\Windows\system32\Jgkdbacp.exe

C:\Windows\SysWOW64\Jlhljhbg.exe

C:\Windows\system32\Jlhljhbg.exe

C:\Windows\SysWOW64\Jcbdgb32.exe

C:\Windows\system32\Jcbdgb32.exe

C:\Windows\SysWOW64\Jgnqgqan.exe

C:\Windows\system32\Jgnqgqan.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jpfepf32.exe

C:\Windows\system32\Jpfepf32.exe

C:\Windows\SysWOW64\Jcdala32.exe

C:\Windows\system32\Jcdala32.exe

C:\Windows\SysWOW64\Jjoiil32.exe

C:\Windows\system32\Jjoiil32.exe

C:\Windows\SysWOW64\Jlmfeg32.exe

C:\Windows\system32\Jlmfeg32.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jknfcofa.exe

C:\Windows\system32\Jknfcofa.exe

C:\Windows\SysWOW64\Jnlbojee.exe

C:\Windows\system32\Jnlbojee.exe

C:\Windows\SysWOW64\Jqknkedi.exe

C:\Windows\system32\Jqknkedi.exe

C:\Windows\SysWOW64\Jgeghp32.exe

C:\Windows\system32\Jgeghp32.exe

C:\Windows\SysWOW64\Kkpbin32.exe

C:\Windows\system32\Kkpbin32.exe

C:\Windows\SysWOW64\Kmaopfjm.exe

C:\Windows\system32\Kmaopfjm.exe

C:\Windows\SysWOW64\Kclgmq32.exe

C:\Windows\system32\Kclgmq32.exe

C:\Windows\SysWOW64\Kjepjkhf.exe

C:\Windows\system32\Kjepjkhf.exe

C:\Windows\SysWOW64\Knalji32.exe

C:\Windows\system32\Knalji32.exe

C:\Windows\SysWOW64\Kqphfe32.exe

C:\Windows\system32\Kqphfe32.exe

C:\Windows\SysWOW64\Kkeldnpi.exe

C:\Windows\system32\Kkeldnpi.exe

C:\Windows\SysWOW64\Kmfhkf32.exe

C:\Windows\system32\Kmfhkf32.exe

C:\Windows\SysWOW64\Kglmio32.exe

C:\Windows\system32\Kglmio32.exe

C:\Windows\SysWOW64\Kjjiej32.exe

C:\Windows\system32\Kjjiej32.exe

C:\Windows\SysWOW64\Kqdaadln.exe

C:\Windows\system32\Kqdaadln.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Kkjeomld.exe

C:\Windows\system32\Kkjeomld.exe

C:\Windows\SysWOW64\Knhakh32.exe

C:\Windows\system32\Knhakh32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Kdbjhbbd.exe

C:\Windows\system32\Kdbjhbbd.exe

C:\Windows\SysWOW64\Lklbdm32.exe

C:\Windows\system32\Lklbdm32.exe

C:\Windows\SysWOW64\Ljobpiql.exe

C:\Windows\system32\Ljobpiql.exe

C:\Windows\SysWOW64\Lmmolepp.exe

C:\Windows\system32\Lmmolepp.exe

C:\Windows\SysWOW64\Lddgmbpb.exe

C:\Windows\system32\Lddgmbpb.exe

C:\Windows\SysWOW64\Lgccinoe.exe

C:\Windows\system32\Lgccinoe.exe

C:\Windows\SysWOW64\Ljaoeini.exe

C:\Windows\system32\Ljaoeini.exe

C:\Windows\SysWOW64\Lmpkadnm.exe

C:\Windows\system32\Lmpkadnm.exe

C:\Windows\SysWOW64\Ldgccb32.exe

C:\Windows\system32\Ldgccb32.exe

C:\Windows\SysWOW64\Lgepom32.exe

C:\Windows\system32\Lgepom32.exe

C:\Windows\SysWOW64\Ljclki32.exe

C:\Windows\system32\Ljclki32.exe

C:\Windows\SysWOW64\Lnohlgep.exe

C:\Windows\system32\Lnohlgep.exe

C:\Windows\SysWOW64\Lqndhcdc.exe

C:\Windows\system32\Lqndhcdc.exe

C:\Windows\SysWOW64\Lclpdncg.exe

C:\Windows\system32\Lclpdncg.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lnadagbm.exe

C:\Windows\system32\Lnadagbm.exe

C:\Windows\SysWOW64\Lqpamb32.exe

C:\Windows\system32\Lqpamb32.exe

C:\Windows\SysWOW64\Lcnmin32.exe

C:\Windows\system32\Lcnmin32.exe

C:\Windows\SysWOW64\Lkeekk32.exe

C:\Windows\system32\Lkeekk32.exe

C:\Windows\SysWOW64\Ljhefhha.exe

C:\Windows\system32\Ljhefhha.exe

C:\Windows\SysWOW64\Lmgabcge.exe

C:\Windows\system32\Lmgabcge.exe

C:\Windows\SysWOW64\Mglfplgk.exe

C:\Windows\system32\Mglfplgk.exe

C:\Windows\SysWOW64\Mjkblhfo.exe

C:\Windows\system32\Mjkblhfo.exe

C:\Windows\SysWOW64\Mnfnlf32.exe

C:\Windows\system32\Mnfnlf32.exe

C:\Windows\SysWOW64\Mccfdmmo.exe

C:\Windows\system32\Mccfdmmo.exe

C:\Windows\SysWOW64\Mkjnfkma.exe

C:\Windows\system32\Mkjnfkma.exe

C:\Windows\SysWOW64\Mnhkbfme.exe

C:\Windows\system32\Mnhkbfme.exe

C:\Windows\SysWOW64\Maggnali.exe

C:\Windows\system32\Maggnali.exe

C:\Windows\SysWOW64\Mcecjmkl.exe

C:\Windows\system32\Mcecjmkl.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mjokgg32.exe

C:\Windows\system32\Mjokgg32.exe

C:\Windows\SysWOW64\Mmnhcb32.exe

C:\Windows\system32\Mmnhcb32.exe

C:\Windows\SysWOW64\Meepdp32.exe

C:\Windows\system32\Meepdp32.exe

C:\Windows\SysWOW64\Mkohaj32.exe

C:\Windows\system32\Mkohaj32.exe

C:\Windows\SysWOW64\Mnmdme32.exe

C:\Windows\system32\Mnmdme32.exe

C:\Windows\SysWOW64\Mmpdhboj.exe

C:\Windows\system32\Mmpdhboj.exe

C:\Windows\SysWOW64\Megljppl.exe

C:\Windows\system32\Megljppl.exe

C:\Windows\SysWOW64\Mkadfj32.exe

C:\Windows\system32\Mkadfj32.exe

C:\Windows\SysWOW64\Mjdebfnd.exe

C:\Windows\system32\Mjdebfnd.exe

C:\Windows\SysWOW64\Mmbanbmg.exe

C:\Windows\system32\Mmbanbmg.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Napjdpcn.exe

C:\Windows\system32\Napjdpcn.exe

C:\Windows\SysWOW64\Ncofplba.exe

C:\Windows\system32\Ncofplba.exe

C:\Windows\SysWOW64\Nlfnaicd.exe

C:\Windows\system32\Nlfnaicd.exe

C:\Windows\SysWOW64\Nndjndbh.exe

C:\Windows\system32\Nndjndbh.exe

C:\Windows\SysWOW64\Nabfjpak.exe

C:\Windows\system32\Nabfjpak.exe

C:\Windows\SysWOW64\Nenbjo32.exe

C:\Windows\system32\Nenbjo32.exe

C:\Windows\SysWOW64\Nlhkgi32.exe

C:\Windows\system32\Nlhkgi32.exe

C:\Windows\SysWOW64\Nnfgcd32.exe

C:\Windows\system32\Nnfgcd32.exe

C:\Windows\SysWOW64\Nmigoagp.exe

C:\Windows\system32\Nmigoagp.exe

C:\Windows\SysWOW64\Nccokk32.exe

C:\Windows\system32\Nccokk32.exe

C:\Windows\SysWOW64\Nhokljge.exe

C:\Windows\system32\Nhokljge.exe

C:\Windows\SysWOW64\Njmhhefi.exe

C:\Windows\system32\Njmhhefi.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Nagpeo32.exe

C:\Windows\system32\Nagpeo32.exe

C:\Windows\SysWOW64\Ndflak32.exe

C:\Windows\system32\Ndflak32.exe

C:\Windows\SysWOW64\Nlmdbh32.exe

C:\Windows\system32\Nlmdbh32.exe

C:\Windows\SysWOW64\Nmnqjp32.exe

C:\Windows\system32\Nmnqjp32.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Ohcegi32.exe

C:\Windows\system32\Ohcegi32.exe

C:\Windows\SysWOW64\Ojbacd32.exe

C:\Windows\system32\Ojbacd32.exe

C:\Windows\SysWOW64\Onnmdcjm.exe

C:\Windows\system32\Onnmdcjm.exe

C:\Windows\SysWOW64\Oalipoiq.exe

C:\Windows\system32\Oalipoiq.exe

C:\Windows\SysWOW64\Oeheqm32.exe

C:\Windows\system32\Oeheqm32.exe

C:\Windows\SysWOW64\Ohfami32.exe

C:\Windows\system32\Ohfami32.exe

C:\Windows\SysWOW64\Olanmgig.exe

C:\Windows\system32\Olanmgig.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Oobfob32.exe

C:\Windows\system32\Oobfob32.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Oodcdb32.exe

C:\Windows\system32\Oodcdb32.exe

C:\Windows\SysWOW64\Oeokal32.exe

C:\Windows\system32\Oeokal32.exe

C:\Windows\SysWOW64\Odalmibl.exe

C:\Windows\system32\Odalmibl.exe

C:\Windows\SysWOW64\Okkdic32.exe

C:\Windows\system32\Okkdic32.exe

C:\Windows\SysWOW64\Oogpjbbb.exe

C:\Windows\system32\Oogpjbbb.exe

C:\Windows\SysWOW64\Paelfmaf.exe

C:\Windows\system32\Paelfmaf.exe

C:\Windows\SysWOW64\Phodcg32.exe

C:\Windows\system32\Phodcg32.exe

C:\Windows\SysWOW64\Plkpcfal.exe

C:\Windows\system32\Plkpcfal.exe

C:\Windows\SysWOW64\Poimpapp.exe

C:\Windows\system32\Poimpapp.exe

C:\Windows\SysWOW64\Pecellgl.exe

C:\Windows\system32\Pecellgl.exe

C:\Windows\SysWOW64\Phaahggp.exe

C:\Windows\system32\Phaahggp.exe

C:\Windows\SysWOW64\Plmmif32.exe

C:\Windows\system32\Plmmif32.exe

C:\Windows\SysWOW64\Pmoiqneg.exe

C:\Windows\system32\Pmoiqneg.exe

C:\Windows\SysWOW64\Pefabkej.exe

C:\Windows\system32\Pefabkej.exe

C:\Windows\SysWOW64\Pdhbmh32.exe

C:\Windows\system32\Pdhbmh32.exe

C:\Windows\SysWOW64\Plpjoe32.exe

C:\Windows\system32\Plpjoe32.exe

C:\Windows\SysWOW64\Pkbjjbda.exe

C:\Windows\system32\Pkbjjbda.exe

C:\Windows\SysWOW64\Pmaffnce.exe

C:\Windows\system32\Pmaffnce.exe

C:\Windows\SysWOW64\Pehngkcg.exe

C:\Windows\system32\Pehngkcg.exe

C:\Windows\SysWOW64\Plbfdekd.exe

C:\Windows\system32\Plbfdekd.exe

C:\Windows\SysWOW64\Pmcclm32.exe

C:\Windows\system32\Pmcclm32.exe

C:\Windows\SysWOW64\Pdmkhgho.exe

C:\Windows\system32\Pdmkhgho.exe

C:\Windows\SysWOW64\Phigif32.exe

C:\Windows\system32\Phigif32.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qmepam32.exe

C:\Windows\system32\Qmepam32.exe

C:\Windows\SysWOW64\Qemhbj32.exe

C:\Windows\system32\Qemhbj32.exe

C:\Windows\SysWOW64\Qdphngfl.exe

C:\Windows\system32\Qdphngfl.exe

C:\Windows\SysWOW64\Qkipkani.exe

C:\Windows\system32\Qkipkani.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qeodhjmo.exe

C:\Windows\system32\Qeodhjmo.exe

C:\Windows\SysWOW64\Qhmqdemc.exe

C:\Windows\system32\Qhmqdemc.exe

C:\Windows\SysWOW64\Qlimed32.exe

C:\Windows\system32\Qlimed32.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Aogiap32.exe

C:\Windows\system32\Aogiap32.exe

C:\Windows\SysWOW64\Aeaanjkl.exe

C:\Windows\system32\Aeaanjkl.exe

C:\Windows\SysWOW64\Addaif32.exe

C:\Windows\system32\Addaif32.exe

C:\Windows\SysWOW64\Aknifq32.exe

C:\Windows\system32\Aknifq32.exe

C:\Windows\SysWOW64\Aojefobm.exe

C:\Windows\system32\Aojefobm.exe

C:\Windows\SysWOW64\Anmfbl32.exe

C:\Windows\system32\Anmfbl32.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Ahbjoe32.exe

C:\Windows\system32\Ahbjoe32.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Anobgl32.exe

C:\Windows\system32\Anobgl32.exe

C:\Windows\SysWOW64\Aefjii32.exe

C:\Windows\system32\Aefjii32.exe

C:\Windows\SysWOW64\Ahdged32.exe

C:\Windows\system32\Ahdged32.exe

C:\Windows\SysWOW64\Akccap32.exe

C:\Windows\system32\Akccap32.exe

C:\Windows\SysWOW64\Aonoao32.exe

C:\Windows\system32\Aonoao32.exe

C:\Windows\SysWOW64\Aamknj32.exe

C:\Windows\system32\Aamknj32.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Akepfpcl.exe

C:\Windows\system32\Akepfpcl.exe

C:\Windows\SysWOW64\Anclbkbp.exe

C:\Windows\system32\Anclbkbp.exe

C:\Windows\SysWOW64\Aaohcj32.exe

C:\Windows\system32\Aaohcj32.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Bochmn32.exe

C:\Windows\system32\Bochmn32.exe

C:\Windows\SysWOW64\Bemqih32.exe

C:\Windows\system32\Bemqih32.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Blgifbil.exe

C:\Windows\system32\Blgifbil.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Badanigc.exe

C:\Windows\system32\Badanigc.exe

C:\Windows\SysWOW64\Bepmoh32.exe

C:\Windows\system32\Bepmoh32.exe

C:\Windows\SysWOW64\Bhnikc32.exe

C:\Windows\system32\Bhnikc32.exe

C:\Windows\SysWOW64\Bafndi32.exe

C:\Windows\system32\Bafndi32.exe

C:\Windows\SysWOW64\Bddjpd32.exe

C:\Windows\system32\Bddjpd32.exe

C:\Windows\SysWOW64\Bllbaa32.exe

C:\Windows\system32\Bllbaa32.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bnmoijje.exe

C:\Windows\system32\Bnmoijje.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Bhbcfbjk.exe

C:\Windows\system32\Bhbcfbjk.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Bnoknihb.exe

C:\Windows\system32\Bnoknihb.exe

C:\Windows\SysWOW64\Bakgoh32.exe

C:\Windows\system32\Bakgoh32.exe

C:\Windows\SysWOW64\Bheplb32.exe

C:\Windows\system32\Bheplb32.exe

C:\Windows\SysWOW64\Ckclhn32.exe

C:\Windows\system32\Ckclhn32.exe

C:\Windows\SysWOW64\Camddhoi.exe

C:\Windows\system32\Camddhoi.exe

C:\Windows\SysWOW64\Cdlqqcnl.exe

C:\Windows\system32\Cdlqqcnl.exe

C:\Windows\SysWOW64\Chglab32.exe

C:\Windows\system32\Chglab32.exe

C:\Windows\SysWOW64\Ckeimm32.exe

C:\Windows\system32\Ckeimm32.exe

C:\Windows\SysWOW64\Cbpajgmf.exe

C:\Windows\system32\Cbpajgmf.exe

C:\Windows\SysWOW64\Cdnmfclj.exe

C:\Windows\system32\Cdnmfclj.exe

C:\Windows\SysWOW64\Chiigadc.exe

C:\Windows\system32\Chiigadc.exe

C:\Windows\SysWOW64\Cocacl32.exe

C:\Windows\system32\Cocacl32.exe

C:\Windows\SysWOW64\Cnfaohbj.exe

C:\Windows\system32\Cnfaohbj.exe

C:\Windows\SysWOW64\Cdpjlb32.exe

C:\Windows\system32\Cdpjlb32.exe

C:\Windows\SysWOW64\Chlflabp.exe

C:\Windows\system32\Chlflabp.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Cnindhpg.exe

C:\Windows\system32\Cnindhpg.exe

C:\Windows\SysWOW64\Cfpffeaj.exe

C:\Windows\system32\Cfpffeaj.exe

C:\Windows\SysWOW64\Cdbfab32.exe

C:\Windows\system32\Cdbfab32.exe

C:\Windows\SysWOW64\Cljobphg.exe

C:\Windows\system32\Cljobphg.exe

C:\Windows\SysWOW64\Cohkokgj.exe

C:\Windows\system32\Cohkokgj.exe

C:\Windows\SysWOW64\Cbfgkffn.exe

C:\Windows\system32\Cbfgkffn.exe

C:\Windows\SysWOW64\Cdecgbfa.exe

C:\Windows\system32\Cdecgbfa.exe

C:\Windows\SysWOW64\Chqogq32.exe

C:\Windows\system32\Chqogq32.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dnmhpg32.exe

C:\Windows\system32\Dnmhpg32.exe

C:\Windows\SysWOW64\Dbicpfdk.exe

C:\Windows\system32\Dbicpfdk.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Dkahilkl.exe

C:\Windows\system32\Dkahilkl.exe

C:\Windows\SysWOW64\Dnpdegjp.exe

C:\Windows\system32\Dnpdegjp.exe

C:\Windows\SysWOW64\Dfglfdkb.exe

C:\Windows\system32\Dfglfdkb.exe

C:\Windows\SysWOW64\Dheibpje.exe

C:\Windows\system32\Dheibpje.exe

C:\Windows\SysWOW64\Dmadco32.exe

C:\Windows\system32\Dmadco32.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Dbnmke32.exe

C:\Windows\system32\Dbnmke32.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Doaneiop.exe

C:\Windows\system32\Doaneiop.exe

C:\Windows\SysWOW64\Dndnpf32.exe

C:\Windows\system32\Dndnpf32.exe

C:\Windows\SysWOW64\Dflfac32.exe

C:\Windows\system32\Dflfac32.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Dmennnni.exe

C:\Windows\system32\Dmennnni.exe

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Eiloco32.exe

C:\Windows\system32\Eiloco32.exe

C:\Windows\SysWOW64\Ekkkoj32.exe

C:\Windows\system32\Ekkkoj32.exe

C:\Windows\SysWOW64\Eofgpikj.exe

C:\Windows\system32\Eofgpikj.exe

C:\Windows\SysWOW64\Efpomccg.exe

C:\Windows\system32\Efpomccg.exe

C:\Windows\SysWOW64\Eiokinbk.exe

C:\Windows\system32\Eiokinbk.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Ekmhejao.exe

C:\Windows\system32\Ekmhejao.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Efblbbqd.exe

C:\Windows\system32\Efblbbqd.exe

C:\Windows\SysWOW64\Eiahnnph.exe

C:\Windows\system32\Eiahnnph.exe

C:\Windows\SysWOW64\Ekodjiol.exe

C:\Windows\system32\Ekodjiol.exe

C:\Windows\SysWOW64\Ennqfenp.exe

C:\Windows\system32\Ennqfenp.exe

C:\Windows\SysWOW64\Efeihb32.exe

C:\Windows\system32\Efeihb32.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Ekaapi32.exe

C:\Windows\system32\Ekaapi32.exe

C:\Windows\SysWOW64\Enpmld32.exe

C:\Windows\system32\Enpmld32.exe

C:\Windows\SysWOW64\Eblimcdf.exe

C:\Windows\system32\Eblimcdf.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Emanjldl.exe

C:\Windows\system32\Emanjldl.exe

C:\Windows\SysWOW64\Eppjfgcp.exe

C:\Windows\system32\Eppjfgcp.exe

C:\Windows\SysWOW64\Ebnfbcbc.exe

C:\Windows\system32\Ebnfbcbc.exe

C:\Windows\SysWOW64\Fihnomjp.exe

C:\Windows\system32\Fihnomjp.exe

C:\Windows\SysWOW64\Fmcjpl32.exe

C:\Windows\system32\Fmcjpl32.exe

C:\Windows\SysWOW64\Fneggdhg.exe

C:\Windows\system32\Fneggdhg.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fflohaij.exe

C:\Windows\system32\Fflohaij.exe

C:\Windows\SysWOW64\Fmfgek32.exe

C:\Windows\system32\Fmfgek32.exe

C:\Windows\SysWOW64\Fligqhga.exe

C:\Windows\system32\Fligqhga.exe

C:\Windows\SysWOW64\Fbbpmb32.exe

C:\Windows\system32\Fbbpmb32.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fmhdkknd.exe

C:\Windows\system32\Fmhdkknd.exe

C:\Windows\SysWOW64\Flkdfh32.exe

C:\Windows\system32\Flkdfh32.exe

C:\Windows\SysWOW64\Fbelcblk.exe

C:\Windows\system32\Fbelcblk.exe

C:\Windows\SysWOW64\Fechomko.exe

C:\Windows\system32\Fechomko.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Flmqlg32.exe

C:\Windows\system32\Flmqlg32.exe

C:\Windows\SysWOW64\Fnlmhc32.exe

C:\Windows\system32\Fnlmhc32.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Flpmagqi.exe

C:\Windows\system32\Flpmagqi.exe

C:\Windows\SysWOW64\Fbjena32.exe

C:\Windows\system32\Fbjena32.exe

C:\Windows\SysWOW64\Gehbjm32.exe

C:\Windows\system32\Gehbjm32.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gblbca32.exe

C:\Windows\system32\Gblbca32.exe

C:\Windows\SysWOW64\Gifkpknp.exe

C:\Windows\system32\Gifkpknp.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gppcmeem.exe

C:\Windows\system32\Gppcmeem.exe

C:\Windows\SysWOW64\Gbnoiqdq.exe

C:\Windows\system32\Gbnoiqdq.exe

C:\Windows\SysWOW64\Gihgfk32.exe

C:\Windows\system32\Gihgfk32.exe

C:\Windows\SysWOW64\Gmdcfidg.exe

C:\Windows\system32\Gmdcfidg.exe

C:\Windows\SysWOW64\Gnepna32.exe

C:\Windows\system32\Gnepna32.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Geohklaa.exe

C:\Windows\system32\Geohklaa.exe

C:\Windows\SysWOW64\Gikdkj32.exe

C:\Windows\system32\Gikdkj32.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Geaepk32.exe

C:\Windows\system32\Geaepk32.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Hfaajnfb.exe

C:\Windows\system32\Hfaajnfb.exe

C:\Windows\SysWOW64\Hmkigh32.exe

C:\Windows\system32\Hmkigh32.exe

C:\Windows\SysWOW64\Hpiecd32.exe

C:\Windows\system32\Hpiecd32.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hmmfmhll.exe

C:\Windows\system32\Hmmfmhll.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hoobdp32.exe

C:\Windows\system32\Hoobdp32.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hehkajig.exe

C:\Windows\system32\Hehkajig.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hlbcnd32.exe

C:\Windows\system32\Hlbcnd32.exe

C:\Windows\SysWOW64\Hpnoncim.exe

C:\Windows\system32\Hpnoncim.exe

C:\Windows\SysWOW64\Hfhgkmpj.exe

C:\Windows\system32\Hfhgkmpj.exe

C:\Windows\SysWOW64\Hfhgkmpj.exe

C:\Windows\system32\Hfhgkmpj.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hlepcdoa.exe

C:\Windows\system32\Hlepcdoa.exe

C:\Windows\SysWOW64\Hfjdqmng.exe

C:\Windows\system32\Hfjdqmng.exe

C:\Windows\SysWOW64\Hlglidlo.exe

C:\Windows\system32\Hlglidlo.exe

C:\Windows\SysWOW64\Iikmbh32.exe

C:\Windows\system32\Iikmbh32.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Ipeeobbe.exe

C:\Windows\system32\Ipeeobbe.exe

C:\Windows\SysWOW64\Iohejo32.exe

C:\Windows\system32\Iohejo32.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Ipgbdbqb.exe

C:\Windows\system32\Ipgbdbqb.exe

C:\Windows\SysWOW64\Iojbpo32.exe

C:\Windows\system32\Iojbpo32.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Iipfmggc.exe

C:\Windows\system32\Iipfmggc.exe

C:\Windows\SysWOW64\Ipjoja32.exe

C:\Windows\system32\Ipjoja32.exe

C:\Windows\SysWOW64\Ibhkfm32.exe

C:\Windows\system32\Ibhkfm32.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Ioolkncg.exe

C:\Windows\system32\Ioolkncg.exe

C:\Windows\SysWOW64\Igfclkdj.exe

C:\Windows\system32\Igfclkdj.exe

C:\Windows\SysWOW64\Ieidhh32.exe

C:\Windows\system32\Ieidhh32.exe

C:\Windows\SysWOW64\Impliekg.exe

C:\Windows\system32\Impliekg.exe

C:\Windows\SysWOW64\Jcmdaljn.exe

C:\Windows\system32\Jcmdaljn.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\system32\Jmbhoeid.exe

C:\Windows\SysWOW64\Jocefm32.exe

C:\Windows\system32\Jocefm32.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jmeede32.exe

C:\Windows\system32\Jmeede32.exe

C:\Windows\SysWOW64\Jpcapp32.exe

C:\Windows\system32\Jpcapp32.exe

C:\Windows\SysWOW64\Jgmjmjnb.exe

C:\Windows\system32\Jgmjmjnb.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jpenfp32.exe

C:\Windows\system32\Jpenfp32.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jinboekc.exe

C:\Windows\system32\Jinboekc.exe

C:\Windows\SysWOW64\Jniood32.exe

C:\Windows\system32\Jniood32.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jedccfqg.exe

C:\Windows\system32\Jedccfqg.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Kcidmkpq.exe

C:\Windows\system32\Kcidmkpq.exe

C:\Windows\SysWOW64\Kgdpni32.exe

C:\Windows\system32\Kgdpni32.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Klahfp32.exe

C:\Windows\system32\Klahfp32.exe

C:\Windows\SysWOW64\Knqepc32.exe

C:\Windows\system32\Knqepc32.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Kcmmhj32.exe

C:\Windows\system32\Kcmmhj32.exe

C:\Windows\SysWOW64\Kjgeedch.exe

C:\Windows\system32\Kjgeedch.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kodnmkap.exe

C:\Windows\system32\Kodnmkap.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Knenkbio.exe

C:\Windows\system32\Knenkbio.exe

C:\Windows\SysWOW64\Kpcjgnhb.exe

C:\Windows\system32\Kpcjgnhb.exe

C:\Windows\SysWOW64\Kcbfcigf.exe

C:\Windows\system32\Kcbfcigf.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lcdciiec.exe

C:\Windows\system32\Lcdciiec.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Lnjgfb32.exe

C:\Windows\system32\Lnjgfb32.exe

C:\Windows\SysWOW64\Lqhdbm32.exe

C:\Windows\system32\Lqhdbm32.exe

C:\Windows\SysWOW64\Lcgpni32.exe

C:\Windows\system32\Lcgpni32.exe

C:\Windows\SysWOW64\Lfeljd32.exe

C:\Windows\system32\Lfeljd32.exe

C:\Windows\SysWOW64\Lnldla32.exe

C:\Windows\system32\Lnldla32.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Lcimdh32.exe

C:\Windows\system32\Lcimdh32.exe

C:\Windows\SysWOW64\Lfgipd32.exe

C:\Windows\system32\Lfgipd32.exe

C:\Windows\SysWOW64\Lnoaaaad.exe

C:\Windows\system32\Lnoaaaad.exe

C:\Windows\SysWOW64\Lqmmmmph.exe

C:\Windows\system32\Lqmmmmph.exe

C:\Windows\SysWOW64\Lckiihok.exe

C:\Windows\system32\Lckiihok.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Lqojclne.exe

C:\Windows\system32\Lqojclne.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Lflbkcll.exe

C:\Windows\system32\Lflbkcll.exe

C:\Windows\SysWOW64\Lncjlq32.exe

C:\Windows\system32\Lncjlq32.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mgnlkfal.exe

C:\Windows\system32\Mgnlkfal.exe

C:\Windows\SysWOW64\Mfqlfb32.exe

C:\Windows\system32\Mfqlfb32.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mqfpckhm.exe

C:\Windows\system32\Mqfpckhm.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mqimikfj.exe

C:\Windows\system32\Mqimikfj.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Mcifkf32.exe

C:\Windows\system32\Mcifkf32.exe

C:\Windows\SysWOW64\Mfhbga32.exe

C:\Windows\system32\Mfhbga32.exe

C:\Windows\SysWOW64\Nmbjcljl.exe

C:\Windows\system32\Nmbjcljl.exe

C:\Windows\SysWOW64\Nclbpf32.exe

C:\Windows\system32\Nclbpf32.exe

C:\Windows\SysWOW64\Nfjola32.exe

C:\Windows\system32\Nfjola32.exe

C:\Windows\SysWOW64\Nnafno32.exe

C:\Windows\system32\Nnafno32.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ncnofeof.exe

C:\Windows\system32\Ncnofeof.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nncccnol.exe

C:\Windows\system32\Nncccnol.exe

C:\Windows\SysWOW64\Ncqlkemc.exe

C:\Windows\system32\Ncqlkemc.exe

C:\Windows\SysWOW64\Nfohgqlg.exe

C:\Windows\system32\Nfohgqlg.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Nadleilm.exe

C:\Windows\system32\Nadleilm.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Njmqnobn.exe

C:\Windows\system32\Njmqnobn.exe

C:\Windows\SysWOW64\Nmkmjjaa.exe

C:\Windows\system32\Nmkmjjaa.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Ojomcopk.exe

C:\Windows\system32\Ojomcopk.exe

C:\Windows\SysWOW64\Oaifpi32.exe

C:\Windows\system32\Oaifpi32.exe

C:\Windows\SysWOW64\Ocgbld32.exe

C:\Windows\system32\Ocgbld32.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Ojajin32.exe

C:\Windows\system32\Ojajin32.exe

C:\Windows\SysWOW64\Ompfej32.exe

C:\Windows\system32\Ompfej32.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Opqofe32.exe

C:\Windows\system32\Opqofe32.exe

C:\Windows\SysWOW64\Oghghb32.exe

C:\Windows\system32\Oghghb32.exe

C:\Windows\SysWOW64\Ojfcdnjc.exe

C:\Windows\system32\Ojfcdnjc.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Ondljl32.exe

C:\Windows\system32\Ondljl32.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Ocaebc32.exe

C:\Windows\system32\Ocaebc32.exe

C:\Windows\SysWOW64\Ohlqcagj.exe

C:\Windows\system32\Ohlqcagj.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pnfiplog.exe

C:\Windows\system32\Pnfiplog.exe

C:\Windows\SysWOW64\Pmiikh32.exe

C:\Windows\system32\Pmiikh32.exe

C:\Windows\SysWOW64\Ppgegd32.exe

C:\Windows\system32\Ppgegd32.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pmlfqh32.exe

C:\Windows\system32\Pmlfqh32.exe

C:\Windows\SysWOW64\Ppjbmc32.exe

C:\Windows\system32\Ppjbmc32.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pfdjinjo.exe

C:\Windows\system32\Pfdjinjo.exe

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Pnmopk32.exe

C:\Windows\system32\Pnmopk32.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qhjmdp32.exe

C:\Windows\system32\Qhjmdp32.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Afpjel32.exe

C:\Windows\system32\Afpjel32.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aaenbd32.exe

C:\Windows\system32\Aaenbd32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Apjkcadp.exe

C:\Windows\system32\Apjkcadp.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Akpoaj32.exe

C:\Windows\system32\Akpoaj32.exe

C:\Windows\SysWOW64\Amnlme32.exe

C:\Windows\system32\Amnlme32.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Aonhghjl.exe

C:\Windows\system32\Aonhghjl.exe

C:\Windows\SysWOW64\Adkqoohc.exe

C:\Windows\system32\Adkqoohc.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Aopemh32.exe

C:\Windows\system32\Aopemh32.exe

C:\Windows\SysWOW64\Apaadpng.exe

C:\Windows\system32\Apaadpng.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Bmhocd32.exe

C:\Windows\system32\Bmhocd32.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bhpofl32.exe

C:\Windows\system32\Bhpofl32.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Bnoddcef.exe

C:\Windows\system32\Bnoddcef.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Conanfli.exe

C:\Windows\system32\Conanfli.exe

C:\Windows\SysWOW64\Cponen32.exe

C:\Windows\system32\Cponen32.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Cocjiehd.exe

C:\Windows\system32\Cocjiehd.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Cgnomg32.exe

C:\Windows\system32\Cgnomg32.exe

C:\Windows\SysWOW64\Coegoe32.exe

C:\Windows\system32\Coegoe32.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dpiplm32.exe

C:\Windows\system32\Dpiplm32.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dkndie32.exe

C:\Windows\system32\Dkndie32.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\system32\Dhbebj32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 13204 -ip 13204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13204 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3416-0-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3416-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Ejfeng32.exe

MD5 fe2f856dcf7ca4b94717dc865b8935e5
SHA1 f9a808666df36eca002f683ef7a12e0cdf6a771d
SHA256 4e8826f43657a4b8e9febc6bfd7b6c0a0cbb2cdcbeb10895ad30c202b686e616
SHA512 ead70569513e775f8b2bd8725a0849de0a459f50add82f310b68a8b25b59829d27f380490f1f7a1a562d7c792fe99cffbb11c06e8478560c0b325c45b4fac17a

memory/1504-13-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eiieicml.exe

MD5 7b4a547e79839e16c213e1deeb6141dc
SHA1 0d75abe32e56c6da60f4668bf49ae2c8968e053b
SHA256 61df3bb8f6d78d9b7adf31eaf7cd517d15a2cae44c5790683dfcf2ca0a0934f0
SHA512 7672471977ecb406b617cc533473258dc4ae1f01ae3f63e4180eb6183a26f9c4352ab3d0524de14d08fd16e709577cc39754c02529101d74a6289c3162926cd4

memory/4764-17-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fpbmfn32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Fpbmfn32.exe

MD5 9a9108918852cdb58d28f8de14b1c402
SHA1 2890a5c14c5f5a9f666df6e3326ee1ca127c4f6a
SHA256 aa9f9dc96139d89aa38d3738bb3c6af3e4a950c8dfe246deafe6975797356f89
SHA512 7cee536bd1c70646b503f32109481610a49a0f529b7c0f836801e3b928fcc439a28a16117763ebfc26bc6df81bc9de584ae38efdce417303dd4374e8a63ffdd1

memory/3504-25-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fbajbi32.exe

MD5 b84011a8ba04269316f1a150c019db70
SHA1 a7d38c927408c03381d94f75b815a59244d07f4c
SHA256 4c78f0f72d4fc2904cfad04891d7272b4af5cdaaa013c4c087a86b39e1f66296
SHA512 2f114e10b99d8a768021682e92deb4da0f7ca74f2bbd8b64011b88679e399617f7b4f146c509576c3ac1304707bf2fd00eca682602482f54ad928c0e6fa371c8

memory/4964-33-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fjhacf32.exe

MD5 37b0c8439f999cf47059495c034f741a
SHA1 af7743fff68c1d99178ff0f4d01cf8e27836c667
SHA256 e4798e2717fd4d3f2727118fef316eef9b922511f36bd4f39e92d65c9c7ee4df
SHA512 8d050648afd5ed07cb6151b3807fab388078db3cfa868eb564642496d7360027f71a0d70f13afda23a7ac40f58cc282de3977b4e67b276f2ce90e4be1030f123

memory/4440-40-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Flinkojm.exe

MD5 e0dc33cbd4e9512caac5667041402f2f
SHA1 713d531bfefe4bce634abd5ac2c9542b48ccd8c3
SHA256 37bca188fd27a24ed23da35824b79c6ad6666ce18156816b8647d2a95a28bd37
SHA512 f0241d028c27edee608552b02d26115ee2edb4d6db58b5b2218082d1d43833bae4edc8c105b2383bd95986f42f86d7935472c4e89cf2d9007ea2a1b7dd9e8544

memory/3364-48-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fbcfhibj.exe

MD5 c5ddbb6c2c67a30b81ba0ec5c23014cc
SHA1 d3b64243552eb0f329feaef6b68156807b7e4475
SHA256 661b23dffa4228287515e67d5696165bb94677e01430b0423b7958994458eb8d
SHA512 9134bffb86c60a52dc11fe415993d0d24e6490a9465a865464e7c6ef77fa359219da9452114fe7982ac3bd1593894a1aa08687ace2ed00d88873e12ef98f2698

memory/4848-56-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fimodc32.exe

MD5 81cfa381d60a71cb83354221ee6d3770
SHA1 c6942bfba3a3a394e83ac55d8aad9dcccc88a590
SHA256 b9fc9287a5468ec4c826e85682d70fb7e71fcdcf51b4fcf0efe03efd91192edf
SHA512 d6730b3889842c3f9474b4e7165fa2ed9c21b3f41b5657ebd2e15a379140617f5d9af11ec9f41943ccd73b3f1e2311daa721e7b4a47f18fd0742d95e707f8d16

memory/4524-65-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fmikeaap.exe

MD5 2b5ca9dfeecbed24f2c1f500a8b9b60a
SHA1 22fd2303bde0c65c036eeea0de282322bfcbc40d
SHA256 67cb9d8045a8d888471254093ab5b55d978d1a6d2c0032e8ed9d41a633c580a1
SHA512 5ff21b7123670553e50b201cc96240fab5f40a9436ed79692a23b583c7d00df53174f9845b3d058e0fda9fb74089106fa562b2129d538f9a3fb81dda11c67927

memory/3740-73-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fpggamqc.exe

MD5 478d68fbd7381b1be6e4debd21079455
SHA1 5e86e1ad8ff7decf77633eeea24e17a5d9bdd313
SHA256 a8edf79167d1b57f0b55f18299c4c3c60b850604f45d82270243f27538e68315
SHA512 079a0428de6f13458ef8ddfe77d906ce536fa049a25fe33dead04aa5ebd04809d160b9f71a55517bd5ede1a09472662a602b5a4ae23d7fd1f0d59a46c4df2cb6

memory/1548-81-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fdccbl32.exe

MD5 9dcf8e0799f784211881b62ef737cb60
SHA1 141f2077a204ffe6605c6d6b84c43a7cf9d45050
SHA256 811c30d8e6b4131d011047bf7b7153ba4d14aeb854b048f73b2af0757fde5c4c
SHA512 ce951bf9aad0719f97b4c5d7fccdccf0d7b7ffc8276b417b17218898e48529f02b0e11088525a367182c70f0e073812cff285c31fec1149eb841d45c0c160142

memory/1016-89-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fipkjb32.exe

MD5 2d215cd16a04bac10303afd19f80ee37
SHA1 77eef8c0329a58f36057ae8cce3444759efd6eb7
SHA256 78bfa0d8508c0788cd858996a7579444fe4672ca3dfcf0448fb078be689eec9d
SHA512 e16f69217b380b77d8c9afe5ad4ab1f03031efd0be9873d11e80b4cd8b6b7f53ec3fc650f89f5fc5efd2d0b25c1a6f71e05817052a936a37f1f674d7f367c2a8

memory/3436-96-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fpjcgm32.exe

MD5 b02fa427e0d0c4d5aa181d3e06ba7670
SHA1 8f2528faa7b282015d139279e367efd500f323c5
SHA256 ba4f54632996f89448e3a9215885b1984dc611435a75266f6616d6c433c4fe28
SHA512 545e705b2cc54969c7f2abef18fd4caf4637f64eb13e826728ae19f4efc2f5364e2b85f026cc7dbdb6353d69dc4096d5b3e4cfe7774869acbed3afb765808299

memory/2960-104-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ffclcgfn.exe

MD5 ff06431449e5a649465d4f0797bcebf2
SHA1 edcef48eb6acd834890baebb25f5fca8322b0bca
SHA256 b41d01dce0fd1ef298fac1503c6a4db980fcfbbc8e31308231857bde927d2fa1
SHA512 25c1bc806ce4c4dbd876042df88621fb094f762ee9016a91cc32b089c4c1202bd422971648f55851ed4b6b180472f0fcdb8af76ae85cfe3d5d477747ff2bfee5

memory/1472-112-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fmndpq32.exe

MD5 9cfc4e282ac1a5448f5c432e8116502b
SHA1 87acfb705330240d64d6f0b132c1b8ef52c55c33
SHA256 72d3a5438938131ecf45965610ca16873dcdb6672ef3f1627d2dd8eca1153342
SHA512 ecd7f53c4322795fd903441397666a9861c97cfa6c8f9a92afe11d8815f6ec2030c2e61ede247bdc9c1183a8739cfdc6d4772c0cc35e1bbe092953ab6d8edf03

memory/4744-120-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5032-128-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Fffhifdk.exe

MD5 8df7ca933b268f2cd8ce92370d91e658
SHA1 bb308998b3dda365dc5a34a3df63546fa83b33a2
SHA256 ec95ee9dbc6de845ac9254f2510c3c226b6b00d97e3df03a873da7e937ed8b8a
SHA512 c138fe6620dc57253d2c70ae2ffd891e4b00769df109885c98e4d14926791e149b2e9477a7b5d4532e63b9dec0f5449fa2ae9df0caf7c29f3e3bf60adfd2d544

C:\Windows\SysWOW64\Gpnmbl32.exe

MD5 95f43a0ca260d2c72475d5e3407fd336
SHA1 ee61b7e62bb37277942b8c6f28d4a8d7962e1056
SHA256 12fac2b02491141a42c1daaf3fc72c29c41070220192f845c60d998f5e2b1421
SHA512 daa0898f197a0b7c3f13153eb9125802ecc8800507430aa6159f8567ae1605615616fd44837de8cf486ca0f49b9cb45afc2fb211cce56f4f0fa790130c574a41

memory/3480-141-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gdjibj32.exe

MD5 8dd359d7a283ec3233ab63b18e559ac1
SHA1 9d8e251abedecd60608d3ab453f7f284c2669bb1
SHA256 fb9168635c212b39d4dae70584a89d3ab5fbf61c6dae6bf7e93d50ba25ec048a
SHA512 47b7a124367bfbdfb2d432c394213f7c0b9f347d99cb6adfacb1bafba58939e50d2d09589fb6223cadbc925ef915344b99ef34368343b6b3a1f49305c122dc36

memory/4732-145-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gigaka32.exe

MD5 ab778d484cf3f985244990e79d0bad33
SHA1 da1327e3590c3d7f57047ff24e23b0d3db515cc6
SHA256 03bb7358895574d42d0625e5c40b314e6832a0687e22dfdca337756c388de113
SHA512 e04862bc2d8af581f1e3415400ff08bce6611ec933ef40b44895a1a13a364482b8209d0b86eb44c67d40b1369a179e069b438655b4e1354a994e46a5475209e2

memory/2752-152-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gdlfhj32.exe

MD5 2ca2bbfd889c5db1b435b899f81a69ed
SHA1 683c0c64216e1d524c4fb7c5ba8d1d99f7e1ea73
SHA256 6bbe901bf9dfab0af763326f7d8bd0c349bc748c1af34967b15b9e57f8e95833
SHA512 68cb8d2d0c92fb038bceac2f9c3dadb7792707d0ab593056d8261014073759b6714da89800d957effbba80ce68e2eb8bcf58e8c2661b1e39ee1d855ac1bea742

memory/800-160-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gfkbde32.exe

MD5 b0a01d46f41dfd7148e68cc051415828
SHA1 3c9762c396438114b288538659761b8af2414174
SHA256 f3c70ec7e81e7d45d3a07c6ec6764753a8b7995b5be08fa5251b842e7f4a0487
SHA512 cd120b390a657749ab90256abc6fd50a1c3b1a19b144deeea550044f388161e28b09558d7cbadcabb72dcf1df895f7a27a4c7231be92bd079c1a3e0f2006de4b

memory/1660-168-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gmdjapgb.exe

MD5 58cf7474a931fc6be545e30034b72ff3
SHA1 20eab89ee93289785d5b79529f61ffc765230cc4
SHA256 422c31257254265c86057b17094213978c5f6d8e9942b786051a1c6debe889e1
SHA512 34e1131087f1b17f1253a7c5331ae9dc8e3183cb1d884a35ee94f014c5b3206afc6ca01e66503c7b5043a9738d232bd1f0d9ffe9eb85e32535805dbdc83b5f07

memory/4912-176-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gdobnj32.exe

MD5 4c4ba9ff1b56b29c7c641e2685764669
SHA1 e4c56e45216985117787558905b1183428d05a1b
SHA256 f270303d35351636dfea87442cb823a0f5acf0c4b9e8343b8fa0c1afc2f724f0
SHA512 aa44dfd3699afa55862ce7c808f4ef1dd7fc0c431844038314143bc8353e0857d4a49636486aa1b8afbb1f6e56d195a973e2ca5c193e9bd303adadf9f603638d

memory/4768-184-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gkhkjd32.exe

MD5 6afe5987ac0dc8249e258c8a0e6d645f
SHA1 43332fb233bbebe29be7359d465d6921cf99f6eb
SHA256 0c5c822886670f14ba6642e231ae8f634a5ca16a968f586d9f97f1d306728b77
SHA512 679c31c1c4ad1bfddd34171d780df6732118708bd02b077d341afa8a97707d2da7037a144f3293401966769f6f2d06b7790b1cb39d26b467ddaa0ee25567ade3

memory/4312-192-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gljgbllj.exe

MD5 9b9d7f3c683cdcd30c8eb01532948f8b
SHA1 2330eaf2c8e37389b2a1b1fd7bd06cabf53f66e6
SHA256 4926144c68da94c1b3d6c525c4d6c8283daff20e0f86b334f85bbf38999b2832
SHA512 ae3539da929461872699e96f0cf061f3f5f42d93cc1eb27ebf780240c1b85b8ef62a0d5ecdf1b947b6a86661e178ba61c0a787baced531f27ab5a1aa664937af

memory/1436-200-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gbdoof32.exe

MD5 e4ac39cfb52983ab42149160f3a8fdcb
SHA1 8ffd2e7b131cd839c96d55c567e13d32880814ab
SHA256 14f8f6e8ab3b67c243b8f2db445a35f3e0cf0ccc1eda455fb293faebec974107
SHA512 078f4fb742301f8ddb26b8e55ffde1e1f35f060f10044925b36b74f1a07628690eb7004d866dcb689e8856c8a68dc1282fe89ad4028cd29b78647c4323d3fe29

memory/512-208-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gingkqkd.exe

MD5 716320a6f42d3b8fe10f247babf67d74
SHA1 49605e6b964ff9c9a9cf984fe4ecf16af0b8af0d
SHA256 fcff5b80bac92eb43d7bde3e2f089348b97bf51d3f7664c7f01513081cff0756
SHA512 b6a990782a320b0520911fdef3c41c4a9aa05f2e006924903c2ee69b8aeba91a00ad2c7ddbdd470ac44fb5c481c77d6baf0455548700e111b7b35fc19b01afa6

memory/3956-216-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gphphj32.exe

MD5 dca66e2088f41fec7b9c610cb70f7af1
SHA1 c47eff2648f699a97448adc41a4d5ce10e84d7c8
SHA256 974cebe887bffdcc20d703cdfddcc3a1d6f12ec63ec8a8986f3ea0ca4f3d8cd6
SHA512 b52dc0c6c28381963deef3a4bdd1ab3c31a2a06a0e9cc64c3c980d7fa7b47f739043f8ed4d0cf646361064e256e36aecd64ec635b55d6cf16ff0a1588c212523

memory/368-224-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ggahedjn.exe

MD5 69252e2bec41ed9ea20a8ee3066bf212
SHA1 b06af349999425f471a9c126f2926fd041836a39
SHA256 7b03c5388e9a9adbc09a6455a7c6dc00ace05914bc0fa72377d34e97685794e2
SHA512 1ec9160016e6069a26973bed196570ba2cddd622265ed55228c7e5726b8d3c67b0ed017c57ed68e5731bd8aff5be2d2895f05ba84b471e7f7c85f69e425f00df

memory/3500-232-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Gipdap32.exe

MD5 cd6ca98970cf76d980f6c1443150b021
SHA1 d7b3dd3242b5ab0d0f8661359dff732d0581512d
SHA256 a765786e1c412b4bdf00479f72474459f7315fa216ccf72fb6b52e16eb8580de
SHA512 594b8c1e177f34d8450badd6f93d313e7367b6b1bd496fb706f7bc4f27c96f2e21a086f39c7ce3f44832830d7adcc183fbdeb48486e921671d58da85ca7d6dea

memory/2336-241-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hdehni32.exe

MD5 fe6e10c080dd3818625ed8282e762c14
SHA1 aca03945a6694fbed9eea7ce1a520d6ede892cea
SHA256 52b1886dd2522e79269f9ae9f7c44700e1724fa14dfa55814b6b91a5ec10882a
SHA512 2a9aca1221546e992b9f47bcc09bb94d1fb3a5864d1da2bc5edf73f1ca2f905fec1a2f643f26c4f848bb25311d5457cecfb7b2b085b153c19b72a00b2193bb96

memory/2692-248-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hgdejd32.exe

MD5 bd44e11f1c2dade0e75ad912b3e74f5d
SHA1 6c8be656550f1dcf803acab2a41339994d6490f5
SHA256 78e58da70454ff210b6c424e88a58f44a100fad713c735d97e3382a63ea81dab
SHA512 8a5286397bcbff1b6b68c07dd1c02252fa9295d54718846a317c66b2fcc75c6c95a50a0f78aacf9ffe23667b0c10e2fdd48e96760461ecabd8b50a27b96ad55d

memory/2384-257-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3300-263-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hplicjok.exe

MD5 7b305d79f7c7db3591bc7c34434fd7b8
SHA1 4d6ea15b6d75c43e555622fcc65b4a3b4eec5c4e
SHA256 c92dc7a58bb0532876de8a66f436e53eb4c718e1aae3e0d3f7bd49ed6d757f9b
SHA512 8bc9d82b18e8857fbff543415e4b8779425f7c684c3da75b9218d0032f0440109b4786bd58c1951a4a4fa3a1f2ffba7b1850d81688bf336c8206617aedf1adf7

memory/4832-269-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5024-275-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hienlpel.exe

MD5 95f0d162e85e9b53e828081644d7353a
SHA1 83f5f4da9de8d7e8de6b81133729215d27d239b0
SHA256 5be1d805c0f1c7806d3d1634f68659f9ad93d1a65e09ffaf4986df8dca7c7d33
SHA512 32a93c13b5ed3b8334ac4143971efb12ceebf5ca5b403cd83b7be28bb081f3b447e79d70e1abfa06502b9849c67550d2d4effd73d61d0071cb0789c9f4fe9901

memory/2132-281-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2236-287-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hdjbiheb.exe

MD5 a87b57a45fdf80c7e008b60344c979ba
SHA1 d0d7a6f01338b27b2fea9966f64add8d5c4ff102
SHA256 65dba1c43c87c0a964dfe32012c3896a755d327cba432233003510faca3acd04
SHA512 4326f2697609b325f088a56e8c7d09cdb72064d2c0a8ab32a0312368ecaad855b3ffa32292b4be79bffcc346b22fdacf6bb9f410f442e5bd64bfb66298d5d960

memory/1144-293-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3608-299-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hmbfbn32.exe

MD5 b866d9d3d2483c071c2d4b9c822d3e30
SHA1 83eb51aa9cc929b69ab6f0dc7b8305273f811054
SHA256 95cb0cab71e820351a5890c0601e6e419ffa16a87f7e859870afdbbf98e0dfed
SHA512 54e350689e02df6a6e1c846100fb03f2bc3caf1f581b1580595575a12be2acfc87d6c2987f40deac6ff3b7e13b94333cc0dd1fb9ccb4eab3a7a6d46f9f504056

memory/4872-305-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3456-311-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1976-317-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Hiiggoaf.exe

MD5 ed5b39307ee486656ae60cf962a99dd1
SHA1 9273a9a5e87736c021028773bfbe71c17e682de7
SHA256 a21a364abe9c40d912010de3296b85faba28c37b5cfb16114e7410884fb61a77
SHA512 0dfdfc80cc572a2981f3241d9ee991cf9a9be8a8946c3c3ff2780f3a09b52df2e8c6007f1be4993bef6bc1db47c48330957a0753dbfefd7ed31dd3406ebe2510

memory/2332-327-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4424-329-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4844-335-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2168-341-0x0000000000400000-0x0000000000441000-memory.dmp

memory/656-347-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4356-353-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4192-359-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4072-369-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4552-371-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3156-383-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2728-382-0x0000000000400000-0x0000000000441000-memory.dmp

memory/5028-393-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1968-395-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2624-401-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4852-407-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1480-413-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Idhnkf32.exe

MD5 de74d3b72e2b9f223f8c35b493a14993
SHA1 a5f703294499cdd4903772ccbeb1bc727d2d1cfc
SHA256 be900394b57bfe5b122bce6ba06e4d16155d1ab7c613fd034f0ad73f1dbcc08c
SHA512 325937d9bfdc5cd7186e36263a0a0a6fb4aa0fdf8095c6e62d5f7110ccd12be7dafbf186328cc4198504c078da99e479ba69771df36bc8181e2840e595c7c353

memory/1664-419-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1052-425-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3064-431-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ikdcmpnl.exe

MD5 f48e1f8ff5d010a412c51e93c959acf8
SHA1 9c8f3d2db26bb98045908b1021dfac2697290c2f
SHA256 172f1fb160f4a341d3fa2bf3fe2b18b9f01965667b1a3362b34dab1a20c171f0
SHA512 37a57b41c7bb991b57da71adc69858012f5002e2a796fb1035039a42b567891118b3a440c8d5bb291e46de11b7c62292cfc6b88ed37672d5869e5a69ca41d737

memory/4160-437-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4068-443-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3568-453-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2316-455-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4664-461-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jcbdgb32.exe

MD5 e8f9765db30074f7898d74649e8f91ec
SHA1 6890045047ed597c00f8e003bdaaa0ce2f2f14fa
SHA256 dfdb86f695d39c9fa76d37365a8ca6fa0ac1b510f9413e353517192db3b9d3b3
SHA512 204014014556ccf7fef97d15cf4084fee61110b14e4adfa9478c79b3d53eee2508098a414c63161d98d173187bc840f9842312c179cd168c35a3f70005a1df86

memory/4656-467-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3840-473-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2648-479-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2864-485-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3440-491-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jjoiil32.exe

MD5 c8fc99c9511289a98823a8a414d172fa
SHA1 e132926a248f4381618c190c26d2cb45285057df
SHA256 45fda6b562af00031377d8a2eb9dbc5a30bdff5fa0290a46026913c9c74a2b99
SHA512 633547e9a05111cb46dca035efcc3ffe0aeaca1a3354339c337472028bd49007bbd536bfff91ccc4ec937b7b88440173f7aadb49b6e1aee6c3621a533af58c1d

memory/3992-501-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2828-507-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3228-509-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Jknfcofa.exe

MD5 2261c1940d908a0b709792ccf24a4ad1
SHA1 3cba8089b292c1052c6179272b8501339e75fca4
SHA256 94f3c1cccec15c0699c0a649bfc11509cb4664677488d8e8a9a99a67292ccb9f
SHA512 e70503ab1cb0e32a6663acdf5ca79b7ab537c9b12480e3a836525dc07256551fda876b8d16f950d00ac9f9bf98d3d6829aaac5ae22f1c0641c138b4da410ea61

memory/4384-515-0x0000000000400000-0x0000000000441000-memory.dmp

memory/740-525-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3372-527-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3476-537-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3416-539-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4116-540-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kmaopfjm.exe

MD5 99e3a357ad943eee258ed1c696d3ac51
SHA1 9205da7cc1551669a71facb220535ec6c2ab6323
SHA256 1e391a43fc1fd0a962873d9ed392401c396cb6a0c475b01ad3ce89ebd8c2eae4
SHA512 2b45e7500889719583a3839ce0b0f4c956a64e7466f4c112a47dd2acf32a7cf1b7f0b3a351b8073897bc305cd61d74ea77df0ec0ac6cb054ebfa1dcd9597b8a9

memory/2640-546-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1492-552-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4764-558-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3504-565-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1084-566-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1956-564-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4964-572-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4400-573-0x0000000000400000-0x0000000000441000-memory.dmp

memory/4440-579-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3916-580-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3364-586-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1180-587-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kglmio32.exe

MD5 96e4826dfdea8fc28e76b0bab487a33a
SHA1 99e6f8cf8d3d7c42f87b5612300534a67358e187
SHA256 614e9fa3dd158f7b1d8739445463e4b93bdcb14ebcc16866f4a9c3ed26ba7ad1
SHA512 df967c91223d5f07e9a8d622b348e618820ca823311993ba23eb5c0762b676d84af9fb7cc3f441d7455be789ef5e4c8d42b37b3a1e78d6fb3faa922efbb17609

memory/4848-593-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3472-594-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Kqdaadln.exe

MD5 2b7ef8df2708157e8773ae5230a55a32
SHA1 842c2b57ca4d9e634bd7d3048c5975aae4416881
SHA256 7c570bcddf6fc79a0efa220f0274e49983d1dab732ec0c9fb13ce70c0052c1cf
SHA512 5e9609887b2c1cab43b06cf95a2677d6cbf8c5a75626ec4fdd02072c1e6a981e99c4045ad99fa8b44da2a550b4a30b962875f2a4dcfa8872663e1ed52fc202ed

C:\Windows\SysWOW64\Kqfngd32.exe

MD5 842656d2e47069b3cafebecebe703416
SHA1 2e81fb950511d5a399eb66253aab5a801d857aee
SHA256 e5fd9de12af1488d6ebce3195a53f5d861c53c7b80c50143d106055129db1068
SHA512 18d6d6e9ee26ccdeb533277d70ec39f8a0b417e3f2604942cde0e4b8da51fa7260f8d515157bce6586b9e0bd39e8b60cc6dfa58b8f9a6599c39bcf474410e96d

C:\Windows\SysWOW64\Lklbdm32.exe

MD5 1612ef954b7332c3bd540d3198f6165b
SHA1 7626f2df321c490319c07ae485c94929e1b488d1
SHA256 8a9dcb19c874fb242b2274e70115f8c246c3e943b588a38e95bd886653d39428
SHA512 3edf929419f47413a439a4b440752bd60c3074d9f00e61a8a8cd1168548974bb7fd929e7eb6efbcb599b06011b4ecc5293fe31a7f0b0f998003596215ef27a90

C:\Windows\SysWOW64\Lddgmbpb.exe

MD5 6a29f73a43547efff063ddb18d8914c3
SHA1 bbbea420a478cb1e630ab3cc3bf7bd646c6279b4
SHA256 389cbcbc38484ec24c398cba02a33d1b8d815a02db70b7385694ee79617219cc
SHA512 b4bcea96eda539d8d3bb762a20727029bb13aebe9c3cada244ce608d5076ba976eec59ded743854e4a4a2789e7caf24888904a3a9265eb952f3bd776df6b80fa

C:\Windows\SysWOW64\Ljaoeini.exe

MD5 e237048b706808339fc6c50b7f52a478
SHA1 0c287e89f11e525000e636260f0e2cfab2c4292a
SHA256 7fe97300d0c6e3a081633f156adfca480adc28af015bc569a1af9af01c0c21ea
SHA512 6a2c28a0e626f9ef2c9726df83550d2202fb5d6cffc33187d14a6fd05687cdc6bc496cafbf3d2797b739b598d2331a88d3b2a13e23b49729dd49cc094bfb5c49

C:\Windows\SysWOW64\Mccfdmmo.exe

MD5 ac38f3eca6276f0ad2bd6c7f228c6e62
SHA1 f05c2f6aded71b367867044f8640353e75bff69d
SHA256 b0be66d6ce32d2964bcec9f7865e467767b59f36069a0403593685e50d0a9a3e
SHA512 7092e4e991d9472b9789ff5937ce02f7f14c8f2088f7a8ca786878458cda83a6a6af5a7856665910fe773dd865993296c0359ee35e6b73b2abd89511ead79d62

C:\Windows\SysWOW64\Mkmkkjko.exe

MD5 5ec6fbdd9799ea246da9d99474f2e3ad
SHA1 ace40638a64e15d7afa6ca513536f09b004e07a8
SHA256 4f3dee39cc8fc6964e15131efa7aebb88c25f0e1afff8c1017751e4cc532049e
SHA512 624496d0d8cad3803ecf72f82ce90d3f0ac2b55a8c54fe76707f09a3f33e168660dd37610471ed7164b68d2f8e7378f2110439530f72298e49ed456add186aaa

C:\Windows\SysWOW64\Mkohaj32.exe

MD5 1832c905df174f31ca213b2707a907eb
SHA1 8b9a57fb2fda6e3cd1f56a4d8b7d0405c89e9f28
SHA256 5f8d80f2cee98036f16ec10615f713f5724f88577871fc0f88a18bde5969a196
SHA512 6ee4742ccb722ee098e63a0b57a2cca810f07d8ae8a007584aaaee91a832eaf0f30b86eae9328bfd9a18b7a326f69c12b8d4befca7b55e09c2b6d5445beeab5b

C:\Windows\SysWOW64\Mkadfj32.exe

MD5 0bf11aaeafc9a031b871850cbee2e7fe
SHA1 d3826ca7668b91395ca6af53d2df1256402f1013
SHA256 e5467186e4d76ec290d61973d8f0f7ee3d27085b5c1cd62c9210710ee37718e5
SHA512 6890ff57c237519a0e078cb710aaf9d5b3e5a1f7f51d3c79a621b4d461ccaaef5229c4f27542e91c72ed4ad83da4c8e4e9ddf8f3df38581f70b33ff5e593cbf7

C:\Windows\SysWOW64\Nnbnhedj.exe

MD5 9b5c29e98d5392c0b4f0500739a92b61
SHA1 200ecc37008eaa8ffd5fd90d9117c7e1212d3582
SHA256 d89ff4d949cf73a4c0695cfade743d88cc7fb927d103d1d99c0ca8784ab5c494
SHA512 4ae39d0f9730d24bf84327d50d3107ceada7a63b4b37cfffcc7193d2aa862b566983e86ffb725810887771dc7bfa9d3a3d49b26e694f2658b66b808d1f7edab0

C:\Windows\SysWOW64\Nlhkgi32.exe

MD5 010a597975e2ec6e1f25164dba9d6227
SHA1 49ac18f3c84ec092f9e25c45c24b3e71e0c2fb2b
SHA256 952fffca111bd2c92b12a1aa1722e2fadf72c089fb0f6b8ef9ec4ffcf6c886a4
SHA512 80fe3e9c12eeda95e85d13c6ddf8eb26b68e98a19a754328b0e46a74beb8fd96d6a9d731e473dc90c8b8d5c5105d940aba7a98d339ceced3cdda168b5879accd

C:\Windows\SysWOW64\Nccokk32.exe

MD5 2ae7d0182a39ee6cb48615f0484eec6e
SHA1 7a537713f8eb1c2c6b8ced2ea15dc99d86793288
SHA256 65500b79e59bde2a8ffd94a970cdb5b0092b996d5e6052b44eb577d3c94cd651
SHA512 96e347dce69a3db94ad091280b5fe06e29b650486313c62a0a406b2c55f11f74992cb56883ee7108e8f3227817d1c9c8a6bcb009a732a476320059672763d455

C:\Windows\SysWOW64\Ojbacd32.exe

MD5 185a93356f037b1546277a33321e80fd
SHA1 1dec07147ec3b04dcac923679e6183a7af61ef40
SHA256 29e9e899a2900cbc7a1ff75a81dc591b16aff7c78596dda72c3540df4facc1aa
SHA512 c02b49fac24953e2ac55da7b0352544ff45921cb7e0ce98dfd33d90e56784772feddf8882e4ab2e00f78463becbec7d8bd4819bf7ec0eccdee81d778753ee333

C:\Windows\SysWOW64\Odoogi32.exe

MD5 134d93e3a14a9e1867f9771133647cd5
SHA1 5e55992d1dfae20ddfbd5fc1d6aa019f1e60369b
SHA256 2cd1d1b892df255778f965f502aa12c1fe412271c58708088c8340e00392d2ba
SHA512 de8eb5e3bbbdc79480b22bfdddd28548f351f4f7f2f8e55316e645b5b52f15e6fe11caca9779612a58116bef958452c964cd5e69bc0f446edb40aa8b76ae0c78

C:\Windows\SysWOW64\Okkdic32.exe

MD5 38508e80c31546eef21391d421406540
SHA1 e1048a494c37e11b507ce57435aaf1a59e6da8f0
SHA256 d5ac37dd0b365c53b140dcfadbf25084d936dd2463424e668da3ddccccc5f8f9
SHA512 76148c38856c6795b193dce054a496ace01fbf983d71918333baa7ae58587d0b7bc4adce2d9d0efe026377459fec2f727e23df75823b0806dd1d17fd6e1b9016

C:\Windows\SysWOW64\Phodcg32.exe

MD5 c9888ba97c6d8d0e0fed0f4a6053f92a
SHA1 5ca2975bcfb4f247304502b0c41afbf4fdeaf088
SHA256 e8e81232f6b39665836aa16e3e7a78a654fdf849332c7e56ded58158ccba7bbd
SHA512 0baa99f69adb68ab96f1009849bc37864f9614a46b857f0a54e338b19eb4fb81e9c6002eddc9c043382abca011383870dd784196f1cca0938fa53c5bf1907ec3

C:\Windows\SysWOW64\Pecellgl.exe

MD5 4468348a0a448b6bf1ed832b21ec2868
SHA1 ec27d71515a32bebef69411745e0013452c57437
SHA256 14752b5e9f8d9bf581e63c3ac6759d27d963af4b737c721f57ec65b773cee3c9
SHA512 18ef8802be6dc84689d518c974492f9d49130e19297efb5304dcec5b61287028a7da5fff29dc7979df1bd4db4bb0cb0c72f99f2e9ba7b1cc1a5f936819bbfdcd

C:\Windows\SysWOW64\Pmoiqneg.exe

MD5 ef74b8421c7b3400b48ae2cea5812660
SHA1 68125b30b0865030fe3c21aa11139f7dbdfdeb8f
SHA256 9230ea19c926c0a70598835db4fed62dfca30c155465c0e98e4a577aac2842ed
SHA512 557262582854dca6b10ae8baf64e13addc66839a7902d7b48ad2b9e3728ee54f2e0900369d235d13222731072a9653a36be17e686160672ae3a05cfc25a0a2fe

C:\Windows\SysWOW64\Plpjoe32.exe

MD5 df77723eb75438d0deaf73ce9214de55
SHA1 3c710128bd3bbc0c48f47f097b8017f65a8a714f
SHA256 8f6fc30c178af8f2caed4b9805242a01f1eb18b718aa321086d878892bde3eee
SHA512 265946c61da9faf3d66fe731740ea060ebc24ddab64eb59a50ea70357f568f3f791c6c3eefa0241d5fc1de9cac3cf20c73daebb4e86ae98347d4f9defa26951e

C:\Windows\SysWOW64\Qemhbj32.exe

MD5 cd0c68f3949780012b0018565e973498
SHA1 2b990c3503933f68ca6edb5d9566ce07f91cd3dd
SHA256 ceb63dfef11232390890e2905a4f0686a5b41ebac3c1acffd6caafb01bd841f8
SHA512 7d27fba0afd273c715c3991a6047725c6ad8b9f5c22067938c3972939dd44e57a76a65fbf62ba7149361c1d13c44284d73e0d01f0baf8472559c5b3ec42b25fe

C:\Windows\SysWOW64\Qkipkani.exe

MD5 58a1ebdda67199a29cc7de88af422832
SHA1 69ed5eff682d49f8e3a142676d9353823d67fa7d
SHA256 3fffb1126c0239262c1e2dc5e5752699c576ccb55a8d8b7b2cfbddfc5f132556
SHA512 3a3e088ae4cdc8dd0a7cc3c684e56d72f386f99ef238ae92bbb54e91d90aca5cc3bd380854312b0d350e6b32abf6fb886c17d0ff5b648fe29c5048d9d8bb35d3

C:\Windows\SysWOW64\Qeodhjmo.exe

MD5 c0d5442abb41ccf02dfbf0a7707612f6
SHA1 10e8efb2b1a340ea68e12e7d1abe9c38c2a0b229
SHA256 7649eafff35b2d8d56c4c7797b490d32ca351d1e8c8dd568911e33b61d8a2f67
SHA512 a2a0911fa3340668602c638c03cab5703ff879718443d7b7bd71d5eda5322535dcb58fccbf3adbd6e4d138fab795d6cc219b3b37d37c723f16241d7ab043cc9a

C:\Windows\SysWOW64\Aeaanjkl.exe

MD5 2c474eaa52042965c339750f8f6210bd
SHA1 2c64ceb69d3791fb10f1f180f3b67d605c162b59
SHA256 36c83d46643610c316a77f0a2051457c0e47cb595878d3feff7ec0d3f7338ad3
SHA512 b343183af85a45253921766df0d0975311747a5b91998967bdd9719a00d12018bd35cd850bb05c255bca90e4cd24a06773b975137d3155b8cb675528b18b2521

C:\Windows\SysWOW64\Adfnofpd.exe

MD5 f7c1b2661cffc23391a5974ce208f7a1
SHA1 2ee0639baeed7a7d23eb73c5141bc82001413ded
SHA256 a449a6629cd8c44b0efcc0f08f7a96f7702a08e1cee88762997d8f4a64ff35b5
SHA512 7dbefbd9640c6645cf5b17b25c48c7d06a8d8958c253858f52402055ef99423ab0911acdac594327c656f7d90933417e246df18f042d4309bf5301650f1b0a7f

C:\Windows\SysWOW64\Aolblopj.exe

MD5 b82acd53ebd0def52088aba583466784
SHA1 33d1a6dc0657ec4aae1039ab772d8a0d6e48a15d
SHA256 0fa4633c74a0fe9eaaba5bdb951fbc8889c7d01d94efe22c431a5c5419e641ff
SHA512 861a6b7e99830d88a4761a30565fdee2e9a35a5855b7af07b51aada3e99a69181c3fa2217307d24c87a73894bbd02f102549bbcc7a25ce1b518eb52345a16e40

C:\Windows\SysWOW64\Aefjii32.exe

MD5 b906ee4c771f208615d18f02e68c6cc9
SHA1 41b3c843141affa404fbe7f43ca8484866efe0e7
SHA256 ffbc7b47d3ba8b3d23806ff820f20c32d9198093fa2bd96c152f5c5beb3b1396
SHA512 c712ff3a400d031a4f3d26f199f0afada02972c3449031e9137bb2270e34fddf59b47bbb8408a8617ed5ea5c36eaedb1711833bd274f57ff6c3711207ea8fd53

C:\Windows\SysWOW64\Akccap32.exe

MD5 53e61c9e25ccf5a18141d4bcf5993eea
SHA1 2c0254b9373ec090d3a0ddda9b1a43aefa61d807
SHA256 be828a6091f248cf4ffdac7ee1f4156056a0d44d5e992f83f9d6d77a7e6d871f
SHA512 9c332121b7d787ee5cd73a675b764470297d2c1caff45499a1e7bd212f4f05830f3651480fa61a386f0f9d2dd8139d97ebc3d780eb9bc1454f516ac1676ee4ef

C:\Windows\SysWOW64\Albpkc32.exe

MD5 9cce543c315a161f0f7760324c55b66a
SHA1 d1561720f5a592396ffc0b9dbc022753a75e2e23
SHA256 6110f9b04a6f147847d7e946bd7ca2a65ffc803913e35abbf4016e8822c4ff24
SHA512 97f248f79a2b513048f91fd54a6c2e7df7484b71717de88b61f5fb8ac6183208c7ddf6074d4eb80ee90420c7ba8e50e583c6d597a55c76a859d53039d11685cc

C:\Windows\SysWOW64\Aaohcj32.exe

MD5 26535f6f3755c0bea629d10835c080c6
SHA1 e9f680bacf0ee21cbba77a971d65574cb1013f7a
SHA256 37112b9063c234e15054a568efea9a420daf2629df643681b55740961116375d
SHA512 6cd98ec52d103389dedfa84651cbedfe41d52821f7cfe49f9b0b9bd9cad5513c1dfd27695bfb705011c1074e0b26ee5a12dc161662fa8937969bdce6dc9b1071

C:\Windows\SysWOW64\Bemqih32.exe

MD5 945704a8634ceb0385656d20d2b9759f
SHA1 c160ca673923aaf631e5bcf90c98164f4e191122
SHA256 1c2df23ce80a5c70d49fc7b7619c82180a805af734ff002a579ffcc1cf036717
SHA512 d9ef5251ee6afd351bc673c7abfeb167681a6350d491e1c70d1cf19ae071bd83718703ed2b6d83a20f461cdcd86040c9a15448ae58d5de6cf43c2406ffdc1c28

C:\Windows\SysWOW64\Badanigc.exe

MD5 c2afc1ddf0031cf425557a2f77cbb316
SHA1 f03b467aefbe6b5f7b5a6a5509cc910aa53e956f
SHA256 1c926382c8a4abe3f632cbbbb4e2066cdee39e31254588eb719c2781f54778dc
SHA512 16474d189d7ce51b880b31029620b8c2de07b040dc7a75a60ec2ae6e27e45ce3c60ec00d221715492e0393ecb742f86a139ce095fb8b5793f3be3bcfd0fa73c5

C:\Windows\SysWOW64\Bllbaa32.exe

MD5 b90ec38b14a496c7e2e453f72711d301
SHA1 cd2185bec82970a71aa926d506022a1e2845ee3a
SHA256 1088f9918954351a6ddb0276e9bd27e60c90d13ada44f70cf0f1d9f284ff3328
SHA512 07a410d753e4d9ce703aa5ba2080ae286892b43321139a612251a70a36e5b1f4fe7f17a009c4e0fdb435f322c5b3ac3ec767c665b1797d0ab42914aec4b9f9bc

C:\Windows\SysWOW64\Bdgged32.exe

MD5 f071102237ed22056ccf43c0856b5da1
SHA1 ce7a9a9a4bf0ab8e022adb1db2d6dd0d4bb6d873
SHA256 372cbd9d42439e5200bec0861ffb1f2c616f6e0bec9bec647e43a93bb74c6a32
SHA512 6bde633e4e61d6b181c39fb59533d71f33a2beab054a0ed9489170ffe86e5811bf46942ef3c285568a970d90dc9341fdeb83b7f791156f75c9cbb7d36ae13713

C:\Windows\SysWOW64\Bkaobnio.exe

MD5 e030d35e2207fbdc19e181b87589cc8a
SHA1 e724be556509ce232d97f196d7492f75579c9214
SHA256 829b18c9d420fcf2679e3033d23902384a2bb3f3c8dcaa7b1b79ea0c9c989901
SHA512 7161e0f1b6190dbb48ba9de9d65674f6a922e4707ce17d7dce14f9b6851b109a44118272c006ddbb0378c823515811c93461f0dfb88fadac0ff72122d319bbd5

C:\Windows\SysWOW64\Bheplb32.exe

MD5 f2fc83258e1ea1beadd800aa1f256b94
SHA1 7e9f5a1c11af0c596c0a7f291d9c312d4db55ba6
SHA256 3a9c980a0379782813845bf66915601d5a2a3510338b12a2bffcd8085b0848b2
SHA512 ed211aff53342296763be93a7027a23e0b57f65718fc8ef28c4340d01cf24193771cdb29ee3badba7b9ae12452ac287e41a5b5d7eff201b4deabd086bd746e3a

C:\Windows\SysWOW64\Camddhoi.exe

MD5 2209baa3a406304c3b0663cf919c8a13
SHA1 4f266759e4c57a2f78f5804617c64a28c1941575
SHA256 5b49827a23b3a9621a327a908a9b2169aaab9e3bb9921d4ab05b5538b0977e24
SHA512 1157f3d44cb6192437693bef60fa787095e0808368903d81294b8f8b16904964fc73904227eca5aa19c5544fe54724ca961b25320ad3173d1b930ab715e9005e

C:\Windows\SysWOW64\Ckeimm32.exe

MD5 17ac414e565bb17c672d19c655e6c30f
SHA1 7c872a4cf7308f7309992268ffdd3aa8c679dfd0
SHA256 ccbdcb7f06e8a66e5ab6c2e8b3cd2662ea7d393f0fead3753212b9f88d760b63
SHA512 3bc25820f5419fca449761b750cd2dc3b8b4762a191a410cdba0484e819172d674ef58019be0e82f9ba50ffad7f04309801d4acbc748f3a70d8bac58c8467912

C:\Windows\SysWOW64\Cdpjlb32.exe

MD5 33617165c6a4c63b50c8192475ef644c
SHA1 a90046af029a37aec7daf3d9f9234083ca90da79
SHA256 3686a36006d81c93fca6f5552752e51500ff51c281880d06c6a46d7a49be9a02
SHA512 2b4a92a0e9f57b75535f844d3ad855ae33a7c91baeca347359f9420f52e278f2d471ff09c764c6b3540a48e842422485c17f4286df51ed1cdd1d49d1008347ad

C:\Windows\SysWOW64\Cofnik32.exe

MD5 467e9797dd9a3e69ed9b5115929824b6
SHA1 a8a4c23848faa2d7d08b54345728f548e41c9242
SHA256 7278596b23a852f1b5f437f13b67fc83de6791ba461d3624c2107fd3dcf249ce
SHA512 6e7a4943e4e9c6fae15ae5874836cddfd332145bc6295b766c45c3b75a614149084f7aab309fe3c92ce614312406bc984e73ec40b6e475378ccda70793d6750e

C:\Windows\SysWOW64\Cljobphg.exe

MD5 a2450bd7f3d19373f25e867ba2099f48
SHA1 8f23efe1cf2ed663274daedc80141935dad0cd52
SHA256 624888231d3456914333eea81dc5ba286aad5e502791dd1d6df052592e3ca3f9
SHA512 b371d433af81acb32bdfa08f3482d7e7194357051f6a071dab70326b252616090f4a0bae8263324be20c12dd362199d2a3025333de691133a103d29f9f5c721b

C:\Windows\SysWOW64\Cdecgbfa.exe

MD5 88b1e21e114c642c2bbf29fb09f10414
SHA1 9da2fbe073a9cad9e92269f5f0f44e388101abab
SHA256 37cb94cae756888e28bca46ffceec86eef70b2bcc2e3f284f7e9a019cb42a260
SHA512 b25dc72ed569aa457b95f251cd3a3c4b3ddb8a4b6883dc0041e21e6291bbc0f89edeb6ec14826aafead89dac7800aef059898814739f60bac198dcf2c001a54e

C:\Windows\SysWOW64\Dhclmp32.exe

MD5 3c5756155d4db0cb44596ca0fde542d5
SHA1 f2a8a2cbbd5d5bdf8c88c1b13a53b419031d9d6f
SHA256 12fb0104176bcd38f256d728c73da0e0eb7342328e498b0e0c49f24e35c69c38
SHA512 4556ba83c387bf032c390d82772a3cb52a7fa72bb81217ed547daf3f3410ca43f0b04dcf200be2bfff2813ef58b64df27569720bd1ec6ceeaa68044df27a056d

C:\Windows\SysWOW64\Dnpdegjp.exe

MD5 ff5761ee308dc572fec87ecf40bbfe72
SHA1 edde3d10a4830696cd05ee7baf0b230f0a18199b
SHA256 fbf81d7d784bf1f4d321529ee80c98a1d0cbcbd9b20539a440757b36f12ae395
SHA512 1045627acba0d8cd017b07110ad774b40188f9260099ed99ae85d59cfc214c32195d891465ffbbd59d48a0247f6714ea9f1ce9e3598752b0d0786520730ea2e8

C:\Windows\SysWOW64\Dheibpje.exe

MD5 8180495637f10812c8c845db5209c6b5
SHA1 47b46a93d62c10167822b612948959a4d14e5452
SHA256 f8e06165c5f2b913e24f864c5b7841c63ed0804052a1f266eaee7b62749dd602
SHA512 3629bc29dfb2fc1a1ed9f9ea9ec4f143389a53c8e070fb7e9e006415186e9b28e3a1d1d9e5fa3b8b7050248ee763c7f511b35ea320d8ebe1a5fb77e58e6a3f55

C:\Windows\SysWOW64\Digehphc.exe

MD5 717dfc0ba533ac9b9ae70f2644f8e8ad
SHA1 ae4ea7201b82235942bcd7a64f1646eedfc221c0
SHA256 88610f5ba8021eb8dbdaf1a01b9b73bb98d9de8e87d392b19f4688a18368cdec
SHA512 bb673486619cd0c75564dcf4c461c405c0cfad00bd5a58d797426c6491f6bb3a132929347dba27de79b004da0461291e69da0fdc3697c75fba6d93b6709b8f5b

C:\Windows\SysWOW64\Dflfac32.exe

MD5 fb21f7ba9fc8b5b0f2b4de85f7d3243a
SHA1 4625f9958f61a7305560ecb832675f2dcfa70939
SHA256 55f8ca27a702e43c58620b8bf34ffec5cf8d8d9263f1eeec47ff36949c98928e
SHA512 a998707719069568c10412cb61906e901ffc0f0277c85630735599cdd634e1b2f005b5a8b1d05f17a929d64914a150b606cdae8fdc5d2d4461ad653ce3474efa

C:\Windows\SysWOW64\Dngjff32.exe

MD5 ed72681ee69c0d91ccbebe5fa9f4677b
SHA1 d0cbca64ad175acee7f54c8eeea2ac799711d1c8
SHA256 d625f688a52205d041610742c41d35669f95193c4c7b0ce3da9f93b2a754bffd
SHA512 94f71392d0ff6c85ef903f3e219019c24d4b8c3dbcc9379dbc1d8e7eae22f131c6bc0b2015ab6a2fc3088a7a7cb5b19cd1afe22532de8b512271bfd8855d32fc

C:\Windows\SysWOW64\Efpomccg.exe

MD5 a43a796a243e66893f7afcdc229126a1
SHA1 4be79dcd4fb27e349442db74d8c1b7c1c873351b
SHA256 22be84b74814571ed75f3fae397a090819989dbfe9e87f5ce15d92854e154cb6
SHA512 1bb4741966cc044cd608786b43852050ff4e2c29e48720657b8dc46a458c1d77e3b72f2dba90286bda9e81b535810762ab75196e8afa5b4638cfaeb64960e762

C:\Windows\SysWOW64\Ebgpad32.exe

MD5 54925040ab935e9b20862d212f555f1a
SHA1 f3e3e95593ce6866e3b83f1fa938dfd228b39d9b
SHA256 0e1af6eaae0b1825c6d502aeaa7c3ae4351419f3cd2f083055015496bf461f25
SHA512 89e6a6d83306834ac1eb59cb7bb9be822b54b89c0e49929096ece13bed46c1237e98bf23b358d8f411daac652010a840f80e875c0b71dc6adaddbf643df4dbd0

C:\Windows\SysWOW64\Efeihb32.exe

MD5 062af1b08a2d7dc62085c718b09bf9cc
SHA1 3a8c4cf2fd8977cf53f60417376c62e8fc1a5b5a
SHA256 c21bdeb3927fa73f642f4fb4d9183dbceaa81a8e722e541c05841119a4d43eb1
SHA512 7e2846ed001dc6b113e1647ae2e749461bd64add6bf4de0797672e84b3456256966415dd1a3982f3f620cac7a891ced23057a26aa57ddcdfb09a455dc20e5a17

C:\Windows\SysWOW64\Ekaapi32.exe

MD5 d2988aa230d9ec5e97d726825f596520
SHA1 ab2da7d2ef18bc11066f6fb427815515572d0108
SHA256 a3ea32dffc0d5361edcc5138ec0ffa3ddff977485bc3fe1e55d7af7c7b8d4704
SHA512 24403ffc568ebe2897db98e3e2e16a06b2e7a6de5164d1ea8b0f95dcd3eef2c613ce283fc6a321b654d5f3e75c6d2388b0d0fe57530ed00f5755ac8dfdcd554a

C:\Windows\SysWOW64\Eifaim32.exe

MD5 7582f48708ab42690faafe1567116453
SHA1 fb2beb8568e02191863a8749694d01b4d8be9dbb
SHA256 a5ca8316bee73a0f5fd2f393a9088f97c7c4bc05c6dd3e13a9b2bc37c9007df1
SHA512 b159e8c95e0bff850b57120f3cb3ea78f743bffa68ba9dbe9c2e792733789686f8ca3b57ac75c9a7084136c2f988e84b1a0a44f096e619497674bccd09822923

C:\Windows\SysWOW64\Fneggdhg.exe

MD5 8d32997a66fafa70cee07d54852f02b3
SHA1 6264e45fb9fd2441a6405ff40b23b9cd06bcf66f
SHA256 a71842c32e6b2cb7c5e5272a951bec95d046f061cea6aff2f77551b79aa1df70
SHA512 b1a1b927324901446199d856d0a4384b3f6e71295a8b0971c46f59b9c6069069bbf17882e8c3dc4305049ed7cd671d33fc3f09465d13d06d232efa364f08750d

C:\Windows\SysWOW64\Fflohaij.exe

MD5 18a8f5287fd4464fe810c20c47960e51
SHA1 2ed0dad6168c272ef12be261987e1a05b9f03265
SHA256 a976f913fc084828524cf8160a16c14564ee5cdd2f925319235d60fb457c8cf7
SHA512 3e1b8d584d97565ef0ac3d9574cc50a46d1d29a26b9cb59e45f19a1ee8dc50e97230954217431f29f7e6dd9f3ae4489d3675f28be65dcac35b4d0ffdee653005

C:\Windows\SysWOW64\Fmhdkknd.exe

MD5 62cf588e0eea0b0da7eaf7d063b84fc0
SHA1 3fbe463abe50a0d530514637fc6e821c7e8ce979
SHA256 09794e918d548ca524796294f7bb70147286302c6e2e02cf6e0785a9028da166
SHA512 a192adc1d351ec5cde3c007e50a05373550e65b03ac294e0f0917f1ef2ec691a3c3832c38413d080c5c22d78d171d8fa16e26b022de6152ea2aec6283bb93d58

C:\Windows\SysWOW64\Flmqlg32.exe

MD5 6313c4b76246ee86ce70977e7f7483a1
SHA1 e25efe3370816fe16ba7505d0dca9827a26847d8
SHA256 a69c1e5586eb0b4527a797396fb40a8e05ade7d4864032b03798273e3d911da3
SHA512 d725b544b6d34c321659cb626d736de04b385b9b2f5af7310cb0a4ba1bff4ae25a49abd84c06d2925556873aa725ff41812368a1e53a4c6614d8fead33aae7c5

C:\Windows\SysWOW64\Fbjena32.exe

MD5 f7917d53e45d519e27581afa023d349b
SHA1 4edfb6973ee16f9c993c5b04c7003a34c20b3817
SHA256 2e860e878c44ad11b6b3e62074923a0dccc950835c7161894b7bd41b084ba872
SHA512 4140fc1837dcdea1b4fb7a188a14de53ff9cae08417959b6db372a1397d8521e2e968d47816e008076862684d87d9c7c0972c243a67a0aa786cd7dc835519855

C:\Windows\SysWOW64\Gmojkj32.exe

MD5 37b4c0dff04e956ae3c90f945f574409
SHA1 8ea84cd9569dd348493f2abc2d56438cbd404c34
SHA256 18adeb78dff30443363b328583193149ff117af7c246105345cc74d2a89a57a2
SHA512 2fe7e229bf989fc1774252ff6ce7c1cfe1d79cd3f979e3ee0fd97223bbdb1a454d7a0df426f05802ed573ab1c7303d23468f86e7e4504b7c3f3976322403b627

C:\Windows\SysWOW64\Gifkpknp.exe

MD5 1ab5fc3c661703e8a79bd48c4071e990
SHA1 f768b5c7693a97a60df8fbe873db01c5e933fdd3
SHA256 e97106f0f56583305262dfda8422e21f61e6cd7962c4f2a6e128f7e6152b7083
SHA512 1cef2c1847482f077f0261cf6984d63a69f0ded2a6909e63b14a51a177226b7ec7a1aef5f5665a2e7511475aae0223d4ccde4308b94cd1e2cdf94a6bf53e37fb

C:\Windows\SysWOW64\Gihgfk32.exe

MD5 62d9b4479bfe2e601570f2d24b8be9a9
SHA1 09320895ba739ecbe5ad97998567bc0c84b252dc
SHA256 cb5295b68f070d0b4f0ca3be672f9fdb1184046193b09c1d93bfef06ffa5e2d6
SHA512 17f41fac8f1533a4afdf242c081f32a9529eeddfdbc664b065006f99972d829f32dd049a59e18bd106173a3bbd9739fb6941777054eb0cfaacb547dd8606450d

C:\Windows\SysWOW64\Gnepna32.exe

MD5 14df941ac62ab4fdc46288f433606805
SHA1 879a97a2c4c2184a6a9f90af492d80ed1ea67621
SHA256 127b2333a5c593ff6b01dea48662d65c1b58178bf8384b49e2d6d9fa6061bceb
SHA512 b2503e5f303d0ffceb5fcb0bacfd8200d61e62846294e693e214802b084edcca1f8a9432c21022502a5910e410604dd09f33d3ee7caf4078893b1412a04a126b

C:\Windows\SysWOW64\Gpelhd32.exe

MD5 46ef57f97b1dec5e4e8a3128365ee020
SHA1 220d8e2abe38614c9ee3099d016ea002be9bcd11
SHA256 57e20e03a3bd6af5488283f26eda3bc94dafbcc3e0c5e6a33e47254c54495871
SHA512 b48972b60c9b3d323dce295b26f1da0c24b6fda52ef6ca9f17eb8cae345b6d2a001e8769ff14be24c129768f15ca84f9f68b19e263c86883dfd48b4f0a38edb9

C:\Windows\SysWOW64\Geaepk32.exe

MD5 f3d34b1cf24317025dac0f846b0cc25e
SHA1 7eb88df7774b181d8036682c336e0f701ab6cacb
SHA256 4e080f0922afc2cc668feef120828e9d35e3469daa19115d0321e9a048e5823b
SHA512 f8aba9d577d335b65ca58b4140539713092e0fa8aed7c82a468a83da7e9a5fa5d8105484dab6e5316efbc6c4d40f81373887d77aae7dd3069f9b0cb7a240ddc0

C:\Windows\SysWOW64\Gojiiafp.exe

MD5 0d939bbc3acc45155a37b08675b8e33d
SHA1 0f3808681babb92e0d269eb327e7ddc19ce3d7fa
SHA256 3ebd192334cbae906c53971d7f2058f4c2405adc6aea13cab1fe873d0c971030
SHA512 727adc791e2f8b8dd00bcefa6697170e8dfa07dc2ee800ace1f1ac4e38eb527223ccfdf3eb8835b76395cbfc5d59204e73265b85c6ac9e269e0d16ed7f80482a

C:\Windows\SysWOW64\Hmkigh32.exe

MD5 d3eaca776c9b4548a4216a4588b4a8a4
SHA1 f68790d9a3c1321be4288bd437c258de7139cbc7
SHA256 0dd9f93bed54fec90818e7b840c335e583af9c6fcf74c28479adb475da62583a
SHA512 09f9da93e5f10aac8f55e70bc4efbea9ddb6f6151f59068f2f02092ee31ffb48b95c7d49e8d9a7d19fbfa6184b20da9e869bfc21839cae4e4044b4b0fd11a9c0

C:\Windows\SysWOW64\Hlglidlo.exe

MD5 3b74a9c8efa0ff822da870f3d99106f5
SHA1 8c8c45e349e4298728aa023365595304ac1dac72
SHA256 3f9f093986010a2aac5544d306e083cfda56f7753b568940232f1c1ac63c01cf
SHA512 d485fbaccb09b150cbb802ede5008c0465daa6ce496c6472797eb72ae845f4989bf47af3e88cce7a0d828ff8e6cc48de86954b0becf2936d6a9b9dee2cc053ad

C:\Windows\SysWOW64\Ipeeobbe.exe

MD5 93f76616572748f64c7996b66286a1ad
SHA1 5d98c893901a6fe0ed533ed0f603bc8c1c2c58f3
SHA256 d91461bcd86cf8441f857a6e0b057c07e3475ee2831dc9496fd099c724314234
SHA512 83a6d6bcdbb2a4eaedbe70bae4f103a503dc82da4bb2b7bd54884cb656678a89a5c2c69dab018daed6dcfdb82736053c35738b7f3a711aaed6699b7dabcac010

C:\Windows\SysWOW64\Iebngial.exe

MD5 d0eac0b34049fde46049d0a1e6e2c0b0
SHA1 02626c486401e1fdd35251c8bc4652b2dd464abe
SHA256 4416af6fa9a1b4b7074e94f9d2037b2c13d2d41b5d7fd47a582d4a4fed742470
SHA512 3ea435f8e2339c35060d3f1a7748e448b0fcd2b5ef1ed790e6f9eb6173577621e389764fad73aaec37c78b29b3d98a335d001e0c8f7fb772fb859a2065d79dbc

C:\Windows\SysWOW64\Ipgbdbqb.exe

MD5 021108c4d42c9aa8ac5b32b36f4bd2f2
SHA1 fc4c7afdc666e918b68a9a2a2eed4c951f8b03bc
SHA256 8e8f3a5036c1b95a0e5dddbf9fddbbebffbea7fbdd0226f3a6dcfa73275aba91
SHA512 4dd43dcb789ae8eb2583c45306b01bdf665313c645d7cc25edd7b4a34ab1a4cf5c1c91ed536313fc51e61b3954f9a584295e82c9ffd8d11f4c1b737afb183de1

C:\Windows\SysWOW64\Igajal32.exe

MD5 bbc2793f68f1fb3da9620b517a3b2a92
SHA1 8d52174f23893f4bf15a75b22ddd04fffe5f4229
SHA256 7527b140109a402e09863759d03ea0e69971c28f278cafabcb0f2d1561c26c4e
SHA512 5493664a60d84dd4e6f21c80ac959bef45f02ff4febd3115b490f7d58e3f8fbc1e93e1d8627bc8a38db5a1c4d441656cbc8674d18251d767a9886503c1e25c6e

C:\Windows\SysWOW64\Ipjoja32.exe

MD5 2ed5423cee11de88f770d0e0a553c009
SHA1 9bb6a615fde4985e858400432bf9004e4b8ad486
SHA256 07b5d5a3a4b651d187b9a6295c63ccacf534f56b52041860b31b5cae206df505
SHA512 2e319f0f1e3c4bf6bf36af2f2fba452ddad236a759c6a98f7374f61719c30921626e1fa34bb6a55698d6d5a183fcdf14f0a538de6a03ce65c056bfe9d0316019

C:\Windows\SysWOW64\Ioolkncg.exe

MD5 314d55b095eb495be3beecd4fcab711f
SHA1 3dc7ef3eed524a1bf87389d2fe39dc241a9350b2
SHA256 c2985d2213f752214aa286bbc11e90ccd535bdf7437ad7ead3be0c15d3a2f32f
SHA512 4352a5be6bb8fae5d55c4b7cbe3ac167ca3b86bd4a8800a7ac17541cf6b3cb77e1d52d72ec9f14e739cb14975e4bad1540d529fc0ea21d4a5b316d42a5e14e5e

C:\Windows\SysWOW64\Jcmdaljn.exe

MD5 2a5220a2d4ecb135dcdce264c7da4247
SHA1 8f2fbfd14f7bda59be32d552bb3616bfb96067ba
SHA256 94e828e916a79488484bd8931f1aefa95e4a3fddcf0e6eae6f492ac84a5581f5
SHA512 3e72bbe5ad4f2a8a000ab74742a4db9833ff51b860a036cd18179db6a378072568ce80f1c2161256264fc9463d160073fb0537b0f84ee43fc86cf618f18d890d

C:\Windows\SysWOW64\Jocefm32.exe

MD5 81147004beea6b736f4a4d1459abbbca
SHA1 bfa2b093d86a1c39941c66cb8bb2fef9cceb1083
SHA256 8b9f6b3e5d3e6928aec792bf09891dc0397da301128961ba045bca92cb490d0d
SHA512 57bc5322708aab8d911bd71dc8c255295f6a45453a7a6049f200f080da8e9d088cfc356fcf729038aec521068784e5cd1710e315a814ec1376a3b35af46d9268

C:\Windows\SysWOW64\Jgmjmjnb.exe

MD5 78bea534f690db52e9bb0c49d67056e8
SHA1 1ea384221a71cc89e3e849e46e4e7a18dd6d11ec
SHA256 64782d57f4a514aa0aa5259f18552b5578943a1469cde401027f21c33425f8ce
SHA512 b8e75bdd517b33c0662abc55c5548ad2e32abc8d85c670cd4fb742859505abd40c56bcc35a15e4df930be4d944a5c0418175fc0e197bd61db86cb5766d823795

C:\Windows\SysWOW64\Jphkkpbp.exe

MD5 9d5304e6669d323177919772a0907f93
SHA1 a04428069e0bbd15e9f13819ec64e4ed6685f3b2
SHA256 293044f45fe8608601d21eb3a597ed1521168b68f0a113d10ed3c1bf44bdfb5c
SHA512 b4255eaaa31ec0d5ffcfa07f33af243d834b1111e009358cf010de7a8ea208627eb1550054889e9e35607decf9b8523f1d2962396c284920a0edbeb5075b4d0f

C:\Windows\SysWOW64\Klahfp32.exe

MD5 d026de250ba8cfabbcb072ca5efb8dc7
SHA1 13a002b9236fa446f7b6ab2938d3f8f3e77f5c4e
SHA256 8e42734af223207ce1cf54e6f94a2497bb6d305c58ae87198007ec028d72e841
SHA512 a8b05a15c81be774763e6988380f85b20a7513c14f86a1d8c19112b4da4a46afbdd36255a5b043a3f2bd13e12d03324d8f1aaf2ab7810f3f940a282ee48356bb

C:\Windows\SysWOW64\Koaagkcb.exe

MD5 14b59ae9a2ac101d4801e2b195c02104
SHA1 f3be5d31adcad7ac518308188c7dcfae4f9790fe
SHA256 d197affb796b5ccbd6893dde355cb6038c2e3ce59e1ff97408c8ff7c7005b84d
SHA512 664ba38f5e5d806610d10510c1160f7b2a1e155e5a3951c3313ae782dc31e958baae2e8445e5cdc9bb61835b436b5285b09dec6703a019270f80618bc636fd99

C:\Windows\SysWOW64\Kjgeedch.exe

MD5 cb7218540d0715e16f68c09d34898bd2
SHA1 99478a5278c7a4878f6b3b0fec8a306bb8cb11bc
SHA256 3c896325ec32ff86221b8c13d5814ecf843b75e407d840399dae6bcb510d35f7
SHA512 3773ebbdcd3014470f76a970a9662dd4b3734be654830019d4cf36673e46278585f299023e541c712fb1fc21332de5a48502436f9981d56f413cf782ade8658b

C:\Windows\SysWOW64\Kgkfnh32.exe

MD5 3b07cfdb876f3ea952ef21dcd6c53897
SHA1 ba7a714bc17ac931558143c64637062aee00e92e
SHA256 e2b66c770ee2e20780b06ba47cc7556ec2a7e00e09ff9681226de37fbecc0e74
SHA512 97aa41ca5273b9a4fd66e736f76e3918f14b23eee6fe0ffe591bd9a7111c9b1fa83a4fc91430c48bd92d0dbd3ad8d325f247f1b65c28c4101c3565e6bee98a5c

C:\Windows\SysWOW64\Kpcjgnhb.exe

MD5 344abbd58b89a531f691d06a44d52ad0
SHA1 413223cb618158e7c15b02c52ec3636972f6ad19
SHA256 1d65866e77972b74850f5b6d0c5d7fa64cce985ec3e5ec4dcd4a0cf56d56dbca
SHA512 69000a97ce89707e93d3d9d67cdc83156b2ba0912336d582fc781458e797a124da71ef370317c35cb50c87dc78e9ab0591f8d9aff6f3509e4f4eadbdcde905a4

C:\Windows\SysWOW64\Lfgipd32.exe

MD5 fb4fb2e74b3060f93842587cee361d05
SHA1 f5d21d47fae982b7771572dbf27f28b0cbd3fb41
SHA256 1e420d267afa5699b2da751fd504095379cd4ff65e7b49a4c1bcaabcf226a818
SHA512 176824c0c9936f29c78aef4eac42b403e0e333a94ee35584b71f68c0eb2586b4a397b0afde9bfed0fcbad39139d854864aecd6e812993fc55d0f9bccb59b0c81

C:\Windows\SysWOW64\Lflbkcll.exe

MD5 c19e4305918400e4bfb0aea577ce79ff
SHA1 241a36cdef997c8257cf300735886befc1ebc233
SHA256 24e48d97b291b26246a9cb23d8333b838d92d120b5cf2d771b5bfe04bd7c1f08
SHA512 c6049d8a42db5c09ee159955e90b040c482baa3832930292e1939b8f0a74b8359fe1d767e2759cbb59e18f01ee25879848f3d17a79e40f6832ddbc0ea8fb6a95

C:\Windows\SysWOW64\Mqafhl32.exe

MD5 d4a82f789f64c891fb3e8d31e3ae024e
SHA1 7b18597692775bec7e3ecf5dcf0a374761ca16e3
SHA256 cf48a545dc5e34159a9078e9dfad0edcbb4d00584bab3e16b0ac066cbf9f83a9
SHA512 eb82b3ed29c1fc2c7ba4b563c954c8d0d6a3b94f373b0e2c3fc2c04ab4928c4e790dc640306d13c9169cbf88d388ce2b8351f69a0783f41fda161b3d718727f0

C:\Windows\SysWOW64\Mogcihaj.exe

MD5 ae6fd444f8f30b3c757dabae3e6f8e17
SHA1 91bf2412915b943ded65f1fe4d1aa29445734377
SHA256 906a61137ebc65c0a7e5d921d873be0874514dfa05c487a74a829367f171bed4
SHA512 2dfe266c9e58aeebb0673ae72bda4101f5e059f7dc55e12a7f938e7103c09d89250b41485b3dee724b7dd7ec7445407374ec83f46e8e1eb2b9e495133f5a1d84

C:\Windows\SysWOW64\Mjlhgaqp.exe

MD5 ade341e092cb2df1d2428087f780e208
SHA1 87cb959dea67f5e34af46bf59d35aa3ffe339fbd
SHA256 bf3279555ccb43644fa988ca723c846bfc26514007649e410201ce921f957c61
SHA512 23e13a56e86000f2d30d74695e06afdb72a153aa0a1ef93681d886288fcb3639854fcdf785de2fae83c10c016c640ba4360012beacfedbe0ef9aeee36b89dba3

C:\Windows\SysWOW64\Mqimikfj.exe

MD5 e9cf7c6bc00602ce39afe0d785af29bc
SHA1 e508fa95faed834daf94b5e10b288981f0ce3499
SHA256 5a4f0cb0939bade106fd96f599397f4289f2ef47cd8616493a0a58ad43ad83e6
SHA512 595b3c842ec749dab6fea8be5bc171efa0da046f795f08158070cf6187c27549d6ac170f93100b696601c97bec1039201421f4210b17d8d46b1d238916ff86f4

C:\Windows\SysWOW64\Nmbjcljl.exe

MD5 7ab4ec736a6c89f6371afd57e80f2a54
SHA1 2cefd7f21d855a9ca307a908802df7702975f9b1
SHA256 d4367b93277283abfd95718a034e5b2c7f430f3fca114215ac99c76cca00a668
SHA512 94766a05df706a499261fce5af2c0d4577f2e4fa62f59b480d9a9fdf028b3a5f3bb7908cabd79f908d623cb9ec4ac450fdb9ba48322ff9ae2b815a05a9d07679

C:\Windows\SysWOW64\Ncqlkemc.exe

MD5 25dbb134a6053a7e76e270728ba5debd
SHA1 e82363c7b20882f007c8cf47e02adc29b8dd181e
SHA256 1c015c51bdd0040f71c87df35867d1d1e4a74a6b39da13ff3f9d403c0f27f069
SHA512 daba8893d4338a6656ee2192b6c01748b34c524d7fb6754cd59de522025d5b5397a87e6eb498a7f51ed7a5c40502402f30e3f3c3c622b10e67a2db88164fa115

C:\Windows\SysWOW64\Ngqagcag.exe

MD5 14ec7c37ecf3fdfdd8bd6857f2e16737
SHA1 ce1bb456389829c1d7e3dda8d0f8c47478b1730c
SHA256 b442b6d51b8ea543493bfe9ae36a844e34d08a9f8f5a6486f1a3968f7f9fa5ff
SHA512 a1b141f41204a4fd1ab3b99527cc3891297b31ce5db53ed18d4e3d111f4988d9b39b0245ff45365a4e75e4b27e49d0a9b5d9777b500c1b9bec9df22a8d883e69

C:\Windows\SysWOW64\Ogcnmc32.exe

MD5 e2eb4b0492102e13f92f81f81d36217c
SHA1 8c483d96d0d728d2fd20e82b8521b29098f471c7
SHA256 4ccb22edb05ffd80baa06099685f8db6dce7c4e7af4a0fb2fa094338a51082cb
SHA512 7df1b06321fcf1320cc725cbaef896c433120b043127f941e3f1b2f4ee77679bef42213a7d23f8caf7db746fe18ac7adc2952b56556db454127b81668ed41dd4

C:\Windows\SysWOW64\Ocohmc32.exe

MD5 413ed8795aad1e6e712a933f732a606f
SHA1 986e114220d93dfc343aa04379b14ebb53e35a2d
SHA256 ed59d5a5186204bbc0c01d6d2b69daea41efd957d1aa681dae420e26899c79f8
SHA512 880765560d208a138cf116a4fa5adb34f5930083ccc0638c93ac88b50d7a71b3e89efa293fda6e76e35c9d02861fbf492cd8498d43d2eaa28dc544a54b1168ca

C:\Windows\SysWOW64\Pfandnla.exe

MD5 14d77f989e6645d2345dcd7c07166157
SHA1 627b19744f46c5275d6491f49f4d656f0ff44e52
SHA256 5872c4b67e7059ad37e32f9c79cc5af6f823c394b7a82825ae863cea5cbf8b4b
SHA512 ef8e5294f039d86a6181b6749484ae377da8ca1ccc1e9c3cc083f6182538cf15e9f21cb00ac38adc4c4a3b0f5f023ac04b49a6ecbd778521cf670b90813f4cf7

C:\Windows\SysWOW64\Pdmdnadc.exe

MD5 010c4230bddd9095d07ea460ce1736c2
SHA1 4d308ccaef18cbd059d028f2596beaa4e6330321
SHA256 99d8f4ea215afd2d2e7ec8d0b015dd0796b77b3524d5aa328cd1eb9012f75ad1
SHA512 0628554cce4d190f187450c023ab526309600a5216e7a373485d41b3aaf9d0c50892e1afaa65b11d555bf23cc310c725ff82db9d1154f57d8b275df86da0e517

C:\Windows\SysWOW64\Ahofoogd.exe

MD5 9b6ed51facc45b3bf43dbaa12f6afcb6
SHA1 2cd8702ac3f04554588ac8ec096ed17a5adf6e35
SHA256 757015febde84ed1a5f0af49b0f5067c1f57bddc637a3cf05fa9c84cd56f724c
SHA512 115c90bb7651c5e760f01ace64eb8023ae85d7b2a84604ee2dd4424ea3c0c9aeb7c976bafde6109f158caf9950245860fae98aeeeafcf009d80625863fa2315c

C:\Windows\SysWOW64\Apjkcadp.exe

MD5 8cc67f2cc2c5297d3e5c0e41e5bb40e0
SHA1 0981bdfa757e54e9a1e8de2ebe919eaab2a15d5d
SHA256 82f7bd3e57c72458b927aae41001ad7776b9a5d875383c323f310611ab95c4fe
SHA512 69bbe54391b60ade2bbd85dacd7bbe9054b018106807487c1649a5b47c6d49c9ffaffc7a2c6e94d1627dfd1c5638297660e49e0b21fde4596adb2d54f50f4520

C:\Windows\SysWOW64\Adkqoohc.exe

MD5 319886fe5e66bc9f2561c5c6436c52dd
SHA1 71005c337760484bbc481e6825055caa9101b41b
SHA256 41ccecdd0a28195655bd60ec9d0d02d18114f42ceaf7f21c1909d7dc3418bee2
SHA512 7a5005ae94889231392a718adeb5e48987b561b716b48bafbffd9f1050d3f0fdbd15b0e824720c96d102dd332c33e1ca9265046b479a661964bcdcc5602bc71f

C:\Windows\SysWOW64\Aopemh32.exe

MD5 ccbd459273eb82d572e7b78e3746a39d
SHA1 349ea0a38be70b6b7678dff7844acfc18cd99a5d
SHA256 8672580412ae07f9fa7bf6004edf2a3a044ef0d043abae90855b4cd39871d092
SHA512 25b60fd121948565f7036332956e80746cc2800a9317707b89f8692340f8b2c0b3c5bd908ca08bee3f4e00c65604c95c052b78b1fd0ccb3a5dc92678b96cccbe

C:\Windows\SysWOW64\Bgelgi32.exe

MD5 295ec5cd04125aa5093444035213270c
SHA1 249b7923008f07add22cb395475fc73c05fb6796
SHA256 6ed4c5e6f7f54fe18da1f018c795eafe9bec92f78127480c07ca688b3fb60c90
SHA512 8d11117b2f897ee1498107cdde78be089d3bfd3504696989b2b35e13a6ccfd6924d7cd858c9842021303a8d382c86e6d8b10946e1d7ef8825678b1410c16b447

C:\Windows\SysWOW64\Conanfli.exe

MD5 20ba417b4db6a5b2051131b42329c78d
SHA1 a56f17b4a223279555a98d4772db9ad0db9cba4b
SHA256 27370d6dccd4494c681ea60fcc115dcf1a1f6897d0cd9f644c7bb2980587c97f
SHA512 1c8d0997d6964ceba0fe599888a95c3065c68555ab1af0e0327b89704f80ac05feb3ad883db0917d80796351cff9586681ffd5f243f1d3a0ac51f04bc0bf1dda

C:\Windows\SysWOW64\Cdmfllhn.exe

MD5 1fe45c8f84c11648d7397d76c4884683
SHA1 ca1c21ae2fbb10c47d1434b601abfb2f5359dd83
SHA256 48f6af30c089473c5acf6058206ff0da07bf8d0ea5f1039cb50f2206a460a271
SHA512 e5217eb6c59de3a758f165611301ea153e1bd93ed43888b6b9a71a72971c13d36c733ae7b681fb259e431b79a4cc1175fb82a13210ac51de667faacc71eceb97

C:\Windows\SysWOW64\Caageq32.exe

MD5 2dfb4b1080e809911d97f7ffd5686de0
SHA1 353d5b3bc2b0dce1ad08bab991edade5daedfacf
SHA256 20308a661f1e8a8a735115a6870f5e98a5f759d96da2a8a5e5813e4010bf1128
SHA512 bd52040905734738c5617f6a0b6776d2bd9eef87d7ef5bb720314dd73fb8be1451a0733a605f52a4acbb55989e2f217fab621c42315e3d22e40b860a0ad3ee6d

C:\Windows\SysWOW64\Cnjdpaki.exe

MD5 c1f40e8ee8c4a9e7d21ee3d3caaed1a4
SHA1 74d87381621d9c8dc51ee067a02f93064a3bd029
SHA256 0de35734221013eb41b16510f2f8d66d06ea88f5312f7919b1781116271738a0
SHA512 42c1875e5415d2619bb4598fba8808d2f3ab69cf4809aa55153e113d009098c516dab4f4e7f0e9be2f7a7b0dfad2cbdc4869436c8485c61b559be1ad8b6fbe7c

C:\Windows\SysWOW64\Dnmaea32.exe

MD5 e05fc24ec36ef04b12456c4997a1dc6a
SHA1 848ef15e2be1026455d7d503345f12da31ed9814
SHA256 1a76bc9c8db2ce663a6ef2e5093929401000b09e78261be4ec61d07c2fb18b80
SHA512 dee7168c32c2f69e0e1811816ddbbcfa578234d5da7bc5d0ba03601b03fa0a347071c1288d0b7d3cdd4732162f4ff4ee5988b706df0c91dc7f051be248167733

C:\Windows\SysWOW64\Dhbebj32.exe

MD5 4f8c649c5a2f11cc76be49f163a6c36b
SHA1 06e9f6541693f36bc75280b6e02aa4fdd9307264
SHA256 5d9531b701823d7624d3e40e4bd61ceb84cf0c507b404ca403ba66626f56844a
SHA512 ea831185e9d9c2ad4ac0a16ef86b75db55d0aa877acbec90c56b06ba2e37764bac285ce0bcd3d5284db6fb0bcac677eedc92d71cfaf25182c9018c87eecdcab1

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 15:58

Reported

2024-09-16 16:00

Platform

win7-20240903-en

Max time kernel

38s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckmfbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghkbepop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkkkgkla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hembfo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hmkdpafo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipkmal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ppcplg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qcgfcbbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Faanibeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Facjobce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpkehbjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fknlmggc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndfmgdeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pigkjmap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gfaodclg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnboonmb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cecnflpd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpiobh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekgineko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeecibci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gjjoob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bqhffj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bimnqk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjnjhcqo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fldeakgp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfclic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Holqbipe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Giolpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pigkjmap.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epmdljal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fogkhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghkbepop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gjjoob32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhmpmcaq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obpccped.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qhoeqide.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkdclgpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdafkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gqmqkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofgfio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckmfbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eeecibci.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecidbfbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eehpoaaf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fcipaien.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgfjld32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qcdinbdk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amjmpk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkdclgpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipkmal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcagma32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phaegfpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecidbfbb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobnljhp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ooianpif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qcdinbdk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epmdljal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fogkhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Giolpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjnjhcqo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flfbfken.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icdllk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alojlgii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmclem32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mmgoqg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcagma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpkehbjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgfjld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnboonmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhmpmcaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmjhejph.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndfmgdeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofdicodf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofgfio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obngnphg.exe N/A
N/A N/A C:\Windows\SysWOW64\Obpccped.exe N/A
N/A N/A C:\Windows\SysWOW64\Obbpio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooianpif.exe N/A
N/A N/A C:\Windows\SysWOW64\Phaegfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcbmend.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigkjmap.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppcplg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhoeqide.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcdinbdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcgfcbbh.exe N/A
N/A N/A C:\Windows\SysWOW64\Alojlgii.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqapek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anepooja.exe N/A
N/A N/A C:\Windows\SysWOW64\Amjmpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqhffj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfeonq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfgkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdclgpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bihdfkoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bimnqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjnjhcqo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cecnflpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckmfbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Camlpldf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmclem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cijmjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpiobh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmcidqlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekgineko.exe N/A
N/A N/A C:\Windows\SysWOW64\Eaaajo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egnjbfqc.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiocdand.exe N/A
N/A N/A C:\Windows\SysWOW64\Eddgaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeecibci.exe N/A
N/A N/A C:\Windows\SysWOW64\Emmljodk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecidbfbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eehpoaaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Epmdljal.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejmda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fldeakgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Faanibeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Flfbfken.exe N/A
N/A N/A C:\Windows\SysWOW64\Facjobce.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdafkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fogkhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fddcqm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fknlmggc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcipaien.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqmqkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjeedcjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobnljhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkbepop.exe N/A
N/A N/A C:\Windows\SysWOW64\Godjaj32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmgoqg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmgoqg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcagma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcagma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpkehbjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpkehbjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgfjld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgfjld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnboonmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnboonmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhmpmcaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhmpmcaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmjhejph.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmjhejph.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndfmgdeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndfmgdeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofdicodf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofdicodf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofgfio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofgfio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obngnphg.exe N/A
N/A N/A C:\Windows\SysWOW64\Obngnphg.exe N/A
N/A N/A C:\Windows\SysWOW64\Obpccped.exe N/A
N/A N/A C:\Windows\SysWOW64\Obpccped.exe N/A
N/A N/A C:\Windows\SysWOW64\Obbpio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obbpio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooianpif.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooianpif.exe N/A
N/A N/A C:\Windows\SysWOW64\Phaegfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Phaegfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcbmend.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcbmend.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigkjmap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pigkjmap.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppcplg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppcplg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhoeqide.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhoeqide.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcdinbdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcdinbdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcgfcbbh.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcgfcbbh.exe N/A
N/A N/A C:\Windows\SysWOW64\Alojlgii.exe N/A
N/A N/A C:\Windows\SysWOW64\Alojlgii.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqapek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqapek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anepooja.exe N/A
N/A N/A C:\Windows\SysWOW64\Anepooja.exe N/A
N/A N/A C:\Windows\SysWOW64\Amjmpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amjmpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqhffj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqhffj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfeonq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfeonq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfgkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfgkdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdclgpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkdclgpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bihdfkoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bihdfkoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bimnqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bimnqk32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Egnjbfqc.exe C:\Windows\SysWOW64\Eaaajo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkbepop.exe C:\Windows\SysWOW64\Gobnljhp.exe N/A
File created C:\Windows\SysWOW64\Gqmqkn32.exe C:\Windows\SysWOW64\Fcipaien.exe N/A
File created C:\Windows\SysWOW64\Mgfjld32.exe C:\Windows\SysWOW64\Mpkehbjm.exe N/A
File opened for modification C:\Windows\SysWOW64\Phcbmend.exe C:\Windows\SysWOW64\Phaegfpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cijmjn32.exe C:\Windows\SysWOW64\Cmclem32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmcidqlf.exe C:\Windows\SysWOW64\Dpiobh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ecidbfbb.exe C:\Windows\SysWOW64\Emmljodk.exe N/A
File created C:\Windows\SysWOW64\Ilbnfmhd.exe C:\Windows\SysWOW64\Ipkmal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iifnpagn.exe C:\Windows\SysWOW64\Ilbnfmhd.exe N/A
File created C:\Windows\SysWOW64\Qcdinbdk.exe C:\Windows\SysWOW64\Qhoeqide.exe N/A
File opened for modification C:\Windows\SysWOW64\Eddgaj32.exe C:\Windows\SysWOW64\Eiocdand.exe N/A
File created C:\Windows\SysWOW64\Kcliqaid.dll C:\Windows\SysWOW64\Facjobce.exe N/A
File created C:\Windows\SysWOW64\Fddcqm32.exe C:\Windows\SysWOW64\Fogkhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Giolpo32.exe C:\Windows\SysWOW64\Gfaodclg.exe N/A
File opened for modification C:\Windows\SysWOW64\Icdllk32.exe C:\Windows\SysWOW64\Hmkdpafo.exe N/A
File opened for modification C:\Windows\SysWOW64\Amjmpk32.exe C:\Windows\SysWOW64\Anepooja.exe N/A
File created C:\Windows\SysWOW64\Bkdclgpl.exe C:\Windows\SysWOW64\Bfgkdp32.exe N/A
File created C:\Windows\SysWOW64\Ckmfbf32.exe C:\Windows\SysWOW64\Cecnflpd.exe N/A
File created C:\Windows\SysWOW64\Gjjoob32.exe C:\Windows\SysWOW64\Godjaj32.exe N/A
File created C:\Windows\SysWOW64\Hgnkgjgh.exe C:\Windows\SysWOW64\Hnegod32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fddcqm32.exe C:\Windows\SysWOW64\Fogkhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpkehbjm.exe C:\Windows\SysWOW64\Mcagma32.exe N/A
File created C:\Windows\SysWOW64\Ebljbhhn.dll C:\Windows\SysWOW64\Obngnphg.exe N/A
File created C:\Windows\SysWOW64\Mniiepja.dll C:\Windows\SysWOW64\Ooianpif.exe N/A
File created C:\Windows\SysWOW64\Cecnflpd.exe C:\Windows\SysWOW64\Cjnjhcqo.exe N/A
File opened for modification C:\Windows\SysWOW64\Cecnflpd.exe C:\Windows\SysWOW64\Cjnjhcqo.exe N/A
File created C:\Windows\SysWOW64\Gmjjblih.dll C:\Windows\SysWOW64\Cmclem32.exe N/A
File created C:\Windows\SysWOW64\Lgkhdo32.dll C:\Windows\SysWOW64\Dmcidqlf.exe N/A
File created C:\Windows\SysWOW64\Flfbfken.exe C:\Windows\SysWOW64\Faanibeh.exe N/A
File created C:\Windows\SysWOW64\Kqeeabhm.dll C:\Windows\SysWOW64\Gjeedcjh.exe N/A
File created C:\Windows\SysWOW64\Hcnfllcd.exe C:\Windows\SysWOW64\Hblidd32.exe N/A
File created C:\Windows\SysWOW64\Mmgoqg32.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndfmgdeb.exe C:\Windows\SysWOW64\Nmjhejph.exe N/A
File created C:\Windows\SysWOW64\Pffdfm32.dll C:\Windows\SysWOW64\Giolpo32.exe N/A
File created C:\Windows\SysWOW64\Mlcipnga.dll C:\Windows\SysWOW64\Hnegod32.exe N/A
File created C:\Windows\SysWOW64\Ipkmal32.exe C:\Windows\SysWOW64\Icdllk32.exe N/A
File created C:\Windows\SysWOW64\Oinplk32.dll C:\Windows\SysWOW64\Nnboonmb.exe N/A
File created C:\Windows\SysWOW64\Phcbmend.exe C:\Windows\SysWOW64\Phaegfpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfeonq32.exe C:\Windows\SysWOW64\Bqhffj32.exe N/A
File created C:\Windows\SysWOW64\Akdmoj32.dll C:\Windows\SysWOW64\Bkdclgpl.exe N/A
File created C:\Windows\SysWOW64\Qkpmkopd.dll C:\Windows\SysWOW64\Mgfjld32.exe N/A
File created C:\Windows\SysWOW64\Bqhffj32.exe C:\Windows\SysWOW64\Amjmpk32.exe N/A
File created C:\Windows\SysWOW64\Cklljn32.dll C:\Windows\SysWOW64\Bqhffj32.exe N/A
File created C:\Windows\SysWOW64\Miocfn32.dll C:\Windows\SysWOW64\Ecidbfbb.exe N/A
File created C:\Windows\SysWOW64\Gdfpjl32.dll C:\Windows\SysWOW64\Faanibeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkdclgpl.exe C:\Windows\SysWOW64\Bfgkdp32.exe N/A
File created C:\Windows\SysWOW64\Cijmjn32.exe C:\Windows\SysWOW64\Cmclem32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eaaajo32.exe C:\Windows\SysWOW64\Ekgineko.exe N/A
File created C:\Windows\SysWOW64\Epmdljal.exe C:\Windows\SysWOW64\Eehpoaaf.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmclem32.exe C:\Windows\SysWOW64\Camlpldf.exe N/A
File created C:\Windows\SysWOW64\Fejmda32.exe C:\Windows\SysWOW64\Epmdljal.exe N/A
File created C:\Windows\SysWOW64\Gndjpoaa.dll C:\Windows\SysWOW64\Icdllk32.exe N/A
File created C:\Windows\SysWOW64\Bfgkdp32.exe C:\Windows\SysWOW64\Bfeonq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qcdinbdk.exe C:\Windows\SysWOW64\Qhoeqide.exe N/A
File created C:\Windows\SysWOW64\Emmljodk.exe C:\Windows\SysWOW64\Eeecibci.exe N/A
File opened for modification C:\Windows\SysWOW64\Fogkhf32.exe C:\Windows\SysWOW64\Fdafkm32.exe N/A
File created C:\Windows\SysWOW64\Qhoeqide.exe C:\Windows\SysWOW64\Ppcplg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiahfo32.exe C:\Windows\SysWOW64\Gfclic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gjeedcjh.exe C:\Windows\SysWOW64\Gqmqkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Godjaj32.exe C:\Windows\SysWOW64\Ghkbepop.exe N/A
File opened for modification C:\Windows\SysWOW64\Hehikpol.exe C:\Windows\SysWOW64\Holqbipe.exe N/A
File opened for modification C:\Windows\SysWOW64\Pigkjmap.exe C:\Windows\SysWOW64\Phcbmend.exe N/A
File created C:\Windows\SysWOW64\Fcipaien.exe C:\Windows\SysWOW64\Fknlmggc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iifnpagn.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfaodclg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hiahfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obbpio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pigkjmap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqhffj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfeonq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emmljodk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epmdljal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qhoeqide.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpiobh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eeecibci.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fknlmggc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfclic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iifnpagn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fejmda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmkdpafo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcagma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ooianpif.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkdclgpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckmfbf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egnjbfqc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ecidbfbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmclem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cijmjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flfbfken.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gjeedcjh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hembfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgnkgjgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqapek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bihdfkoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Camlpldf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghkbepop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phcbmend.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppcplg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eddgaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Faanibeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fogkhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fddcqm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhmpmcaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eehpoaaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gqmqkn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gobnljhp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gkkkgkla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpkehbjm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgfjld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfgkdp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eiocdand.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hblidd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obpccped.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anepooja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amjmpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eaaajo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjgnhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjnjhcqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fldeakgp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hehikpol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilbnfmhd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icdllk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmgoqg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndfmgdeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alojlgii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bimnqk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekgineko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnegod32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfcmcce.dll" C:\Windows\SysWOW64\Obbpio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfeonq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Camlpldf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eddgaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qefqjm32.dll" C:\Windows\SysWOW64\Fogkhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imekobfb.dll" C:\Windows\SysWOW64\Fcipaien.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpkehbjm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofgfio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghkbepop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hjgnhf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cecnflpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiahfo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ppcplg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amjmpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obbpio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cecnflpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obngnphg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obpccped.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eaaajo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flfbfken.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hembfo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qcgfcbbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajijco32.dll" C:\Windows\SysWOW64\Eaaajo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfafnphf.dll" C:\Windows\SysWOW64\Ppcplg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eehpoaaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dogccico.dll" C:\Windows\SysWOW64\Fknlmggc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qanlji32.dll" C:\Windows\SysWOW64\Mcagma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phaegfpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pigkjmap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epmdljal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fdafkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqagfen.dll" C:\Windows\SysWOW64\Fdafkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbebkmci.dll" C:\Windows\SysWOW64\Ilbnfmhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkpmkopd.dll" C:\Windows\SysWOW64\Mgfjld32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phcbmend.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnfdgld.dll" C:\Windows\SysWOW64\Fldeakgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Giolpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifddon32.dll" C:\Windows\SysWOW64\Mmgoqg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhmpmcaq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkdclgpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcipnga.dll" C:\Windows\SysWOW64\Hnegod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcofleb.dll" C:\Windows\SysWOW64\Gfaodclg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keqmohcg.dll" C:\Windows\SysWOW64\Hgnkgjgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bihdfkoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehgnffj.dll" C:\Windows\SysWOW64\Bihdfkoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palffa32.dll" C:\Windows\SysWOW64\Fejmda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flfbfken.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnboonmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ppcplg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckmfbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmcidqlf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Egnjbfqc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fejmda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giemme32.dll" C:\Windows\SysWOW64\Gkkkgkla.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anepooja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcpho32.dll" C:\Windows\SysWOW64\Phaegfpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anepooja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fddcqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmgoqg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ooianpif.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fcipaien.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alojlgii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fknlmggc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mmgoqg32.exe
PID 2292 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mmgoqg32.exe
PID 2292 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mmgoqg32.exe
PID 2292 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe C:\Windows\SysWOW64\Mmgoqg32.exe
PID 2812 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Mmgoqg32.exe C:\Windows\SysWOW64\Mcagma32.exe
PID 2812 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Mmgoqg32.exe C:\Windows\SysWOW64\Mcagma32.exe
PID 2812 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Mmgoqg32.exe C:\Windows\SysWOW64\Mcagma32.exe
PID 2812 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Mmgoqg32.exe C:\Windows\SysWOW64\Mcagma32.exe
PID 2684 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Mcagma32.exe C:\Windows\SysWOW64\Mpkehbjm.exe
PID 2684 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Mcagma32.exe C:\Windows\SysWOW64\Mpkehbjm.exe
PID 2684 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Mcagma32.exe C:\Windows\SysWOW64\Mpkehbjm.exe
PID 2684 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Mcagma32.exe C:\Windows\SysWOW64\Mpkehbjm.exe
PID 2672 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Mpkehbjm.exe C:\Windows\SysWOW64\Mgfjld32.exe
PID 2672 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Mpkehbjm.exe C:\Windows\SysWOW64\Mgfjld32.exe
PID 2672 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Mpkehbjm.exe C:\Windows\SysWOW64\Mgfjld32.exe
PID 2672 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Mpkehbjm.exe C:\Windows\SysWOW64\Mgfjld32.exe
PID 2828 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Mgfjld32.exe C:\Windows\SysWOW64\Nnboonmb.exe
PID 2828 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Mgfjld32.exe C:\Windows\SysWOW64\Nnboonmb.exe
PID 2828 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Mgfjld32.exe C:\Windows\SysWOW64\Nnboonmb.exe
PID 2828 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Mgfjld32.exe C:\Windows\SysWOW64\Nnboonmb.exe
PID 2580 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Nnboonmb.exe C:\Windows\SysWOW64\Nhmpmcaq.exe
PID 2580 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Nnboonmb.exe C:\Windows\SysWOW64\Nhmpmcaq.exe
PID 2580 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Nnboonmb.exe C:\Windows\SysWOW64\Nhmpmcaq.exe
PID 2580 wrote to memory of 2984 N/A C:\Windows\SysWOW64\Nnboonmb.exe C:\Windows\SysWOW64\Nhmpmcaq.exe
PID 2984 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Nhmpmcaq.exe C:\Windows\SysWOW64\Nmjhejph.exe
PID 2984 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Nhmpmcaq.exe C:\Windows\SysWOW64\Nmjhejph.exe
PID 2984 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Nhmpmcaq.exe C:\Windows\SysWOW64\Nmjhejph.exe
PID 2984 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Nhmpmcaq.exe C:\Windows\SysWOW64\Nmjhejph.exe
PID 2832 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nmjhejph.exe C:\Windows\SysWOW64\Ndfmgdeb.exe
PID 2832 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nmjhejph.exe C:\Windows\SysWOW64\Ndfmgdeb.exe
PID 2832 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nmjhejph.exe C:\Windows\SysWOW64\Ndfmgdeb.exe
PID 2832 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Nmjhejph.exe C:\Windows\SysWOW64\Ndfmgdeb.exe
PID 2396 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Ndfmgdeb.exe C:\Windows\SysWOW64\Ofdicodf.exe
PID 2396 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Ndfmgdeb.exe C:\Windows\SysWOW64\Ofdicodf.exe
PID 2396 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Ndfmgdeb.exe C:\Windows\SysWOW64\Ofdicodf.exe
PID 2396 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Ndfmgdeb.exe C:\Windows\SysWOW64\Ofdicodf.exe
PID 2012 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Ofdicodf.exe C:\Windows\SysWOW64\Ofgfio32.exe
PID 2012 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Ofdicodf.exe C:\Windows\SysWOW64\Ofgfio32.exe
PID 2012 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Ofdicodf.exe C:\Windows\SysWOW64\Ofgfio32.exe
PID 2012 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Ofdicodf.exe C:\Windows\SysWOW64\Ofgfio32.exe
PID 2504 wrote to memory of 472 N/A C:\Windows\SysWOW64\Ofgfio32.exe C:\Windows\SysWOW64\Obngnphg.exe
PID 2504 wrote to memory of 472 N/A C:\Windows\SysWOW64\Ofgfio32.exe C:\Windows\SysWOW64\Obngnphg.exe
PID 2504 wrote to memory of 472 N/A C:\Windows\SysWOW64\Ofgfio32.exe C:\Windows\SysWOW64\Obngnphg.exe
PID 2504 wrote to memory of 472 N/A C:\Windows\SysWOW64\Ofgfio32.exe C:\Windows\SysWOW64\Obngnphg.exe
PID 472 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Obngnphg.exe C:\Windows\SysWOW64\Obpccped.exe
PID 472 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Obngnphg.exe C:\Windows\SysWOW64\Obpccped.exe
PID 472 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Obngnphg.exe C:\Windows\SysWOW64\Obpccped.exe
PID 472 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Obngnphg.exe C:\Windows\SysWOW64\Obpccped.exe
PID 1716 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Obpccped.exe C:\Windows\SysWOW64\Obbpio32.exe
PID 1716 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Obpccped.exe C:\Windows\SysWOW64\Obbpio32.exe
PID 1716 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Obpccped.exe C:\Windows\SysWOW64\Obbpio32.exe
PID 1716 wrote to memory of 1616 N/A C:\Windows\SysWOW64\Obpccped.exe C:\Windows\SysWOW64\Obbpio32.exe
PID 1616 wrote to memory of 1916 N/A C:\Windows\SysWOW64\Obbpio32.exe C:\Windows\SysWOW64\Ooianpif.exe
PID 1616 wrote to memory of 1916 N/A C:\Windows\SysWOW64\Obbpio32.exe C:\Windows\SysWOW64\Ooianpif.exe
PID 1616 wrote to memory of 1916 N/A C:\Windows\SysWOW64\Obbpio32.exe C:\Windows\SysWOW64\Ooianpif.exe
PID 1616 wrote to memory of 1916 N/A C:\Windows\SysWOW64\Obbpio32.exe C:\Windows\SysWOW64\Ooianpif.exe
PID 1916 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Ooianpif.exe C:\Windows\SysWOW64\Phaegfpg.exe
PID 1916 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Ooianpif.exe C:\Windows\SysWOW64\Phaegfpg.exe
PID 1916 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Ooianpif.exe C:\Windows\SysWOW64\Phaegfpg.exe
PID 1916 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Ooianpif.exe C:\Windows\SysWOW64\Phaegfpg.exe
PID 2120 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Phaegfpg.exe C:\Windows\SysWOW64\Phcbmend.exe
PID 2120 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Phaegfpg.exe C:\Windows\SysWOW64\Phcbmend.exe
PID 2120 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Phaegfpg.exe C:\Windows\SysWOW64\Phcbmend.exe
PID 2120 wrote to memory of 1864 N/A C:\Windows\SysWOW64\Phaegfpg.exe C:\Windows\SysWOW64\Phcbmend.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.AA.exe"

C:\Windows\SysWOW64\Mmgoqg32.exe

C:\Windows\system32\Mmgoqg32.exe

C:\Windows\SysWOW64\Mcagma32.exe

C:\Windows\system32\Mcagma32.exe

C:\Windows\SysWOW64\Mpkehbjm.exe

C:\Windows\system32\Mpkehbjm.exe

C:\Windows\SysWOW64\Mgfjld32.exe

C:\Windows\system32\Mgfjld32.exe

C:\Windows\SysWOW64\Nnboonmb.exe

C:\Windows\system32\Nnboonmb.exe

C:\Windows\SysWOW64\Nhmpmcaq.exe

C:\Windows\system32\Nhmpmcaq.exe

C:\Windows\SysWOW64\Nmjhejph.exe

C:\Windows\system32\Nmjhejph.exe

C:\Windows\SysWOW64\Ndfmgdeb.exe

C:\Windows\system32\Ndfmgdeb.exe

C:\Windows\SysWOW64\Ofdicodf.exe

C:\Windows\system32\Ofdicodf.exe

C:\Windows\SysWOW64\Ofgfio32.exe

C:\Windows\system32\Ofgfio32.exe

C:\Windows\SysWOW64\Obngnphg.exe

C:\Windows\system32\Obngnphg.exe

C:\Windows\SysWOW64\Obpccped.exe

C:\Windows\system32\Obpccped.exe

C:\Windows\SysWOW64\Obbpio32.exe

C:\Windows\system32\Obbpio32.exe

C:\Windows\SysWOW64\Ooianpif.exe

C:\Windows\system32\Ooianpif.exe

C:\Windows\SysWOW64\Phaegfpg.exe

C:\Windows\system32\Phaegfpg.exe

C:\Windows\SysWOW64\Phcbmend.exe

C:\Windows\system32\Phcbmend.exe

C:\Windows\SysWOW64\Pigkjmap.exe

C:\Windows\system32\Pigkjmap.exe

C:\Windows\SysWOW64\Ppcplg32.exe

C:\Windows\system32\Ppcplg32.exe

C:\Windows\SysWOW64\Qhoeqide.exe

C:\Windows\system32\Qhoeqide.exe

C:\Windows\SysWOW64\Qcdinbdk.exe

C:\Windows\system32\Qcdinbdk.exe

C:\Windows\SysWOW64\Qcgfcbbh.exe

C:\Windows\system32\Qcgfcbbh.exe

C:\Windows\SysWOW64\Alojlgii.exe

C:\Windows\system32\Alojlgii.exe

C:\Windows\SysWOW64\Aqapek32.exe

C:\Windows\system32\Aqapek32.exe

C:\Windows\SysWOW64\Anepooja.exe

C:\Windows\system32\Anepooja.exe

C:\Windows\SysWOW64\Amjmpk32.exe

C:\Windows\system32\Amjmpk32.exe

C:\Windows\SysWOW64\Bqhffj32.exe

C:\Windows\system32\Bqhffj32.exe

C:\Windows\SysWOW64\Bfeonq32.exe

C:\Windows\system32\Bfeonq32.exe

C:\Windows\SysWOW64\Bfgkdp32.exe

C:\Windows\system32\Bfgkdp32.exe

C:\Windows\SysWOW64\Bkdclgpl.exe

C:\Windows\system32\Bkdclgpl.exe

C:\Windows\SysWOW64\Bihdfkoe.exe

C:\Windows\system32\Bihdfkoe.exe

C:\Windows\SysWOW64\Bimnqk32.exe

C:\Windows\system32\Bimnqk32.exe

C:\Windows\SysWOW64\Cjnjhcqo.exe

C:\Windows\system32\Cjnjhcqo.exe

C:\Windows\SysWOW64\Cecnflpd.exe

C:\Windows\system32\Cecnflpd.exe

C:\Windows\SysWOW64\Ckmfbf32.exe

C:\Windows\system32\Ckmfbf32.exe

C:\Windows\SysWOW64\Camlpldf.exe

C:\Windows\system32\Camlpldf.exe

C:\Windows\SysWOW64\Cmclem32.exe

C:\Windows\system32\Cmclem32.exe

C:\Windows\SysWOW64\Cijmjn32.exe

C:\Windows\system32\Cijmjn32.exe

C:\Windows\SysWOW64\Dpiobh32.exe

C:\Windows\system32\Dpiobh32.exe

C:\Windows\SysWOW64\Dmcidqlf.exe

C:\Windows\system32\Dmcidqlf.exe

C:\Windows\SysWOW64\Ekgineko.exe

C:\Windows\system32\Ekgineko.exe

C:\Windows\SysWOW64\Eaaajo32.exe

C:\Windows\system32\Eaaajo32.exe

C:\Windows\SysWOW64\Egnjbfqc.exe

C:\Windows\system32\Egnjbfqc.exe

C:\Windows\SysWOW64\Eiocdand.exe

C:\Windows\system32\Eiocdand.exe

C:\Windows\SysWOW64\Eddgaj32.exe

C:\Windows\system32\Eddgaj32.exe

C:\Windows\SysWOW64\Eeecibci.exe

C:\Windows\system32\Eeecibci.exe

C:\Windows\SysWOW64\Emmljodk.exe

C:\Windows\system32\Emmljodk.exe

C:\Windows\SysWOW64\Ecidbfbb.exe

C:\Windows\system32\Ecidbfbb.exe

C:\Windows\SysWOW64\Eehpoaaf.exe

C:\Windows\system32\Eehpoaaf.exe

C:\Windows\SysWOW64\Epmdljal.exe

C:\Windows\system32\Epmdljal.exe

C:\Windows\SysWOW64\Fejmda32.exe

C:\Windows\system32\Fejmda32.exe

C:\Windows\SysWOW64\Fldeakgp.exe

C:\Windows\system32\Fldeakgp.exe

C:\Windows\SysWOW64\Faanibeh.exe

C:\Windows\system32\Faanibeh.exe

C:\Windows\SysWOW64\Flfbfken.exe

C:\Windows\system32\Flfbfken.exe

C:\Windows\SysWOW64\Facjobce.exe

C:\Windows\system32\Facjobce.exe

C:\Windows\SysWOW64\Fdafkm32.exe

C:\Windows\system32\Fdafkm32.exe

C:\Windows\SysWOW64\Fogkhf32.exe

C:\Windows\system32\Fogkhf32.exe

C:\Windows\SysWOW64\Fddcqm32.exe

C:\Windows\system32\Fddcqm32.exe

C:\Windows\SysWOW64\Fknlmggc.exe

C:\Windows\system32\Fknlmggc.exe

C:\Windows\SysWOW64\Fcipaien.exe

C:\Windows\system32\Fcipaien.exe

C:\Windows\SysWOW64\Gqmqkn32.exe

C:\Windows\system32\Gqmqkn32.exe

C:\Windows\SysWOW64\Gjeedcjh.exe

C:\Windows\system32\Gjeedcjh.exe

C:\Windows\SysWOW64\Gobnljhp.exe

C:\Windows\system32\Gobnljhp.exe

C:\Windows\SysWOW64\Ghkbepop.exe

C:\Windows\system32\Ghkbepop.exe

C:\Windows\SysWOW64\Godjaj32.exe

C:\Windows\system32\Godjaj32.exe

C:\Windows\SysWOW64\Gjjoob32.exe

C:\Windows\system32\Gjjoob32.exe

C:\Windows\SysWOW64\Gkkkgkla.exe

C:\Windows\system32\Gkkkgkla.exe

C:\Windows\SysWOW64\Gfaodclg.exe

C:\Windows\system32\Gfaodclg.exe

C:\Windows\SysWOW64\Giolpo32.exe

C:\Windows\system32\Giolpo32.exe

C:\Windows\SysWOW64\Gfclic32.exe

C:\Windows\system32\Gfclic32.exe

C:\Windows\SysWOW64\Hiahfo32.exe

C:\Windows\system32\Hiahfo32.exe

C:\Windows\SysWOW64\Holqbipe.exe

C:\Windows\system32\Holqbipe.exe

C:\Windows\SysWOW64\Hehikpol.exe

C:\Windows\system32\Hehikpol.exe

C:\Windows\SysWOW64\Hblidd32.exe

C:\Windows\system32\Hblidd32.exe

C:\Windows\SysWOW64\Hcnfllcd.exe

C:\Windows\system32\Hcnfllcd.exe

C:\Windows\SysWOW64\Hjgnhf32.exe

C:\Windows\system32\Hjgnhf32.exe

C:\Windows\SysWOW64\Hembfo32.exe

C:\Windows\system32\Hembfo32.exe

C:\Windows\SysWOW64\Hnegod32.exe

C:\Windows\system32\Hnegod32.exe

C:\Windows\SysWOW64\Hgnkgjgh.exe

C:\Windows\system32\Hgnkgjgh.exe

C:\Windows\SysWOW64\Hmkdpafo.exe

C:\Windows\system32\Hmkdpafo.exe

C:\Windows\SysWOW64\Icdllk32.exe

C:\Windows\system32\Icdllk32.exe

C:\Windows\SysWOW64\Ipkmal32.exe

C:\Windows\system32\Ipkmal32.exe

C:\Windows\SysWOW64\Ilbnfmhd.exe

C:\Windows\system32\Ilbnfmhd.exe

C:\Windows\SysWOW64\Iifnpagn.exe

C:\Windows\system32\Iifnpagn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 140

Network

N/A

Files

memory/2292-0-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2812-22-0x0000000000270000-0x00000000002B1000-memory.dmp

C:\Windows\SysWOW64\Mmgoqg32.exe

MD5 9dfa3ee56645156e8dd7542d434a59dc
SHA1 cf739931171a1df644702ba67e2cf87c2d7e3790
SHA256 0cb92059a8c8fa334cb61dd08748fcba87a91b0393eb6a450b6ec0ba6224754a
SHA512 e00a0e439240a3d92904d33d6f956b5ffa99db04065f50c9cb67421c6730b6af282464147501cb63c88e2fcd02dba0d1a9880ca4683c5e0d0aba8a7813307695

memory/2292-17-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2812-20-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Mcagma32.exe

MD5 23d70a150a49f4679c37d872c24613e4
SHA1 6eeb136c2f3f2f417c58b9f9560ae25d2c94d813
SHA256 4392597c7e4c04d27db8c81a0657aa41a99ca878b84aeda1021a453eeda4a323
SHA512 4663bb1fd156c739dacdf88ce46a888a5c30831b65fdc1de0a90b27c8141b5eaa8e549cce58018e3e84e402bfe174cf447b4776b0bb84f258387967b9d55a5b9

memory/2292-18-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2684-28-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Mgfjld32.exe

MD5 1a4f4c825307b529baff202099cde42e
SHA1 800bb535d5f550a3e9d351bc060f7dea62326df9
SHA256 0195646cc0b35bb0c00cda3728666322122a23367116988b04d68698f12423d6
SHA512 052a4eabe365701e657209e3416203839674277cc3d63801c5d71425c11b4cfbded48fdad4e78847c8e5fbc70d4209fa351393fa8d9e92227afccac60dc0667f

memory/2828-56-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Mpkehbjm.exe

MD5 082c8868a17f1b23b01acd3a6df8da4f
SHA1 14ba465e0a627891647a33d3bb4aec08f4a76ebb
SHA256 acf7e44c74da6dd48315855a471bc7d638acc5349afd8ed5051d54e9eb72fabb
SHA512 c88c23a375a4b4c04d4cd3f7518e7376f67c633540d96dc1fc6f219ac5b21958dc88c6c908760b3f2c0a5ac39475f9e1706b79fb5efccd6dcf98390ef55b0ef2

memory/2672-54-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2684-53-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2684-52-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Nnboonmb.exe

MD5 39fbf3e9ffb0a40d8520c8b630a1e500
SHA1 c1d0015b63a42e70844279c0700fff4af489c32a
SHA256 1813af4bcf55b81262ebe741573980feeeb7afa7de4725eeffdabf52f61f839a
SHA512 6c1d929af7415b53bcaef370377309561bf9ad4e2b4c8386bdac23b8226aad53869c35699d64af2aabdcd616813b3c657a35b095086ea42ec60ccdca1fc33af2

memory/2580-70-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2828-69-0x0000000000220000-0x0000000000261000-memory.dmp

\Windows\SysWOW64\Nhmpmcaq.exe

MD5 ed213d2dfc7253b208219ae18d81ccba
SHA1 c353bb8a4ec1e8d6bc9fd2626ba970b540d409e9
SHA256 7c4b46acbfd1084dceca8f1245fb73a596d29651c5802a39995f4dfcec0f2563
SHA512 6299b9ad3432c2c1cd95c336c49112db8074a976d687110b4b06aeb126a9447d4e87e711e4ceb590d611a0405c1d9704b5d97f520322c6e22b92ee946972d5d1

\Windows\SysWOW64\Nmjhejph.exe

MD5 2e24b6a96f398549e8e24374a590a0c2
SHA1 ff31dd9ef964cb7cc5cc6a29746e5c630ebeef0d
SHA256 dcb0d082dc65f671ffa583af60f504a6b6b3c7cb8231be5a4c1f4ed3da006680
SHA512 a98cbc46ce9bab569e12fee5eaebf8b756c9116b9922c9dbb93a191965cb049555aa692f4c03707d0f0ac254cd8e17a59b73764bf85fbb489f640fe1ec50a9d2

memory/2984-85-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2832-98-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2984-96-0x0000000001B90000-0x0000000001BD1000-memory.dmp

memory/2580-83-0x00000000002D0000-0x0000000000311000-memory.dmp

\Windows\SysWOW64\Ndfmgdeb.exe

MD5 dfc5686754bee26298b7d8644315382e
SHA1 88a026ae70f927a6dc1ea8f9f4dba87d180d2740
SHA256 8efa89578d44cb1b85d203198ecd1f11736fa4e199e94cc6256856724eba0fa3
SHA512 018c60d3a4ddab6818fe0ffb810a8d2ac9293d8464282848117ce0bbbdc9620b949ec53028c4b25f78de7961fa6b010ae79b5d80c21ffd5546d61c2ea58b62c0

memory/2396-119-0x0000000000220000-0x0000000000261000-memory.dmp

\Windows\SysWOW64\Ofdicodf.exe

MD5 9e0160f8975595ea0ff9dab7280da7d9
SHA1 5c6debd31682a567d23cd836571ba8c1cf9d4577
SHA256 5f14c974840baca34543917d2bc31bc90a1cadfd4d7f44559a922961dd01b7ed
SHA512 758948e454f41c084872f8b07eeb2bfb6df134317c0c36a4d50f5ac7c81e5b4ab4a1816f7ce13e9929a7a70d54eb11e7f1160ba2210381864dc8960f8b041807

memory/2832-110-0x0000000000220000-0x0000000000261000-memory.dmp

\Windows\SysWOW64\Ofgfio32.exe

MD5 18aa786d903c328b60baca7033123c85
SHA1 c85f9cd0dab6ca2788520e5f6a42fbd9f868de8a
SHA256 758093b82cdf355310e2df264877414f819e38d9aef7cdd00fa6f5da61a645da
SHA512 32ffc83ca2d790b9ad723b8e0b9c50ed94f996d6227c201088d0c428c5e0afc708af55dbb3c7359e181a457dcd573b044e7673f0a09724becaae06398c5729fd

memory/2012-132-0x0000000000310000-0x0000000000351000-memory.dmp

\Windows\SysWOW64\Obngnphg.exe

MD5 5b926c10be6770a97b3c3399a41eb3e1
SHA1 6b94db1cee84456ab9260462941ff1daf31d5219
SHA256 a584341aeee4c4b58627a62ff1a891cbddf9deccb15620fed04323ce4f7a6010
SHA512 58693ec8db86366ad1d877841111241c265f9ac86ad175005964fd02de2c13c8ae742d68e6b0043acd8181fbab2ac7cb1d3f5257332b6a4efd70156918a80561

memory/472-150-0x0000000000400000-0x0000000000441000-memory.dmp

\Windows\SysWOW64\Obpccped.exe

MD5 f0dfe2a1629e70c2e9f85d3caa6800c6
SHA1 efc413138c7548ac7c0ec12eab63e0f94ce2206e
SHA256 5593481fd2554fc4457a726a86209fe3efd356efe88a095d100b0052903fa53f
SHA512 cc2709052a779037cc7737c4151644549daa53674e3095dd32e2785a0511d13330fd97f0ee0b79eb68afd25182b59d82c9617227654af55ebae056bd392eb789

memory/472-158-0x00000000002C0000-0x0000000000301000-memory.dmp

\Windows\SysWOW64\Obbpio32.exe

MD5 89bffaa28ba3b222ef6adcdebac60cbd
SHA1 da260c96a1408f6d40dca5345ba16ca1930c78c1
SHA256 20ba8654ca6b1ba1f85758a072da44099d50101d7fbfd8da5d33fb49855775f7
SHA512 f6428083b3350995386cb7bbe13e160aac0b226cb158b5156eceaef6f337aa33866cd8f4e46cd2ee138301dd6a624cce3357d2086968d23523f4177204cb5a10

memory/1716-171-0x0000000000230000-0x0000000000271000-memory.dmp

memory/1616-184-0x0000000000220000-0x0000000000261000-memory.dmp

\Windows\SysWOW64\Ooianpif.exe

MD5 5547093d9aa3595e6c080ce8474f99f4
SHA1 6ca883e44b5906ecb53f8aed10fa1571634d25ab
SHA256 37dd9b9fd2cb712e96f9da8fae6ade0c676316a5d5fc33a6e67a49d9045a27e9
SHA512 e894d0d144b69e4d51790958ba5fe04e909468d50f8e963e645d7312458e14d56f0523e6f5f0a02c981ab96ebc77afb7ba45caffac60797d973db0e51234826f

\Windows\SysWOW64\Phaegfpg.exe

MD5 ff92c3593d6c433deb8db84fe617b3e7
SHA1 7cfb4b4799ef578285b4fd82a593ec6a9e35855e
SHA256 fca314b4dedce4ebd9ee1a451c0888643db084cca1843c61bf963ecb1c28d46a
SHA512 37ce9c34dd3ea878f4032b093f92059a875e32f5bae8c7097014b11c6943176aefb0a582675b715245a96f9b033b1f47f8b2a402d5687301d098f26b5651bd49

memory/1916-201-0x00000000002E0000-0x0000000000321000-memory.dmp

\Windows\SysWOW64\Phcbmend.exe

MD5 2848a5de222614c9a53cc13559da4526
SHA1 e7cf79b904b9a2928477c165d1a2895380c8cfb0
SHA256 5788964d89c5dca088d228e066196bd4839d7cd19abcbdfef900a028238c00e6
SHA512 0b42b95156c090f438f618c9ae12bf7ab87f72225d9bc25027171a6b6d0bcc8f2d9b0896541338f170931bd862c3a1b8d7270aad44d69f9bbc41b436bf34ba9b

memory/2120-210-0x0000000000280000-0x00000000002C1000-memory.dmp

memory/1864-216-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1864-223-0x0000000000450000-0x0000000000491000-memory.dmp

C:\Windows\SysWOW64\Pigkjmap.exe

MD5 00c872ad9b31e5bd9cc85ad4805f03e0
SHA1 7db4f440e905dc5d4c2202d30bd5f806ada54e9a
SHA256 055485c776283ce828023f7e87c46045f57e8828bdfc13dda8caf033c1dea4ec
SHA512 ed11436839ea3c980b8d95d6c6c386e52de59c7ebb82bd4484a1516b284e8ff80c890900f5fb25e0a163e44c259d178f87f42427e81c9ded2ac7dc09d04ad514

memory/600-232-0x00000000001B0000-0x00000000001F1000-memory.dmp

C:\Windows\SysWOW64\Ppcplg32.exe

MD5 6fbbcb4f61f5f4059a464f0c654ad568
SHA1 0861797fbd9f77499ec8b072185df6d5bb5b3c37
SHA256 6c1ffdec142c642af76292bc01a20a687dbdfa91a6094ebcb995b7ad5ed356ab
SHA512 7ce3dd090edf12baeb9398528eb133a18afc9ee1ed4dc419f6d25cd158ab42c881c29c99ae898c5280a7e29e3e3144ef3be7c1c770939b03e2cbb32abaacb3d3

memory/940-240-0x0000000000400000-0x0000000000441000-memory.dmp

memory/920-247-0x0000000000400000-0x0000000000441000-memory.dmp

memory/940-246-0x00000000002D0000-0x0000000000311000-memory.dmp

memory/940-245-0x00000000002D0000-0x0000000000311000-memory.dmp

C:\Windows\SysWOW64\Qhoeqide.exe

MD5 1d4cdb91b6127745a6a7ed7dd5cf07f1
SHA1 f18cdc9cb96ff0d274d932fee63c95bcef5f4145
SHA256 10a5b470f6694cbf7ca6fe4996ef6d7c182854bd21913d91d3e277a6120b01b3
SHA512 45fd05923293b8dbabff7767533c0b60174646b3d622ed73ac2ed06be0d66c636a83e99211b64c3d6b8d5e5b82ffe19fd54943e25e139c1e32b0474d8a02834c

C:\Windows\SysWOW64\Qcdinbdk.exe

MD5 4a90a6168aa40d276d14301f4430e484
SHA1 5f65a985d2c2a8200763c605b0337bf69e08f8d8
SHA256 d590741fb1aca780ec9b05d04d797aa8b629a5f167a0e7646c79c8d6074d9653
SHA512 e1299a7822e2790ef4a683b04aa5b8d3d6192f9443acb54325b9e31a2e88159af50c3d258f885680d3a649eff5fa1e58933db734a598a29b7e62530c890b6b7b

memory/920-257-0x0000000000220000-0x0000000000261000-memory.dmp

memory/920-256-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Qcgfcbbh.exe

MD5 29167e40ea3ad0902f2880b61b0b3144
SHA1 854524d35f847899809cacc0824eb73631700345
SHA256 3ffeb151200eb160acac2c823d7c31a68f5e4628de8daf6183e5e8330e2b7a49
SHA512 2374552bc73246e408cddbad6a6254d36e0c092982789545d3593e17f091b9f962bac6580d88454f893313af253832a5bf8af33f3254789b011626ebbff2eeb7

memory/1984-270-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2404-268-0x0000000000230000-0x0000000000271000-memory.dmp

memory/2404-267-0x0000000000230000-0x0000000000271000-memory.dmp

memory/2404-266-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1984-275-0x00000000001B0000-0x00000000001F1000-memory.dmp

memory/700-283-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1984-279-0x00000000001B0000-0x00000000001F1000-memory.dmp

C:\Windows\SysWOW64\Alojlgii.exe

MD5 436cb4cfdd26fe7f786634e46fd94905
SHA1 bb142304271af8d64077737cd5393dc6e3da084d
SHA256 9e9a3bcb3367a2fc59fd44b0811ea16ca6661dc3b5680a41e0e999eab0e459be
SHA512 22dd3456eae27e0df01ce39b9caa8849d51c0f0c6b95dea21f8a3eea9b958ed405ace243ea32216b4da7c0b4548fff467db7e4e7169124197eb0f9325b42e52c

C:\Windows\SysWOW64\Aqapek32.exe

MD5 2164716016886db5dabfba47e37d5534
SHA1 4188f2772d2b1fb1ed58e6cafb5e568aea987fff
SHA256 9a7701be711fbb2d30c38d56eb906d9d20e9b8a3ee4d8744342b917614048b9c
SHA512 caa325e059eead21abc8380c34c85c02c8b5c1744a2b7e82fe5bd8564bbfd4718ed970819432495f25cd3420e95f1c86108d92f54f69dd100e26765968520921

memory/700-289-0x0000000000450000-0x0000000000491000-memory.dmp

memory/700-290-0x0000000000450000-0x0000000000491000-memory.dmp

memory/1060-295-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1060-301-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1060-300-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Anepooja.exe

MD5 551637308bf731047794d07c7ed698fd
SHA1 1d719040be05c58faffb642f4748193883322db5
SHA256 0fc6bb3819292902804a82bf8db6f239e8535052f967a6ab02488fa07202616d
SHA512 b2aee31028ebcd642a827727d11dc3c6284eb762e6585d2c13b95586ce91799a7cca471c8b0a8b0602ebc2412b351a296360fbf92ad5981139c6bceeb6bb1db4

memory/2068-306-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Amjmpk32.exe

MD5 6604ffc2fabbbe12eb4e7480aa6f9f05
SHA1 abf4c438a2d06ddce4242e6f7988df3260317509
SHA256 ed0d0da03af3dcb340bbaeaad590d2b60da484824da8cd266f117cff4e3c9c97
SHA512 79c7bf01ba09f76063955a35482c38172cd5093fd60b0ded3a3604d466cb6333c29ba976e509cff871a1c7a39e769d61a7c04dc44d208a5d479cd23cde3a131a

memory/2068-311-0x00000000002A0000-0x00000000002E1000-memory.dmp

memory/2476-317-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2068-312-0x00000000002A0000-0x00000000002E1000-memory.dmp

memory/2476-323-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2476-322-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Bfeonq32.exe

MD5 24481bc4dfffb056f161d3e3b5a03b61
SHA1 de62567dadb41bec07b3bb2fb1bb3d22c1188173
SHA256 b305880f10029bdf8b7c949eedfa1124e988b3bd1beda7e56b3777f4792bda13
SHA512 6458c199b7f72c3ee49d365e7fe537fe690292ef316b0ea308566de819c143ea333cbbd2338b05eed8d86ad24d97604747cef79e8e260ab60d37652edadf9427

memory/2760-329-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Bqhffj32.exe

MD5 e292dba12ff936fe1f286a9f1d3694ab
SHA1 60248cc2f98d1d40ad4d4ed74d87cbc88c577b66
SHA256 b2fe482bbafe7f3f6ba506668a3ad744bb0bb7650edaf17d02f5aee4fe70dc0e
SHA512 5972a258d8512ee28d00ffd7b0869b970e03d43908720416bae8c88a1442d1399aca61228542a6b656637d084be7d83857df9595f8c2e654e9f1201dd833ae50

memory/2760-334-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2768-339-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2696-345-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Bfgkdp32.exe

MD5 a794e5fe6543ad9d03a7f59093708aef
SHA1 a178217e1b9c2e0465e8f6faeb47402b28332f3a
SHA256 4cdd9c54156b7a47f79f15d0e755a831da5623fde35d313d5e0a46959f004bb1
SHA512 8751b6339071e8843df3dca2362a113bc05160632d42cc72d55654a7e0da66cfd2e4b10497493fb33418378d54fcc64f608d299b701d96a33f53a0ef445e6ac5

memory/2768-344-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2760-333-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2560-362-0x0000000000300000-0x0000000000341000-memory.dmp

memory/2560-360-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2696-358-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Bihdfkoe.exe

MD5 b4417ac8f88cfc1dfeba77f3c63e5601
SHA1 01af9748269f926d169e005e2e95f8a22da26f52
SHA256 4d1a931de3b8a3d62b5414f483bd98e2934a74931a9fd38b302e4ffebd558d94
SHA512 758be78e9119bbf3c25053604e794d979656b8b6446c83aa01ee6d77bd660c2cd74e78a46807f497824c606f34718717d41b69bdbcc1d67fc232e8beeff5abe6

memory/2696-354-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Bkdclgpl.exe

MD5 430bace2be987fc8a1a1addb6b799a4b
SHA1 e822426b9a7b9565dbeeddf736b4954b4e516045
SHA256 beb5f9036db41e25b7c133e20ad5b62bf36e53ccd67ec0689a0b0bce4a9f6a0e
SHA512 182b9aeb26bd18f88f8c9d3811671c73042832a30e5e5ed491f461f9e4b55d903234ae12256fdddd042175f8b6724b2277e8d45c40a20a55c0eadb2eb4d01ea3

memory/2704-367-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2560-366-0x0000000000300000-0x0000000000341000-memory.dmp

memory/2704-381-0x00000000003B0000-0x00000000003F1000-memory.dmp

memory/2704-376-0x00000000003B0000-0x00000000003F1000-memory.dmp

C:\Windows\SysWOW64\Bimnqk32.exe

MD5 dfca2414aa4f3b7244f074b3d627c0a0
SHA1 a15a9d58ce21e5245576745785ce422fa25955b7
SHA256 4a2d0e3aec9012d97a01525f48d898f44a9c3f046546f62c75f3741b257bc4ee
SHA512 674cac5d80d78fba55061e5a3b6274236fd62d4c0bf4b06a59d65acec367e8844cfc7b8d2d716c4a81f740fac4f3f88b4b8b8c9d3126e83d8673078835571757

memory/2612-382-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Cecnflpd.exe

MD5 589afb284dc88100aba4ec72bb89dd33
SHA1 711a3ab2095609a1aad67e3e5ed2df7c326a7abc
SHA256 c578320f4a0f07fc3b2deac9f59a6daecb6e522c273f5f3859569e14b6033e9b
SHA512 813e26d3bbe8959911a128e197072eab89b0a5d7f297af1ecadbe34e62deb34ee342e1b8c659bb0a326a803ed347e5a4945e798badb41ab277745ffc8eac8852

C:\Windows\SysWOW64\Cjnjhcqo.exe

MD5 ebec159f94a26e6138413226f042ec07
SHA1 1a8acc2b19d5a7ce630d262dd4ee60abe6947932
SHA256 b7c5e0738dda7bebb53fbae86291f78832264d48925254bfd23f0527a8e1749d
SHA512 858280567cc13fed5f7155f6bbf1e4de15c591e175abcfd6e3e3d8696228e36e825b2c451615d350313497c35091281665189a8c33d38e27190cf611fd5ea0e3

memory/2292-398-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2516-397-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3012-396-0x0000000000220000-0x0000000000261000-memory.dmp

memory/3012-395-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ckmfbf32.exe

MD5 94656108539e2722e04c0f5a8ea32c1c
SHA1 8e7aa048742502b4d96d08b8a422721e4ce715e6
SHA256 16b78fb02367a88ad70fe7919a5dd9dc6d07b8efe87477db2e655f9f01f71327
SHA512 a9d8fd8cb047ef07cb3cfbc12bdd6d7ad745990270da4655afdec6014e3f6b3b4465664480b50e40a8a952e8ebad4602a80c6eb8172482ab26fe8d3fe57bfd4c

memory/2292-408-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2248-409-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2516-407-0x00000000002B0000-0x00000000002F1000-memory.dmp

C:\Windows\SysWOW64\Camlpldf.exe

MD5 7221b3c2bf75adb610bb13289ab8700b
SHA1 fbae9bc8178216b2ff246ee47d92703bcd9932bb
SHA256 afd7390004979c87a2ce6fbd85218ca8fc8fa5983e5a081cb352f43ccd97bd9f
SHA512 9c9ae16868ce982ab53ad5e388c01197e342ccac72a3ac9d9d431d8ff0e2d5e1f9bee307e0e89df09b1e6ad84a65ecaea8180c69b1824bda03b0610e4d0e3c4b

memory/2684-415-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1876-424-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2684-419-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1960-435-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2828-434-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2828-433-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2580-429-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Cmclem32.exe

MD5 25b27c8f811728ed8e0a393d1a478f66
SHA1 18e39997645516b9e86fd8e5449f326e906cd8c8
SHA256 8d40f0e071570a52d5dc59c075dd49ee86a256efb52444ccbfe0aa9482c60386
SHA512 59ac50b3166a0d34e8b0730ffdc8715d01d7fa6a3c5e906167ea440afd8065a12117241d051a45a72578df1bf972d6165c474fd53154f12142ffb0d31e0e928c

memory/2580-444-0x00000000002D0000-0x0000000000311000-memory.dmp

memory/1456-443-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1960-442-0x0000000000220000-0x0000000000261000-memory.dmp

memory/2828-441-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Cijmjn32.exe

MD5 975b5429cec2b987d15ca5fab549826c
SHA1 93b49d1487f171469a66314733811f0aa6c4ce59
SHA256 8ee9705c97810a58b302102956cd184b458649a34e667816f35af968861aae92
SHA512 432a372c8ef24fa4fc861ce04d5ba1893ae34e26017b0b467989d88309cde16ec59bdc3ab13493b4e0ad54df53d7be942f5581c124acb767f1dde8d0abaeca47

memory/1456-454-0x00000000002E0000-0x0000000000321000-memory.dmp

memory/2984-453-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Dpiobh32.exe

MD5 ffeca05e1fd2f633c7a7e4aa396dbe58
SHA1 6cc9ec764e0bc4813d59b93eddd011d7e156e989
SHA256 dc80d9417e9bc158ce3c913d8ab6ed7a9e65a2f1d197b30b3441d97740a74b92
SHA512 a40a59b459e3845ea206f29580e227eb7b25aa1374e25f6bd4dc235cff92b31b1b9d721a0cfdc0a397449f24dcf3963db113b0ad0dd91422ed6e145fd949f087

C:\Windows\SysWOW64\Dmcidqlf.exe

MD5 00bb2cf364c4008914d429e7e9df60d5
SHA1 b91fea129a52ddc1b6e8c11f7b95546bda9e1773
SHA256 22620a5b0f2c5b251bdd67b97eb35bac5c499052c9fc67972c2820d576fd1ed4
SHA512 881464c6d13526b70e1f3cc300f0f3a48480dfae0475e511c8985bd8bf8699bf043198db5434eedce90864177258ca6c213ab942e3a8785103091b4b3ddd9d0f

memory/2832-464-0x0000000000400000-0x0000000000441000-memory.dmp

memory/928-469-0x0000000000400000-0x0000000000441000-memory.dmp

memory/572-459-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Ekgineko.exe

MD5 9370c955953e724795edaeff9dc3e970
SHA1 53726bc1788acd8f16c46df862713820ebf02f85
SHA256 67faf2b3b935a8a0aaec117810d3ce90cd3db19f9987aa269d556d6c0637d6f3
SHA512 85d967b3376af752f54c2931be088c2193391f9011bb7507a8c89af15a7f960913c8c26517f8da9706bfb49f8868ae2786d7e3f1c3d10dbabe445ccd85a0071e

memory/2204-478-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2204-483-0x0000000000220000-0x0000000000261000-memory.dmp

memory/1040-486-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2396-484-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\Eaaajo32.exe

MD5 8461aa1da5b8eea79db18376c590d181
SHA1 6e2b8f02a28dfc7f7361c129bf1266c52725529a
SHA256 f9a0c04f1084d919eeea9f75314271441d7844059c5fe450d1971c558ee3afa3
SHA512 892b622fa048f9bf7976beb837faffa249781cd236134c5b66639bf091828600517dc1ddb1f105de382c68b888815a4cc8e5d0910d0caf3bb8cde821f54ecb28

C:\Windows\SysWOW64\Egnjbfqc.exe

MD5 a615448f092e8aea0053476ca7477500
SHA1 df96899103d7dcc5c3b80c426e8bcd4144e3034f
SHA256 0c327814997f9fc09652daa2ac3edb73c88cdb279fb595a755c0078e7f2952b9
SHA512 0e14eac36cf11769154f4de76a2aa8a7d8a16fd944af1176d82684ce1a4497cf008c83372d131b3bd74cff384dfa04ba15fe036f3c7d874147b13e6a5077e026

memory/1040-494-0x0000000000220000-0x0000000000261000-memory.dmp

C:\Windows\SysWOW64\Eiocdand.exe

MD5 83fb970ac0d0baeb4f8c0e1df2c84b18
SHA1 ee622e6ff10304d46743ef9c68b9b79e4c16b27a
SHA256 c0d2b8cc89131f2db694d83974343ce9b367410e921df92cca06eb963d33fd5c
SHA512 00558febc3125892d55bb6aa4db5ef0165eae34780769fa963e54e7f64ae4b5ebad4b0d8efbd823d7acc5d126ecf7fdcaa9ba6ae68e10b2edb41125ea3c5e3da

memory/1728-500-0x00000000001B0000-0x00000000001F1000-memory.dmp

C:\Windows\SysWOW64\Eddgaj32.exe

MD5 151f601ff695b487d76250a53cbf7f22
SHA1 d2e473adbdf719b4f4f8edf787c70f10df7c9668
SHA256 e4d0f2abee351b1a433c68f3b63a984e013c2d30ba00e88db07423cea06ead11
SHA512 84d3793a2d70b2fd80efda283f50e0b467f2c472c7e8e1926ee254bc182f61539dab2376cbc3a95362edc44cde6cd3db8e3d626fc3ffbeed3e91ec5f77c22ccf

C:\Windows\SysWOW64\Eeecibci.exe

MD5 6bf30851eff427b8ab5e5e42d73e334d
SHA1 a63216bc5551c837ddd9fba9570ef82553fbb9de
SHA256 74b32a545937748023865a22e5e67c5e0f028f580fa1077eadf1a26ec4daede5
SHA512 eb3105985523bbcd9d74b7d386ab53d85e8cf19fde9ff2ff8f321bb3dd9134fc58d9cc91cbad02562bb3c49c9727bfdeeb55108240d856fb4296ed12830896cd

C:\Windows\SysWOW64\Emmljodk.exe

MD5 2b1b1f6d18e60ef0d1969a036c1149d9
SHA1 c84df1bf414fa52ea530eaef7d4065eb60a5bbd0
SHA256 2f91e43213d8f51abe535b817022fa4b21119215c8ad58b66aa2d3ed1b070aac
SHA512 98ece3ea81ca36b2e792e34e043e5db3d28312c73e1d8dd7c0856df9fd04460c49ccb6eb70db596fb62af5223b4587da881831bd797a2f926d6662e85730d061

C:\Windows\SysWOW64\Ecidbfbb.exe

MD5 7c19cb7b861f820eb9ce40f6dab89a6a
SHA1 261e4929e8035e338e0047f286d645b6cdbbad63
SHA256 ec0df6b7ebb9196e5ef7d849f55f8c330cf9d2fd4a016ac5478c22ce57f79d82
SHA512 c8f51bd9c00d577810664de5e2f3855228148eec629c169c0d9cbcd5f1554d095988cf5777b3569b481a099ba6c3d0b3a18e6e559fc5998e0c6450c86ccfd0c8

C:\Windows\SysWOW64\Eehpoaaf.exe

MD5 1fc7ec918155a5e191e8b9d940bd6bfa
SHA1 363cf0d7e985b472ec07876429530fca9faaaf92
SHA256 e25af929353492ee591b37b710475fa795172e9149cd4d3382449d98ae667a7b
SHA512 8e8dee54ebb446edccdcdd8622366e461151515037aa512708b6a0e8615c6761db73c27b4b73bc2d5851529f8667f4cdf1c88b2515be7ceec2859436dcd43ee8

C:\Windows\SysWOW64\Epmdljal.exe

MD5 ee5b3ae317db059ef63a17c9fc24f86c
SHA1 758b49046bb4e6a42f936f65a92a69daf7c75df1
SHA256 fd8b7887bbeb8c0680121cf3918f5ebf62d70b34ff6b483d143dfa81625b2ea4
SHA512 1c4253651d74f0970d11ef20dd152d55c5646b83e501ec3fb7462d6ff917e4c12110f6eea3b0d020f5af01de2588d5e6ccfa2cae82bce7c8ed52774e40980f72

C:\Windows\SysWOW64\Fejmda32.exe

MD5 c933dbdb2adaa4c05ab165be5ff1fe03
SHA1 559c9a8dd2b228136553a4c73e3a7b9f3751eea8
SHA256 f286cc4ad4ca651a0fc21d0009eaa74f7ec4f1df9df1364ef50379554e6f637d
SHA512 f8ffb0cb56710b64e9778617cb8658d656dfca153070ca1cfc2c503a1744255f380a58864311ef701905d6accaa95cbe527e859dde2af772e11c4b1abb484042

C:\Windows\SysWOW64\Fldeakgp.exe

MD5 ac3d4cbcf50d0e614a02711c0023b526
SHA1 99ae9f08a00569f838b2b81f20f4ecf9edd29d29
SHA256 f8bb93ab9488bc6e944a26fc9abd2a21f64ca0d08f38b27fe9fa12e809b6aea0
SHA512 222c52be1019f0e74fc21f30f077be641125a88ef58bd233b7a53852a8e64ca0937afa24e07d53a7e8564c5ba5eeac4f5708f253ace1b5c1c96de745d79449c5

C:\Windows\SysWOW64\Faanibeh.exe

MD5 568745d813266896b9c99f5c2a07adba
SHA1 00eeb090c909a95b527d5c3a06f5ec85e9d2aeb3
SHA256 bacce64e004c8b323745c5bc3a7c8550cf1b122c1405a32698dfa2ef73f52243
SHA512 9290d96379d8dbd5276decb9671ed38bc2167c97eb9b9307876b787e3b9f04eeb1ac77af1e0c2b52da7301b81b94eeaf210793a658b080bc2cc42d0db91e4c34

C:\Windows\SysWOW64\Flfbfken.exe

MD5 52593c07847a399d3922c82f5f3f6b97
SHA1 54e13613c17325abdd77c3684cf926b05661a816
SHA256 0f9cfa05dcf3fb464505b0d0e430bdfa925c9804e2c734cc9c729ea0c40fc621
SHA512 b9971d8d8a9f2a1c83f5a7dc4e108e1d1502156c7956cba2450ad76f6ab18d3df50753a74a07ffde5c7f75e5000fa8e7e55b7f92573b718eb1693ac8fa32c4bb

C:\Windows\SysWOW64\Facjobce.exe

MD5 c69a031c1d516be4bb3a0ab38d1d5ffa
SHA1 28e0e5c7d6a7ede5f00b329e3123d0d46eab326a
SHA256 dddbf8cd0d4861e48657ca7d9f16d73f6c82c2ded830449b597048f16c252c23
SHA512 d33ea0819ab4fe7d433557a3f21cbcb823464009a7f07a7963928a589af6c92176fd0159f07c5b3368b48184a28de4f12b1f42383b41991abc0a658618d2133f

C:\Windows\SysWOW64\Fdafkm32.exe

MD5 9df30b8c9d2773db8921926a9095836e
SHA1 43d938f8a96d5cd07081d2882cd2877164ba5b2b
SHA256 ac0ff5e875fbdbab19c5dd383cc9562b8022a30c2214d6299533e349b5c2abb4
SHA512 ff9b51be4b962c2c2986d041d4b86cf0800cb972f68bb70463875c103269b33f4ebbef76c65c7b215555208ae61aaa192aa8331715808965065cb7d307e91c5b

C:\Windows\SysWOW64\Fogkhf32.exe

MD5 bb7bebf12c447d4e13687ace00eee9c5
SHA1 61cc1e94077d4dbcd2297019cc010557e6b58137
SHA256 483e4b169f4775234a461e95cdb1c4e603427663a222761126474c3af5f78ae6
SHA512 27b65ddd2e1deef8a60b4966eab352ee9e6c0be90a838b46121d7cd8bbe7e1c89bd63f0704843718bab6b588b08efad47995fd5c71740a6b10fffac5bcd09cfc

C:\Windows\SysWOW64\Fddcqm32.exe

MD5 c76404b7dc6cbb32ceefed850dbfc2cb
SHA1 6bd2c25a6dff01a9d2d8318d416bcebfd99c07be
SHA256 3d5714ae34dff27bd81b83418ed32fe9bf70f3e47e073d70ab3f88c1954e09c4
SHA512 ae57e4096c1e48a4c79b4b45cf72f127c643e4d9c5603b1a922e8e6dec375c6ab76cb2ed0f3bec81805d3df640c2dc6d42084571bd90398bb48a772741e94d08

C:\Windows\SysWOW64\Fknlmggc.exe

MD5 5b5ea84e1f651a9df666c70a15c59344
SHA1 95a41717518755e88475b6eca6d09dc5d6c3acdd
SHA256 bca0ac0addbe1fe0c410d504257c24952ccda183281ec1b0741cf98feec4727b
SHA512 7067a2791076c4414317737efebbdb8203b8fac4ae52c7c5215461f20b002885faeb1a4afb70a042a093e74c5aa3f0ea626451e854bd009ee3d0cfe95023a081

C:\Windows\SysWOW64\Fcipaien.exe

MD5 c54ef118929ebb80d88d7ac0c751dc59
SHA1 4dc0af5e9f61bf102efed4a44da9111da0ce8607
SHA256 a54d2ca14a83322d8d4f9b1f589fbd945e99594d6a6a92cc1dab7671e578f870
SHA512 42b143463fd8db726dd3685cad69ccab2283fb870d024ff7413641702126d80faeead5fbfe51e3ce7e2460699a5fba4c4340e7626591b199a1a28c14452ad1f0

C:\Windows\SysWOW64\Gqmqkn32.exe

MD5 3733275e95dfa97fc397aed928fc2083
SHA1 7651429875d8ec1bd614fa0403cfb70c27f05543
SHA256 25d79a05f27b969c08f37d73ee115182b3aacd9820f667cef55793b73851cf47
SHA512 3ab87ed20aa90bf74ec43193f1f978af91fd6e4ae7bd6f6507d562ac4792c24d19e3d338cb31c6e24c6a169da8fa7cfe2e2afd88aed620ba3bc12659be1fb46d

C:\Windows\SysWOW64\Gjeedcjh.exe

MD5 233e2276a608759962828f1a54253009
SHA1 2fe721314c3c1071ed104d4aeafedbcccd6d51ae
SHA256 c92af0c0c1b03f06bfb84fcad0e5cb0b3b6a0d19448b232f4e83f42751d8e60e
SHA512 da9fb21a7ded5e6ea00f7bae9659c7b844bee7e809c21324c3f4728619a978ad0794b62c4cd0c0367eeba253d830335f0a0151ff500619e5b3c553da80f6af39

C:\Windows\SysWOW64\Gobnljhp.exe

MD5 54e9917cb5548378ef285634996e9150
SHA1 bcafcb8b26203c0dbb4ff9341231570c58a283d7
SHA256 4c30930c7b6a35931e91f150ead0b567dc0cf617c65e78ca104b263f3c0a4429
SHA512 59beb0c36c5820a2099c74b9489911721df8dd42e462ed41418078f5037ca855e9ced1dda4f726aa07f5ebe17ab5e1e52af40d4389303ed0f71dc7510cf2d625

C:\Windows\SysWOW64\Ghkbepop.exe

MD5 bc50576679dbcf0d185c2fd2f1400e16
SHA1 9ab9ace15c3ce1b52c099c7f3bed2c84fb1d005c
SHA256 b4ba47a376a6c07fd2bd1f97d9f5b3d7d8a084acf69125585217ced6f6c79e9d
SHA512 ccb5fbb83751bdf4225187f02c1f2e6dda082ab5d8ddfd6e3555767454fff2bcae3cf61e20fd47e2fe34361420145af6934e51dece224122f812ecccd6a2de86

C:\Windows\SysWOW64\Godjaj32.exe

MD5 02ea96f66a3f79ff0abafe6ab2bd8e01
SHA1 25d66359ebc2d5d8fa44067cc218ef6a9f66a2c4
SHA256 ccc6da320bc52650694abe1ccdc48b4ecd596f245d226a1d950a04fcbc3b0d32
SHA512 760405ea8a95ec21c936b46c09ce34f278e5751df8c41feed2b6874f6f18c5f75eef32e53818a8b070260306dae856392fac72aec828eb1bca048c5b7b2f1322

C:\Windows\SysWOW64\Gjjoob32.exe

MD5 f7f6c2c85ec26ad1ff445f74cc378769
SHA1 b39823a0716b5b84224105d66ac8577f7f9e35e1
SHA256 856dde79863adb388e3651ba73f85e8a4e238ba4f263374f758b374ff222acb7
SHA512 98f3061977d995f55367e3cea03495ebc724e26f0fc0ee17248ec31d7bf7a1d941f8cd94f6adc33496c3ca14b3e0a73933821fb8fe42bbfd4684e56a6fbae8eb

C:\Windows\SysWOW64\Gkkkgkla.exe

MD5 7d3360fa3a80fcad9f2945610aca1202
SHA1 b8d59060af759d1a102d22e1f4dd4db421ba56cb
SHA256 45cbb4a4aeb3de1efad0695b2b9d3f13cc84eda05cc28315a197f3dbfe8e219c
SHA512 a22f4a0ae27beee94b859ad9f3e8a423340634bad885228865099cce90f1767a0272bd7739a786710cbb00f7ee6e67b11396a4953552a68f2bf690bfc3edcf49

C:\Windows\SysWOW64\Gfaodclg.exe

MD5 c6d98ced7c6b110931b39c47d845a928
SHA1 a5cc452532a08f8386492df06a92d40d64e40591
SHA256 3528f09f18e24cc218f1f01b08568b4433a7adbcf45b752890e747e3625c9b54
SHA512 d949be6334e54367f714872a98b082ff34bd3e6756ac64d27d19728933dde0b1d69860de2d199ed6ef96f1fe3ae17d85e631a55dacea0776500e8f78b5600676

C:\Windows\SysWOW64\Giolpo32.exe

MD5 df4dcb05683c8fe0cb993351f7ecb3d4
SHA1 c59f0e69b9b322cc83824e1388bb854b9f2095c4
SHA256 980d5dac407924b120f1a4dbc523d84ffa652414013a81408f12cfd17ef68fa2
SHA512 4cd6a0b7ba06fa636e93ffd955210c642837425b7da216f164e3bb70da0b69d7e3996be0a30531f621b9bcae593d7503b1c874619ba3b81b0b1d02ffecaa275a

C:\Windows\SysWOW64\Gfclic32.exe

MD5 58f5103648b84dcad76b6f8cd206aa1a
SHA1 8064b422cb77077b762ab9a825c60b75f231f26c
SHA256 6b1976b73d6f6d806c0151db3abdd56efff1efa1c11dda40ec8322696701930e
SHA512 a43fd62c4da70c61f87a61def2b27824a443f6952f72fb26165f2ca86379b6c4143161da33a628c973fdea466f8827579c2f560debc943c6b4d63f20f88210c4

C:\Windows\SysWOW64\Hiahfo32.exe

MD5 2482b10648e61c6357c95c52ffe3e380
SHA1 cdf29327bf14b94c0f4944fbeb694eabbd12eac6
SHA256 2f539d4134a13bdfc1e5e11dc165d90c50dfb18f78fa184d92e2c5b88b4d9b7e
SHA512 2a909e8c4e547bed298ab9004fdc708780cb2f29c45ba9647c644e45433d4dec7805a44b66f3f8a6d7fbaf7ec6ac4eff7f5bc611034d3af00f9756df43411472

C:\Windows\SysWOW64\Hehikpol.exe

MD5 8d216944c4e118521dae87ed8590cf3e
SHA1 808d9943680475388e67a008a6f135e7d17a514f
SHA256 a7914b4b833a296bf0d217f2279781fe61518c52d91f9d3139162cccaa6d81a1
SHA512 e859e5d7a386602c42d69c949424537ce5d392fe3f18077edf128f4c8da865db40e861c3f28c40f494de489deb1621b958274e1297b766fc413c636792406213

C:\Windows\SysWOW64\Hblidd32.exe

MD5 7da3de54c85893b426346f9944ce955a
SHA1 46a89f3b3df64c17b18a1e15ccd27b5f53f525f1
SHA256 e01c0e94c7c7a51018c0ecc65bad1af17d5e0c65215d6317def33f33886c9bf3
SHA512 a39a136bc6541d0a0c251c4cd75b414688f26d72ce4eff33d6fcc03fc324d87e021bed3a2efa07d504b511824baf7851941395728f3698e6d10d15fd9925c684

C:\Windows\SysWOW64\Hcnfllcd.exe

MD5 8181ede91d7263dd9a6881a0eada6d31
SHA1 e563a007d5ae7568b25142e84840e546a8dcba64
SHA256 3c63921f3da4f069330cbae60341a8802d9a368c7f0e9ff0df722f7f4b7a7c98
SHA512 c9c54c50753844cda26aa376cc1f9e0d6b5c5f5d04547b39c000c35dffc1f35b56d4a682d8e544db6363e0b21f2a3d089350e5db04266deb31c80ef58947269f

C:\Windows\SysWOW64\Hjgnhf32.exe

MD5 9a925968b221498b6cbd40b4c6eb3d5c
SHA1 c7654ee5727df712a50f3cf3270b62f552dcd6e2
SHA256 a3001f2800d9c3a0d122e6142f63a1cbc819b4da6ec34e4452ea4c7e0f94f206
SHA512 430ac5f289356b95566a522c34a2ce8a7e19fdba2ffccb8793b7eb12211e57fec8a5fe025a8a237ffba67b1c00e806fb507b8e7b08959e7d839b8628ffbe0878

C:\Windows\SysWOW64\Hembfo32.exe

MD5 4f178fd18dc888ce018d880ff92545a4
SHA1 498aa64b437551ac824fe1695d2eecdbb63097e8
SHA256 b79f9258c29ad652cf3fd8740b905996ddd65adc209eb51e9ce90558fea22e74
SHA512 98237b1e7e9a282a183d3d143386ff7d9c15ff210969a4ec54e5785be04a7a57219b7936d6861f17fefd89b9ff0899ace5e126722152b87d4a375cfdd1379aaf

C:\Windows\SysWOW64\Hnegod32.exe

MD5 647944b96f0ef75793cb5263b72350af
SHA1 4030a34eeba55904969ed187410b917ab5e0ee83
SHA256 103676639d6180e76949b6fd98ca50c16d3a04a617401d9d8c087978a409174e
SHA512 cb94457e4d131f7dbbddfd175be13cedf5f43f994cc1aaad4ec4af346562e8921d63ecb61e78f7fd3a006ea89fb8aed9ee5f5495430e29d3774ed2afa61f3e03

C:\Windows\SysWOW64\Hgnkgjgh.exe

MD5 c723d2ffb27e6da13b665f112c667d96
SHA1 90d43bb4553833ad7270182b5bc97153f350b8e1
SHA256 a995180025dd7831b1574fb209017a8b805cc62b6e031acb2f077b80a4a5520b
SHA512 16354da131c1d17807569ee5a1f3074b55a181775c4417780656c5add8542cace4161435d82b382a650f3ec096b7ecde4f6330dc74a381598bb7225ebda3b3f7

C:\Windows\SysWOW64\Hmkdpafo.exe

MD5 e8860908d8f33feacf2cda85b8080e31
SHA1 184b78919f4cd7c9d5adbede648acffef94e650a
SHA256 cf1b349cd73c05cfa0c41f058883ecbe038fec9c5eeff50d0e78886d01e39167
SHA512 8fbf0f50a90e68546c6c483be1c14c93347b46e937154de756979a7329d9701bbd993d177563fb619c126550e55390784e87cafa60ee72c9db787e44e2a95d3c

C:\Windows\SysWOW64\Icdllk32.exe

MD5 edc59ee765fefafe8b8996ecc21eb254
SHA1 d7b951f1e312d87e7b2c9bf04487b69b77e956bf
SHA256 1e1bc27d30b91f1ba14963f31062c696d68b2f140eb37ecdd52262f98ef89ac3
SHA512 56552719ebbc6f4d030f38d7ff0bcfb1b6b2dd2284b4c6be518021c2d813351249dedf38e69f718ad30d433fb2a2f0b2c0b1e77818da22129907bbf90a546fb7

C:\Windows\SysWOW64\Ipkmal32.exe

MD5 a299a24c6a7b79326fd350f2590a8336
SHA1 b09d58e7d1fb0da9dc76afda34cb6a1799d39f36
SHA256 c5f77a3a07cff93e76ffe7964a20a296bfa5392d2dee52fc43704c041b54dbac
SHA512 4e638c39917c745be73c9305613343a35c0c49a2e780e747962dd10389de101e43b54e44d89598d8e9376a0dd566b540607bde12fb0619c9598ec3a5c9827b1c

C:\Windows\SysWOW64\Ilbnfmhd.exe

MD5 feb26147210122ce5da5b263e97ad72d
SHA1 9129603ba7ffb330f345e08a54c2d25638f2f911
SHA256 ccf95ebdb741a6f9ea462af02fb4b4bbcff6309ff8654d3b17d34bb3d1689247
SHA512 3b0445c28a773d20a530fe0ea2ee7a32ca30717f5d307364471610137b1cf2e48f292fcb50367ced1981e53e1f6f02099f73dab1351a866bac887e84807b2830

C:\Windows\SysWOW64\Iifnpagn.exe

MD5 a26efe825cfd761feb95c0215beacbef
SHA1 9859ddb98a04f905a6b9dbbdfbdce5f1e0a0938e
SHA256 808373ab6635315e6c100ba572eca94d9fba05b7d4f01c55bb72c2667adf4782
SHA512 51de44c5066c9a16ae7b021d7f3d78b0fbca5a2652d8a41eb37066cc587ac30d010cd5ed9e583f407d40c5c5d53b1b011537cabfc6363fa4ef59fb053f10627e