Malware Analysis Report

2025-03-15 09:04

Sample ID 240916-th96eswhmq
Target Backdoor.Win32.Padodor.SK.MTB-eed17cb561c3c0f502e114cc22dd632261579f6bfe3fa2bbe52278604b970d63N
SHA256 eed17cb561c3c0f502e114cc22dd632261579f6bfe3fa2bbe52278604b970d63
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eed17cb561c3c0f502e114cc22dd632261579f6bfe3fa2bbe52278604b970d63

Threat Level: Known bad

The file Backdoor.Win32.Padodor.SK.MTB-eed17cb561c3c0f502e114cc22dd632261579f6bfe3fa2bbe52278604b970d63N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 16:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 16:04

Reported

2024-09-16 16:06

Platform

win7-20240704-en

Max time kernel

80s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfhkhd32.exe N/A

Berbew

backdoor berbew

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cbblda32.exe N/A
File created C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cebeem32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cgoelh32.exe N/A
File created C:\Windows\SysWOW64\Fkdqjn32.dll C:\Windows\SysWOW64\Cnmfdb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbblda32.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
File created C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Cbblda32.exe C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
File created C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File opened for modification C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Ednoihel.dll C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cbblda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cebeem32.exe N/A
File created C:\Windows\SysWOW64\Kaqnpc32.dll C:\Windows\SysWOW64\Cebeem32.exe N/A
File created C:\Windows\SysWOW64\Niebgj32.dll C:\Windows\SysWOW64\Cgaaah32.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Jidmcq32.dll C:\Windows\SysWOW64\Cbblda32.exe N/A
File created C:\Windows\SysWOW64\Fnbkfl32.dll C:\Windows\SysWOW64\Cnimiblo.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File created C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cnmfdb32.exe N/A
File created C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cgoelh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Pobghn32.dll C:\Windows\SysWOW64\Cgoelh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cnmfdb32.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbblda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cebeem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnmfdb32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll" C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cbblda32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe C:\Windows\SysWOW64\Cbblda32.exe
PID 2192 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe C:\Windows\SysWOW64\Cbblda32.exe
PID 2192 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe C:\Windows\SysWOW64\Cbblda32.exe
PID 2192 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe C:\Windows\SysWOW64\Cbblda32.exe
PID 2300 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Cbblda32.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2300 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Cbblda32.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2300 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Cbblda32.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2300 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Cbblda32.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2636 wrote to memory of 776 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 2636 wrote to memory of 776 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 2636 wrote to memory of 776 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 2636 wrote to memory of 776 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 776 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cebeem32.exe
PID 776 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cebeem32.exe
PID 776 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cebeem32.exe
PID 776 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cebeem32.exe
PID 2676 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cgaaah32.exe
PID 2676 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cgaaah32.exe
PID 2676 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cgaaah32.exe
PID 2676 wrote to memory of 2452 N/A C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cgaaah32.exe
PID 2452 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cnmfdb32.exe
PID 2452 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cnmfdb32.exe
PID 2452 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cnmfdb32.exe
PID 2452 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cnmfdb32.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2060 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 1656 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 1656 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 1656 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 1656 wrote to memory of 2732 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2732 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"

C:\Windows\SysWOW64\Cbblda32.exe

C:\Windows\system32\Cbblda32.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Cnmfdb32.exe

C:\Windows\system32\Cnmfdb32.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 144

Network

N/A

Files

\Windows\SysWOW64\Cbblda32.exe

MD5 acc967b6198de6ac859d69fe395a2e61
SHA1 d50a51570062e6bf53eb9705ad81ac2517f44303
SHA256 85a04780330a41ca9c49a107fd6f3ed95a6a0adc832962f8411dda4fb924d6db
SHA512 118ad27a49773fcdcc7f24964e1fb9a0454225c30d707e15720d9dab0802ce44b368b04ffa8a738dd33d331462d2e7c6d709e4c5c3594678d117cabda9c5b640

\Windows\SysWOW64\Cgoelh32.exe

MD5 9fbf184ea03e2e5dfa49275f1cf42e1b
SHA1 10e9659ca5b3af9823fc60ec6d95fab87b46210a
SHA256 5fe63d39dd7424d7805bd5597787ba57cfef721cf86a2f7622e88c5a8f1d1c75
SHA512 ae20467a4bbec58af7c3ecad5647dc08d2c0bba58de5f3b06ccb9d1e04a77b4f48ec7e8676701a473ebc27591b7457f43470d436761d0d13d4f65d5876deb6e1

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 c77c8677a9958ae44149a2e4ea543fbc
SHA1 11f20cacc3672fe16d5f3b385d14584eda83f322
SHA256 ea4845f1662744d16544a61391a44c8fb26929070d6e007480c42219259c3ba6
SHA512 56ad95d61904534b59713648c1f6753a5ae9b129be9c6ede5968b7b344fe99dc9b73b0454b49522a51b2880fdeb06bbec71ed1bc1ec41e412e5cb3a2a36e50c8

\Windows\SysWOW64\Cebeem32.exe

MD5 636dac539f42777bb5a223a5ff76a42d
SHA1 e82b94702908d3ba52e1e7a84dd3f1e26d9337eb
SHA256 d332e7f227cac4818eb3ce205d2c2ceb4f5cf761525e5810f69028073a70dc82
SHA512 ec8bd8ae39a39eec28b5db56ccddca6ab87106f256b61fc2fe53a3ddc4824d5279bd3eb145a261a382225699642a19da62a89336020eed629c3059f8c99b8f21

C:\Windows\SysWOW64\Kaqnpc32.dll

MD5 4f972a7592e0c7dd63ca0739bc6a9230
SHA1 0d6a69edbfe329e44ed2b1f95f0e3eba62fd27ad
SHA256 972b38488b74ebf82e887b8f9ea290a74defd26f67be7b681abd2694c46fea9b
SHA512 45b73becca4b6161a20066aaddfde0c88deb277b4afc9a9c2f8abeaca96acbc12b2537458da69c3a58e541b54af88ac7c10b96bb9bf4db8763177026d69f989e

\Windows\SysWOW64\Cgaaah32.exe

MD5 fd8d1d17611cbb3d1be225ce1dfeb5c6
SHA1 cbd7eda77133f642c528da2401d177d1371ddde9
SHA256 5a5d66eed5917f8e9569bf7b980b1b66005efe26261964d945dc59b3eab1d262
SHA512 974b3225c232e61f351f76411e6fdf163a72e0bd3b8a7a5c5066db7120a155b0c1678e168c4944eddaa172ed067fcb677a547e3b62914680fa6ef37233e77e6c

\Windows\SysWOW64\Cnmfdb32.exe

MD5 efa99c0636caf366c867cf24d645fbf6
SHA1 d9f3fac836c5057e6061f3e2eada42cebfb74bbf
SHA256 acbecce322e42a7c26f8a9819fd12a8d8c074831429a66251488c49670c9f2ad
SHA512 6c1c7cc0df6e7b09a63d8a1f11673cb55db60852e2cc74ea2634e788b123da38bbf7b93b8b773146c754ff2acdf257d1d09bed054d1cac42fc04e08050833845

\Windows\SysWOW64\Cfhkhd32.exe

MD5 ea625d283ca44debb5a678fc2eeb2384
SHA1 0d12912599bdba0653ec47d719b9e1f7aed05a3a
SHA256 e760e306c50fc43a6ff02568311c99801d535a0e7188fb36f866386cb3ddf143
SHA512 575f2d691ad83dd5872d013c468e057fa5930644e96cee4d4d26947984651167ea5a885ec1b7cf428168c353f8924fda127c9de97af984b61a0d27f07e60e5cf

\Windows\SysWOW64\Dpapaj32.exe

MD5 bd2b4153283e32d994ea25a332c245ee
SHA1 7ad9da038e478346153c4661ab1a3986a4c73a71
SHA256 db34caac1e6361163ec7146a3dc2da3456ab0983ebb162c3cf928674d1615907
SHA512 4926d35b9710253b3262b07949ba6cb6ab0d504a1974ea6d7347718f828718ce8876410587d9aad0b9381bac619e28a65335e00e5848d2bc6a2b0af56ff78815

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 16:04

Reported

2024-09-16 16:06

Platform

win10v2004-20240910-en

Max time kernel

94s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hihibbjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iojkeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jifecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nblolm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oihmedma.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocnabm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaldccip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cggimh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kidben32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjidgkog.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofgdcipq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fajbjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ggfglb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ookoaokf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omdieb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Boenhgdd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cacckp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edplhjhi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Filapfbo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jikoopij.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jlikkkhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbccge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ipbaol32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Joqafgni.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ledepn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcfbkpab.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obnehj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbihjifh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jojdlfeo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kapfiqoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oihmedma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ilkoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqmojd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pbcncibp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ganldgib.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaebef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ieagmcmq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dakikoom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iijfhbhl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jadgnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhanngbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pjaleemj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kadpdp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfkkqmiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njjmni32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjaleemj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eohmkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hnbeeiji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njjmni32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Heegad32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhgiim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jojdlfeo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Noblkqca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbepme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lindkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cglbhhga.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmeandma.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnajppda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hhaggp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kemooo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lcmodajm.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Aphnnafb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahofoogd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aknbkjfh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aagkhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfgdpmi.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpoaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amnlme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adhdjpjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aggpfkjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Aonhghjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaldccip.exe N/A
N/A N/A C:\Windows\SysWOW64\Adkqoohc.exe N/A
N/A N/A C:\Windows\SysWOW64\Akdilipp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaoaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmmeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkgeainn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmeandma.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdojjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgnffj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boenhgdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bacjdbch.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhmbqm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bogkmgba.exe N/A
N/A N/A C:\Windows\SysWOW64\Baegibae.exe N/A
N/A N/A C:\Windows\SysWOW64\Bphgeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgbpaipl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnlhncgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdfpkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgelgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnoddcef.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpmapodj.exe N/A
N/A N/A C:\Windows\SysWOW64\Chdialdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cggimh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Conanfli.exe N/A
N/A N/A C:\Windows\SysWOW64\Cponen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgifbhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckebcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cncnob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpbjkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdmfllhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cglbhhga.exe N/A
N/A N/A C:\Windows\SysWOW64\Cocjiehd.exe N/A
N/A N/A C:\Windows\SysWOW64\Caageq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Chkobkod.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckjknfnh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnhgjaml.exe N/A
N/A N/A C:\Windows\SysWOW64\Cacckp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdbpgl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgqlcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cklhcfle.exe N/A
N/A N/A C:\Windows\SysWOW64\Dddllkbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dojqjdbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgeenfog.exe N/A
N/A N/A C:\Windows\SysWOW64\Dolmodpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dakikoom.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhdbhifj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnajppda.exe N/A
N/A N/A C:\Windows\SysWOW64\Damfao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddkbmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkekjdck.exe N/A
N/A N/A C:\Windows\SysWOW64\Dndgfpbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkhgod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebaplnie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Jcoiaikp.dll C:\Windows\SysWOW64\Jhgiim32.exe N/A
File created C:\Windows\SysWOW64\Gbhhqamj.dll C:\Windows\SysWOW64\Nmfmde32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ookoaokf.exe C:\Windows\SysWOW64\Oiagde32.exe N/A
File opened for modification C:\Windows\SysWOW64\Filapfbo.exe C:\Windows\SysWOW64\Fkhpfbce.exe N/A
File created C:\Windows\SysWOW64\Heegad32.exe C:\Windows\SysWOW64\Hbgkei32.exe N/A
File created C:\Windows\SysWOW64\Eajbghaq.dll C:\Windows\SysWOW64\Hbgkei32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilkoim32.exe C:\Windows\SysWOW64\Ihpcinld.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbccge32.exe C:\Windows\SysWOW64\Jlikkkhn.exe N/A
File created C:\Windows\SysWOW64\Bpldbefn.dll C:\Windows\SysWOW64\Oiagde32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ppnenlka.exe C:\Windows\SysWOW64\Pmphaaln.exe N/A
File created C:\Windows\SysWOW64\Klndfj32.exe C:\Windows\SysWOW64\Kiphjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lindkm32.exe C:\Windows\SysWOW64\Lcclncbh.exe N/A
File created C:\Windows\SysWOW64\Mcaipa32.exe C:\Windows\SysWOW64\Mlhqcgnk.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqbala32.exe C:\Windows\SysWOW64\Ojhiogdd.exe N/A
File created C:\Windows\SysWOW64\Qkhnbpne.dll C:\Windows\SysWOW64\Adkqoohc.exe N/A
File created C:\Windows\SysWOW64\Phlepppi.dll C:\Windows\SysWOW64\Akdilipp.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacckp32.exe C:\Windows\SysWOW64\Cnhgjaml.exe N/A
File created C:\Windows\SysWOW64\Gpaihooo.exe C:\Windows\SysWOW64\Glfmgp32.exe N/A
File created C:\Windows\SysWOW64\Mmmncpmp.dll C:\Windows\SysWOW64\Iahgad32.exe N/A
File created C:\Windows\SysWOW64\Lodabb32.dll C:\Windows\SysWOW64\Oifppdpd.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieojgc32.exe C:\Windows\SysWOW64\Inebjihf.exe N/A
File created C:\Windows\SysWOW64\Kidben32.exe C:\Windows\SysWOW64\Kcjjhdjb.exe N/A
File created C:\Windows\SysWOW64\Lplfcf32.exe C:\Windows\SysWOW64\Lhenai32.exe N/A
File created C:\Windows\SysWOW64\Nmdkcj32.dll C:\Windows\SysWOW64\Ljdkll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Akdilipp.exe C:\Windows\SysWOW64\Adkqoohc.exe N/A
File opened for modification C:\Windows\SysWOW64\Dndgfpbo.exe C:\Windows\SysWOW64\Dkekjdck.exe N/A
File created C:\Windows\SysWOW64\Mpaqbf32.dll C:\Windows\SysWOW64\Hbihjifh.exe N/A
File created C:\Windows\SysWOW64\Ipbaol32.exe C:\Windows\SysWOW64\Hihibbjo.exe N/A
File created C:\Windows\SysWOW64\Mpeiie32.exe C:\Windows\SysWOW64\Mjlalkmd.exe N/A
File created C:\Windows\SysWOW64\Ofgdcipq.exe C:\Windows\SysWOW64\Ocihgnam.exe N/A
File created C:\Windows\SysWOW64\Oncelonn.dll C:\Windows\SysWOW64\Edbiniff.exe N/A
File created C:\Windows\SysWOW64\Gakbde32.dll C:\Windows\SysWOW64\Hhfpbpdo.exe N/A
File created C:\Windows\SysWOW64\Mgfhfd32.dll C:\Windows\SysWOW64\Kocgbend.exe N/A
File opened for modification C:\Windows\SysWOW64\Mbgeqmjp.exe C:\Windows\SysWOW64\Mpeiie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amnlme32.exe C:\Windows\SysWOW64\Akpoaj32.exe N/A
File created C:\Windows\SysWOW64\Qnbidcgp.dll C:\Windows\SysWOW64\Bkgeainn.exe N/A
File opened for modification C:\Windows\SysWOW64\Conanfli.exe C:\Windows\SysWOW64\Cggimh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe C:\Windows\SysWOW64\Cpbjkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcfbkpab.exe C:\Windows\SysWOW64\Mlljnf32.exe N/A
File created C:\Windows\SysWOW64\Llgdkbfj.dll C:\Windows\SysWOW64\Nfldgk32.exe N/A
File created C:\Windows\SysWOW64\Obnehj32.exe C:\Windows\SysWOW64\Oophlo32.exe N/A
File created C:\Windows\SysWOW64\Ocnabm32.exe C:\Windows\SysWOW64\Omdieb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe C:\Windows\SysWOW64\Ofgdcipq.exe N/A
File created C:\Windows\SysWOW64\Pjjfdfbb.exe C:\Windows\SysWOW64\Pbcncibp.exe N/A
File created C:\Windows\SysWOW64\Bogkmgba.exe C:\Windows\SysWOW64\Bhmbqm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebifmm32.exe C:\Windows\SysWOW64\Ehpadhll.exe N/A
File created C:\Windows\SysWOW64\Hihibbjo.exe C:\Windows\SysWOW64\Haaaaeim.exe N/A
File opened for modification C:\Windows\SysWOW64\Khlklj32.exe C:\Windows\SysWOW64\Kemooo32.exe N/A
File created C:\Windows\SysWOW64\Gnobcjlg.dll C:\Windows\SysWOW64\Ggfglb32.exe N/A
File created C:\Windows\SysWOW64\Gaebef32.exe C:\Windows\SysWOW64\Geoapenf.exe N/A
File created C:\Windows\SysWOW64\Lllagh32.exe C:\Windows\SysWOW64\Lindkm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfccogfc.exe C:\Windows\SysWOW64\Pbhgoh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmeandma.exe C:\Windows\SysWOW64\Bkgeainn.exe N/A
File created C:\Windows\SysWOW64\Anfmbd32.dll C:\Windows\SysWOW64\Dnajppda.exe N/A
File created C:\Windows\SysWOW64\Ebaplnie.exe C:\Windows\SysWOW64\Dkhgod32.exe N/A
File created C:\Windows\SysWOW64\Fdnhih32.exe C:\Windows\SysWOW64\Figgdg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocdnln32.exe C:\Windows\SysWOW64\Nmjfodne.exe N/A
File created C:\Windows\SysWOW64\Nnndji32.dll C:\Windows\SysWOW64\Oiccje32.exe N/A
File created C:\Windows\SysWOW64\Omdieb32.exe C:\Windows\SysWOW64\Oihmedma.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpaihooo.exe C:\Windows\SysWOW64\Glfmgp32.exe N/A
File created C:\Windows\SysWOW64\Joqafgni.exe C:\Windows\SysWOW64\Jhgiim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhplpl32.exe C:\Windows\SysWOW64\Jafdcbge.exe N/A
File created C:\Windows\SysWOW64\Nckkfp32.exe C:\Windows\SysWOW64\Nqmojd32.exe N/A
File created C:\Windows\SysWOW64\Jgbfjmkq.dll C:\Windows\SysWOW64\Mjpjgj32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Pififb32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hhimhobl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcaipa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Noblkqca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebaplnie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Giecfejd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gnblnlhl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iijfhbhl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnhgjaml.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iialhaad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcmodajm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Objkmkjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pafkgphl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdfpkm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boenhgdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkekjdck.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebdlangb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jifecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfepdg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkhgod32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kidben32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Piocecgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cglbhhga.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eohmkb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebfign32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Inebjihf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cncnob32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieagmcmq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibgdlg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcclncbh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Legben32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlmchoan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hhfpbpdo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nciopppp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fajbjh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chkobkod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjlalkmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Galoohke.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbccge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofgdcipq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Damfao32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipbaol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jihbip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpeiie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bogkmgba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfpell32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lpepbgbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mablfnne.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqmojd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocnabm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Geoapenf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jldbpl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jikoopij.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofckhj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppgomnai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgeenfog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ggfglb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljdkll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obqanjdb.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll" C:\Windows\SysWOW64\Nblolm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoejj32.dll" C:\Windows\SysWOW64\Obnehj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdfpkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Klekfinp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Klndfj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lcfidb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpeiie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll" C:\Windows\SysWOW64\Pbcncibp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pbhgoh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dakikoom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hlmchoan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll" C:\Windows\SysWOW64\Ipbaol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iojkeh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iahgad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll" C:\Windows\SysWOW64\Mpeiie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Edplhjhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Galoohke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll" C:\Windows\SysWOW64\Cglbhhga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll" C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dakikoom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkcqhdh.dll" C:\Windows\SysWOW64\Dkhgod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jaonbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kemooo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bacjdbch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmphaaln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll" C:\Windows\SysWOW64\Nijqcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oqklkbbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akdilipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffaen32.dll" C:\Windows\SysWOW64\Ppgomnai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" C:\Windows\SysWOW64\Chdialdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll" C:\Windows\SysWOW64\Dolmodpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mbgeqmjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" C:\Windows\SysWOW64\Piocecgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nijqcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cklhcfle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkekjdck.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Finnef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nfldgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll" C:\Windows\SysWOW64\Nbebbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll" C:\Windows\SysWOW64\Ookoaokf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aonhghjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cglbhhga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Khiofk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mlljnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll" C:\Windows\SysWOW64\Aphnnafb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ihbponja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hihibbjo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Khiofk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nciopppp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ocihgnam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ojhiogdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll" C:\Windows\SysWOW64\Pjjfdfbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Geoapenf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Inebjihf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll" C:\Windows\SysWOW64\Ilkoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lhcali32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll" C:\Windows\SysWOW64\Oihmedma.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ddkbmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Filapfbo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe C:\Windows\SysWOW64\Aphnnafb.exe
PID 5036 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe C:\Windows\SysWOW64\Aphnnafb.exe
PID 5036 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe C:\Windows\SysWOW64\Aphnnafb.exe
PID 3764 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Ahofoogd.exe
PID 3764 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Ahofoogd.exe
PID 3764 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Aphnnafb.exe C:\Windows\SysWOW64\Ahofoogd.exe
PID 3092 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ahofoogd.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 3092 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ahofoogd.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 3092 wrote to memory of 3328 N/A C:\Windows\SysWOW64\Ahofoogd.exe C:\Windows\SysWOW64\Aknbkjfh.exe
PID 3328 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aagkhd32.exe
PID 3328 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aagkhd32.exe
PID 3328 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aagkhd32.exe
PID 2024 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Aagkhd32.exe C:\Windows\SysWOW64\Adfgdpmi.exe
PID 2024 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Aagkhd32.exe C:\Windows\SysWOW64\Adfgdpmi.exe
PID 2024 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Aagkhd32.exe C:\Windows\SysWOW64\Adfgdpmi.exe
PID 4848 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Adfgdpmi.exe C:\Windows\SysWOW64\Akpoaj32.exe
PID 4848 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Adfgdpmi.exe C:\Windows\SysWOW64\Akpoaj32.exe
PID 4848 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Adfgdpmi.exe C:\Windows\SysWOW64\Akpoaj32.exe
PID 2380 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Akpoaj32.exe C:\Windows\SysWOW64\Amnlme32.exe
PID 2380 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Akpoaj32.exe C:\Windows\SysWOW64\Amnlme32.exe
PID 2380 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Akpoaj32.exe C:\Windows\SysWOW64\Amnlme32.exe
PID 2172 wrote to memory of 116 N/A C:\Windows\SysWOW64\Amnlme32.exe C:\Windows\SysWOW64\Adhdjpjf.exe
PID 2172 wrote to memory of 116 N/A C:\Windows\SysWOW64\Amnlme32.exe C:\Windows\SysWOW64\Adhdjpjf.exe
PID 2172 wrote to memory of 116 N/A C:\Windows\SysWOW64\Amnlme32.exe C:\Windows\SysWOW64\Adhdjpjf.exe
PID 116 wrote to memory of 2084 N/A C:\Windows\SysWOW64\Adhdjpjf.exe C:\Windows\SysWOW64\Aggpfkjj.exe
PID 116 wrote to memory of 2084 N/A C:\Windows\SysWOW64\Adhdjpjf.exe C:\Windows\SysWOW64\Aggpfkjj.exe
PID 116 wrote to memory of 2084 N/A C:\Windows\SysWOW64\Adhdjpjf.exe C:\Windows\SysWOW64\Aggpfkjj.exe
PID 2084 wrote to memory of 4080 N/A C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Aonhghjl.exe
PID 2084 wrote to memory of 4080 N/A C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Aonhghjl.exe
PID 2084 wrote to memory of 4080 N/A C:\Windows\SysWOW64\Aggpfkjj.exe C:\Windows\SysWOW64\Aonhghjl.exe
PID 4080 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Aonhghjl.exe C:\Windows\SysWOW64\Aaldccip.exe
PID 4080 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Aonhghjl.exe C:\Windows\SysWOW64\Aaldccip.exe
PID 4080 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Aonhghjl.exe C:\Windows\SysWOW64\Aaldccip.exe
PID 4276 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Aaldccip.exe C:\Windows\SysWOW64\Adkqoohc.exe
PID 4276 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Aaldccip.exe C:\Windows\SysWOW64\Adkqoohc.exe
PID 4276 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Aaldccip.exe C:\Windows\SysWOW64\Adkqoohc.exe
PID 4864 wrote to memory of 1184 N/A C:\Windows\SysWOW64\Adkqoohc.exe C:\Windows\SysWOW64\Akdilipp.exe
PID 4864 wrote to memory of 1184 N/A C:\Windows\SysWOW64\Adkqoohc.exe C:\Windows\SysWOW64\Akdilipp.exe
PID 4864 wrote to memory of 1184 N/A C:\Windows\SysWOW64\Adkqoohc.exe C:\Windows\SysWOW64\Akdilipp.exe
PID 1184 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Akdilipp.exe C:\Windows\SysWOW64\Aaoaic32.exe
PID 1184 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Akdilipp.exe C:\Windows\SysWOW64\Aaoaic32.exe
PID 1184 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Akdilipp.exe C:\Windows\SysWOW64\Aaoaic32.exe
PID 2008 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Aaoaic32.exe C:\Windows\SysWOW64\Bdmmeo32.exe
PID 2008 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Aaoaic32.exe C:\Windows\SysWOW64\Bdmmeo32.exe
PID 2008 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Aaoaic32.exe C:\Windows\SysWOW64\Bdmmeo32.exe
PID 1936 wrote to memory of 4124 N/A C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Bkgeainn.exe
PID 1936 wrote to memory of 4124 N/A C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Bkgeainn.exe
PID 1936 wrote to memory of 4124 N/A C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Bkgeainn.exe
PID 4124 wrote to memory of 528 N/A C:\Windows\SysWOW64\Bkgeainn.exe C:\Windows\SysWOW64\Bmeandma.exe
PID 4124 wrote to memory of 528 N/A C:\Windows\SysWOW64\Bkgeainn.exe C:\Windows\SysWOW64\Bmeandma.exe
PID 4124 wrote to memory of 528 N/A C:\Windows\SysWOW64\Bkgeainn.exe C:\Windows\SysWOW64\Bmeandma.exe
PID 528 wrote to memory of 4112 N/A C:\Windows\SysWOW64\Bmeandma.exe C:\Windows\SysWOW64\Bdojjo32.exe
PID 528 wrote to memory of 4112 N/A C:\Windows\SysWOW64\Bmeandma.exe C:\Windows\SysWOW64\Bdojjo32.exe
PID 528 wrote to memory of 4112 N/A C:\Windows\SysWOW64\Bmeandma.exe C:\Windows\SysWOW64\Bdojjo32.exe
PID 4112 wrote to memory of 4264 N/A C:\Windows\SysWOW64\Bdojjo32.exe C:\Windows\SysWOW64\Bgnffj32.exe
PID 4112 wrote to memory of 4264 N/A C:\Windows\SysWOW64\Bdojjo32.exe C:\Windows\SysWOW64\Bgnffj32.exe
PID 4112 wrote to memory of 4264 N/A C:\Windows\SysWOW64\Bdojjo32.exe C:\Windows\SysWOW64\Bgnffj32.exe
PID 4264 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Bgnffj32.exe C:\Windows\SysWOW64\Boenhgdd.exe
PID 4264 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Bgnffj32.exe C:\Windows\SysWOW64\Boenhgdd.exe
PID 4264 wrote to memory of 2240 N/A C:\Windows\SysWOW64\Bgnffj32.exe C:\Windows\SysWOW64\Boenhgdd.exe
PID 2240 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Boenhgdd.exe C:\Windows\SysWOW64\Bacjdbch.exe
PID 2240 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Boenhgdd.exe C:\Windows\SysWOW64\Bacjdbch.exe
PID 2240 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Boenhgdd.exe C:\Windows\SysWOW64\Bacjdbch.exe
PID 2012 wrote to memory of 4672 N/A C:\Windows\SysWOW64\Bacjdbch.exe C:\Windows\SysWOW64\Bhmbqm32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe

"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"

C:\Windows\SysWOW64\Aphnnafb.exe

C:\Windows\system32\Aphnnafb.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Adfgdpmi.exe

C:\Windows\system32\Adfgdpmi.exe

C:\Windows\SysWOW64\Akpoaj32.exe

C:\Windows\system32\Akpoaj32.exe

C:\Windows\SysWOW64\Amnlme32.exe

C:\Windows\system32\Amnlme32.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Aonhghjl.exe

C:\Windows\system32\Aonhghjl.exe

C:\Windows\SysWOW64\Aaldccip.exe

C:\Windows\system32\Aaldccip.exe

C:\Windows\SysWOW64\Adkqoohc.exe

C:\Windows\system32\Adkqoohc.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Aaoaic32.exe

C:\Windows\system32\Aaoaic32.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Bnoddcef.exe

C:\Windows\system32\Bnoddcef.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Conanfli.exe

C:\Windows\system32\Conanfli.exe

C:\Windows\SysWOW64\Cponen32.exe

C:\Windows\system32\Cponen32.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Cpbjkn32.exe

C:\Windows\system32\Cpbjkn32.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Cglbhhga.exe

C:\Windows\system32\Cglbhhga.exe

C:\Windows\SysWOW64\Cocjiehd.exe

C:\Windows\system32\Cocjiehd.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Chkobkod.exe

C:\Windows\system32\Chkobkod.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cnhgjaml.exe

C:\Windows\system32\Cnhgjaml.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Cdbpgl32.exe

C:\Windows\system32\Cdbpgl32.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cklhcfle.exe

C:\Windows\system32\Cklhcfle.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Dgeenfog.exe

C:\Windows\system32\Dgeenfog.exe

C:\Windows\SysWOW64\Dolmodpi.exe

C:\Windows\system32\Dolmodpi.exe

C:\Windows\SysWOW64\Dakikoom.exe

C:\Windows\system32\Dakikoom.exe

C:\Windows\SysWOW64\Dhdbhifj.exe

C:\Windows\system32\Dhdbhifj.exe

C:\Windows\SysWOW64\Dnajppda.exe

C:\Windows\system32\Dnajppda.exe

C:\Windows\SysWOW64\Damfao32.exe

C:\Windows\system32\Damfao32.exe

C:\Windows\SysWOW64\Ddkbmj32.exe

C:\Windows\system32\Ddkbmj32.exe

C:\Windows\SysWOW64\Dkekjdck.exe

C:\Windows\system32\Dkekjdck.exe

C:\Windows\SysWOW64\Dndgfpbo.exe

C:\Windows\system32\Dndgfpbo.exe

C:\Windows\SysWOW64\Dkhgod32.exe

C:\Windows\system32\Dkhgod32.exe

C:\Windows\SysWOW64\Ebaplnie.exe

C:\Windows\system32\Ebaplnie.exe

C:\Windows\SysWOW64\Edplhjhi.exe

C:\Windows\system32\Edplhjhi.exe

C:\Windows\SysWOW64\Ekjded32.exe

C:\Windows\system32\Ekjded32.exe

C:\Windows\SysWOW64\Ebdlangb.exe

C:\Windows\system32\Ebdlangb.exe

C:\Windows\SysWOW64\Edbiniff.exe

C:\Windows\system32\Edbiniff.exe

C:\Windows\SysWOW64\Eohmkb32.exe

C:\Windows\system32\Eohmkb32.exe

C:\Windows\SysWOW64\Ebfign32.exe

C:\Windows\system32\Ebfign32.exe

C:\Windows\SysWOW64\Ehpadhll.exe

C:\Windows\system32\Ehpadhll.exe

C:\Windows\SysWOW64\Ebifmm32.exe

C:\Windows\system32\Ebifmm32.exe

C:\Windows\SysWOW64\Ebkbbmqj.exe

C:\Windows\system32\Ebkbbmqj.exe

C:\Windows\SysWOW64\Fqppci32.exe

C:\Windows\system32\Fqppci32.exe

C:\Windows\SysWOW64\Figgdg32.exe

C:\Windows\system32\Figgdg32.exe

C:\Windows\SysWOW64\Fdnhih32.exe

C:\Windows\system32\Fdnhih32.exe

C:\Windows\SysWOW64\Fkhpfbce.exe

C:\Windows\system32\Fkhpfbce.exe

C:\Windows\SysWOW64\Filapfbo.exe

C:\Windows\system32\Filapfbo.exe

C:\Windows\SysWOW64\Fofilp32.exe

C:\Windows\system32\Fofilp32.exe

C:\Windows\SysWOW64\Finnef32.exe

C:\Windows\system32\Finnef32.exe

C:\Windows\SysWOW64\Fnkfmm32.exe

C:\Windows\system32\Fnkfmm32.exe

C:\Windows\SysWOW64\Fajbjh32.exe

C:\Windows\system32\Fajbjh32.exe

C:\Windows\SysWOW64\Galoohke.exe

C:\Windows\system32\Galoohke.exe

C:\Windows\SysWOW64\Ggfglb32.exe

C:\Windows\system32\Ggfglb32.exe

C:\Windows\SysWOW64\Ganldgib.exe

C:\Windows\system32\Ganldgib.exe

C:\Windows\SysWOW64\Giecfejd.exe

C:\Windows\system32\Giecfejd.exe

C:\Windows\SysWOW64\Gnblnlhl.exe

C:\Windows\system32\Gnblnlhl.exe

C:\Windows\SysWOW64\Gihpkd32.exe

C:\Windows\system32\Gihpkd32.exe

C:\Windows\SysWOW64\Glfmgp32.exe

C:\Windows\system32\Glfmgp32.exe

C:\Windows\SysWOW64\Gpaihooo.exe

C:\Windows\system32\Gpaihooo.exe

C:\Windows\SysWOW64\Geoapenf.exe

C:\Windows\system32\Geoapenf.exe

C:\Windows\SysWOW64\Gaebef32.exe

C:\Windows\system32\Gaebef32.exe

C:\Windows\SysWOW64\Hnibokbd.exe

C:\Windows\system32\Hnibokbd.exe

C:\Windows\SysWOW64\Hahokfag.exe

C:\Windows\system32\Hahokfag.exe

C:\Windows\SysWOW64\Hhaggp32.exe

C:\Windows\system32\Hhaggp32.exe

C:\Windows\SysWOW64\Hlmchoan.exe

C:\Windows\system32\Hlmchoan.exe

C:\Windows\SysWOW64\Hbgkei32.exe

C:\Windows\system32\Hbgkei32.exe

C:\Windows\SysWOW64\Heegad32.exe

C:\Windows\system32\Heegad32.exe

C:\Windows\SysWOW64\Hlppno32.exe

C:\Windows\system32\Hlppno32.exe

C:\Windows\SysWOW64\Hbihjifh.exe

C:\Windows\system32\Hbihjifh.exe

C:\Windows\SysWOW64\Halhfe32.exe

C:\Windows\system32\Halhfe32.exe

C:\Windows\SysWOW64\Hhfpbpdo.exe

C:\Windows\system32\Hhfpbpdo.exe

C:\Windows\SysWOW64\Hlblcn32.exe

C:\Windows\system32\Hlblcn32.exe

C:\Windows\SysWOW64\Hbldphde.exe

C:\Windows\system32\Hbldphde.exe

C:\Windows\SysWOW64\Hejqldci.exe

C:\Windows\system32\Hejqldci.exe

C:\Windows\SysWOW64\Hhimhobl.exe

C:\Windows\system32\Hhimhobl.exe

C:\Windows\SysWOW64\Hnbeeiji.exe

C:\Windows\system32\Hnbeeiji.exe

C:\Windows\SysWOW64\Haaaaeim.exe

C:\Windows\system32\Haaaaeim.exe

C:\Windows\SysWOW64\Hihibbjo.exe

C:\Windows\system32\Hihibbjo.exe

C:\Windows\SysWOW64\Ipbaol32.exe

C:\Windows\system32\Ipbaol32.exe

C:\Windows\SysWOW64\Inebjihf.exe

C:\Windows\system32\Inebjihf.exe

C:\Windows\SysWOW64\Ieojgc32.exe

C:\Windows\system32\Ieojgc32.exe

C:\Windows\SysWOW64\Iijfhbhl.exe

C:\Windows\system32\Iijfhbhl.exe

C:\Windows\SysWOW64\Ipdndloi.exe

C:\Windows\system32\Ipdndloi.exe

C:\Windows\SysWOW64\Iogopi32.exe

C:\Windows\system32\Iogopi32.exe

C:\Windows\SysWOW64\Ieagmcmq.exe

C:\Windows\system32\Ieagmcmq.exe

C:\Windows\SysWOW64\Ihpcinld.exe

C:\Windows\system32\Ihpcinld.exe

C:\Windows\SysWOW64\Ilkoim32.exe

C:\Windows\system32\Ilkoim32.exe

C:\Windows\SysWOW64\Iojkeh32.exe

C:\Windows\system32\Iojkeh32.exe

C:\Windows\SysWOW64\Iahgad32.exe

C:\Windows\system32\Iahgad32.exe

C:\Windows\SysWOW64\Ihbponja.exe

C:\Windows\system32\Ihbponja.exe

C:\Windows\SysWOW64\Iolhkh32.exe

C:\Windows\system32\Iolhkh32.exe

C:\Windows\SysWOW64\Ibgdlg32.exe

C:\Windows\system32\Ibgdlg32.exe

C:\Windows\SysWOW64\Iialhaad.exe

C:\Windows\system32\Iialhaad.exe

C:\Windows\SysWOW64\Ilphdlqh.exe

C:\Windows\system32\Ilphdlqh.exe

C:\Windows\SysWOW64\Iondqhpl.exe

C:\Windows\system32\Iondqhpl.exe

C:\Windows\SysWOW64\Iehmmb32.exe

C:\Windows\system32\Iehmmb32.exe

C:\Windows\SysWOW64\Jhgiim32.exe

C:\Windows\system32\Jhgiim32.exe

C:\Windows\SysWOW64\Joqafgni.exe

C:\Windows\system32\Joqafgni.exe

C:\Windows\SysWOW64\Jaonbc32.exe

C:\Windows\system32\Jaonbc32.exe

C:\Windows\SysWOW64\Jifecp32.exe

C:\Windows\system32\Jifecp32.exe

C:\Windows\SysWOW64\Jldbpl32.exe

C:\Windows\system32\Jldbpl32.exe

C:\Windows\SysWOW64\Jocnlg32.exe

C:\Windows\system32\Jocnlg32.exe

C:\Windows\SysWOW64\Jihbip32.exe

C:\Windows\system32\Jihbip32.exe

C:\Windows\SysWOW64\Jpbjfjci.exe

C:\Windows\system32\Jpbjfjci.exe

C:\Windows\SysWOW64\Jadgnb32.exe

C:\Windows\system32\Jadgnb32.exe

C:\Windows\SysWOW64\Jikoopij.exe

C:\Windows\system32\Jikoopij.exe

C:\Windows\SysWOW64\Jlikkkhn.exe

C:\Windows\system32\Jlikkkhn.exe

C:\Windows\SysWOW64\Jbccge32.exe

C:\Windows\system32\Jbccge32.exe

C:\Windows\SysWOW64\Jafdcbge.exe

C:\Windows\system32\Jafdcbge.exe

C:\Windows\SysWOW64\Jhplpl32.exe

C:\Windows\system32\Jhplpl32.exe

C:\Windows\SysWOW64\Jojdlfeo.exe

C:\Windows\system32\Jojdlfeo.exe

C:\Windows\SysWOW64\Jbepme32.exe

C:\Windows\system32\Jbepme32.exe

C:\Windows\SysWOW64\Kiphjo32.exe

C:\Windows\system32\Kiphjo32.exe

C:\Windows\SysWOW64\Klndfj32.exe

C:\Windows\system32\Klndfj32.exe

C:\Windows\SysWOW64\Kbhmbdle.exe

C:\Windows\system32\Kbhmbdle.exe

C:\Windows\SysWOW64\Kefiopki.exe

C:\Windows\system32\Kefiopki.exe

C:\Windows\SysWOW64\Klpakj32.exe

C:\Windows\system32\Klpakj32.exe

C:\Windows\SysWOW64\Koonge32.exe

C:\Windows\system32\Koonge32.exe

C:\Windows\SysWOW64\Kcjjhdjb.exe

C:\Windows\system32\Kcjjhdjb.exe

C:\Windows\SysWOW64\Kidben32.exe

C:\Windows\system32\Kidben32.exe

C:\Windows\SysWOW64\Kapfiqoj.exe

C:\Windows\system32\Kapfiqoj.exe

C:\Windows\SysWOW64\Khiofk32.exe

C:\Windows\system32\Khiofk32.exe

C:\Windows\SysWOW64\Klekfinp.exe

C:\Windows\system32\Klekfinp.exe

C:\Windows\SysWOW64\Kocgbend.exe

C:\Windows\system32\Kocgbend.exe

C:\Windows\SysWOW64\Kemooo32.exe

C:\Windows\system32\Kemooo32.exe

C:\Windows\SysWOW64\Khlklj32.exe

C:\Windows\system32\Khlklj32.exe

C:\Windows\SysWOW64\Kofdhd32.exe

C:\Windows\system32\Kofdhd32.exe

C:\Windows\SysWOW64\Kadpdp32.exe

C:\Windows\system32\Kadpdp32.exe

C:\Windows\SysWOW64\Lhnhajba.exe

C:\Windows\system32\Lhnhajba.exe

C:\Windows\SysWOW64\Lpepbgbd.exe

C:\Windows\system32\Lpepbgbd.exe

C:\Windows\SysWOW64\Lcclncbh.exe

C:\Windows\system32\Lcclncbh.exe

C:\Windows\SysWOW64\Lindkm32.exe

C:\Windows\system32\Lindkm32.exe

C:\Windows\SysWOW64\Lllagh32.exe

C:\Windows\system32\Lllagh32.exe

C:\Windows\SysWOW64\Lcfidb32.exe

C:\Windows\system32\Lcfidb32.exe

C:\Windows\SysWOW64\Ledepn32.exe

C:\Windows\system32\Ledepn32.exe

C:\Windows\SysWOW64\Lhcali32.exe

C:\Windows\system32\Lhcali32.exe

C:\Windows\SysWOW64\Lomjicei.exe

C:\Windows\system32\Lomjicei.exe

C:\Windows\SysWOW64\Legben32.exe

C:\Windows\system32\Legben32.exe

C:\Windows\SysWOW64\Lhenai32.exe

C:\Windows\system32\Lhenai32.exe

C:\Windows\SysWOW64\Lplfcf32.exe

C:\Windows\system32\Lplfcf32.exe

C:\Windows\SysWOW64\Lancko32.exe

C:\Windows\system32\Lancko32.exe

C:\Windows\SysWOW64\Ljdkll32.exe

C:\Windows\system32\Ljdkll32.exe

C:\Windows\SysWOW64\Lhgkgijg.exe

C:\Windows\system32\Lhgkgijg.exe

C:\Windows\SysWOW64\Lcmodajm.exe

C:\Windows\system32\Lcmodajm.exe

C:\Windows\SysWOW64\Mfkkqmiq.exe

C:\Windows\system32\Mfkkqmiq.exe

C:\Windows\SysWOW64\Mledmg32.exe

C:\Windows\system32\Mledmg32.exe

C:\Windows\SysWOW64\Mpapnfhg.exe

C:\Windows\system32\Mpapnfhg.exe

C:\Windows\SysWOW64\Mablfnne.exe

C:\Windows\system32\Mablfnne.exe

C:\Windows\SysWOW64\Mjidgkog.exe

C:\Windows\system32\Mjidgkog.exe

C:\Windows\SysWOW64\Mlhqcgnk.exe

C:\Windows\system32\Mlhqcgnk.exe

C:\Windows\SysWOW64\Mcaipa32.exe

C:\Windows\system32\Mcaipa32.exe

C:\Windows\SysWOW64\Mfpell32.exe

C:\Windows\system32\Mfpell32.exe

C:\Windows\SysWOW64\Mjlalkmd.exe

C:\Windows\system32\Mjlalkmd.exe

C:\Windows\SysWOW64\Mpeiie32.exe

C:\Windows\system32\Mpeiie32.exe

C:\Windows\SysWOW64\Mbgeqmjp.exe

C:\Windows\system32\Mbgeqmjp.exe

C:\Windows\SysWOW64\Mhanngbl.exe

C:\Windows\system32\Mhanngbl.exe

C:\Windows\SysWOW64\Mlljnf32.exe

C:\Windows\system32\Mlljnf32.exe

C:\Windows\SysWOW64\Mcfbkpab.exe

C:\Windows\system32\Mcfbkpab.exe

C:\Windows\SysWOW64\Mjpjgj32.exe

C:\Windows\system32\Mjpjgj32.exe

C:\Windows\SysWOW64\Mlofcf32.exe

C:\Windows\system32\Mlofcf32.exe

C:\Windows\SysWOW64\Nciopppp.exe

C:\Windows\system32\Nciopppp.exe

C:\Windows\SysWOW64\Nblolm32.exe

C:\Windows\system32\Nblolm32.exe

C:\Windows\SysWOW64\Nhegig32.exe

C:\Windows\system32\Nhegig32.exe

C:\Windows\SysWOW64\Nqmojd32.exe

C:\Windows\system32\Nqmojd32.exe

C:\Windows\SysWOW64\Nckkfp32.exe

C:\Windows\system32\Nckkfp32.exe

C:\Windows\SysWOW64\Njedbjej.exe

C:\Windows\system32\Njedbjej.exe

C:\Windows\SysWOW64\Nmcpoedn.exe

C:\Windows\system32\Nmcpoedn.exe

C:\Windows\SysWOW64\Noblkqca.exe

C:\Windows\system32\Noblkqca.exe

C:\Windows\SysWOW64\Nfldgk32.exe

C:\Windows\system32\Nfldgk32.exe

C:\Windows\SysWOW64\Nijqcf32.exe

C:\Windows\system32\Nijqcf32.exe

C:\Windows\SysWOW64\Nmfmde32.exe

C:\Windows\system32\Nmfmde32.exe

C:\Windows\SysWOW64\Nqaiecjd.exe

C:\Windows\system32\Nqaiecjd.exe

C:\Windows\SysWOW64\Nbbeml32.exe

C:\Windows\system32\Nbbeml32.exe

C:\Windows\SysWOW64\Njjmni32.exe

C:\Windows\system32\Njjmni32.exe

C:\Windows\SysWOW64\Nqcejcha.exe

C:\Windows\system32\Nqcejcha.exe

C:\Windows\SysWOW64\Nbebbk32.exe

C:\Windows\system32\Nbebbk32.exe

C:\Windows\SysWOW64\Njljch32.exe

C:\Windows\system32\Njljch32.exe

C:\Windows\SysWOW64\Nmjfodne.exe

C:\Windows\system32\Nmjfodne.exe

C:\Windows\SysWOW64\Ocdnln32.exe

C:\Windows\system32\Ocdnln32.exe

C:\Windows\SysWOW64\Ofckhj32.exe

C:\Windows\system32\Ofckhj32.exe

C:\Windows\SysWOW64\Oiagde32.exe

C:\Windows\system32\Oiagde32.exe

C:\Windows\SysWOW64\Ookoaokf.exe

C:\Windows\system32\Ookoaokf.exe

C:\Windows\SysWOW64\Objkmkjj.exe

C:\Windows\system32\Objkmkjj.exe

C:\Windows\SysWOW64\Oiccje32.exe

C:\Windows\system32\Oiccje32.exe

C:\Windows\SysWOW64\Oqklkbbi.exe

C:\Windows\system32\Oqklkbbi.exe

C:\Windows\SysWOW64\Ocihgnam.exe

C:\Windows\system32\Ocihgnam.exe

C:\Windows\SysWOW64\Ofgdcipq.exe

C:\Windows\system32\Ofgdcipq.exe

C:\Windows\SysWOW64\Oifppdpd.exe

C:\Windows\system32\Oifppdpd.exe

C:\Windows\SysWOW64\Oophlo32.exe

C:\Windows\system32\Oophlo32.exe

C:\Windows\SysWOW64\Obnehj32.exe

C:\Windows\system32\Obnehj32.exe

C:\Windows\SysWOW64\Oihmedma.exe

C:\Windows\system32\Oihmedma.exe

C:\Windows\SysWOW64\Omdieb32.exe

C:\Windows\system32\Omdieb32.exe

C:\Windows\SysWOW64\Ocnabm32.exe

C:\Windows\system32\Ocnabm32.exe

C:\Windows\SysWOW64\Obqanjdb.exe

C:\Windows\system32\Obqanjdb.exe

C:\Windows\SysWOW64\Ojhiogdd.exe

C:\Windows\system32\Ojhiogdd.exe

C:\Windows\SysWOW64\Pqbala32.exe

C:\Windows\system32\Pqbala32.exe

C:\Windows\SysWOW64\Pbcncibp.exe

C:\Windows\system32\Pbcncibp.exe

C:\Windows\SysWOW64\Pjjfdfbb.exe

C:\Windows\system32\Pjjfdfbb.exe

C:\Windows\SysWOW64\Pimfpc32.exe

C:\Windows\system32\Pimfpc32.exe

C:\Windows\SysWOW64\Ppgomnai.exe

C:\Windows\system32\Ppgomnai.exe

C:\Windows\SysWOW64\Pfagighf.exe

C:\Windows\system32\Pfagighf.exe

C:\Windows\SysWOW64\Piocecgj.exe

C:\Windows\system32\Piocecgj.exe

C:\Windows\SysWOW64\Pafkgphl.exe

C:\Windows\system32\Pafkgphl.exe

C:\Windows\SysWOW64\Pbhgoh32.exe

C:\Windows\system32\Pbhgoh32.exe

C:\Windows\SysWOW64\Pfccogfc.exe

C:\Windows\system32\Pfccogfc.exe

C:\Windows\SysWOW64\Pmmlla32.exe

C:\Windows\system32\Pmmlla32.exe

C:\Windows\SysWOW64\Paihlpfi.exe

C:\Windows\system32\Paihlpfi.exe

C:\Windows\SysWOW64\Pfepdg32.exe

C:\Windows\system32\Pfepdg32.exe

C:\Windows\SysWOW64\Pjaleemj.exe

C:\Windows\system32\Pjaleemj.exe

C:\Windows\SysWOW64\Pmphaaln.exe

C:\Windows\system32\Pmphaaln.exe

C:\Windows\SysWOW64\Ppnenlka.exe

C:\Windows\system32\Ppnenlka.exe

C:\Windows\SysWOW64\Pfhmjf32.exe

C:\Windows\system32\Pfhmjf32.exe

C:\Windows\SysWOW64\Pififb32.exe

C:\Windows\system32\Pififb32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8016 -ip 8016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8016 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/5036-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aphnnafb.exe

MD5 42c3f1c899a048b0f34d10deb25082cd
SHA1 7e1c245affcb849e970782f4da4abec88c0677f8
SHA256 a3733c0b96ff5fffb87cc9a61bd97318a8893761c672b9937145555e74c7e68b
SHA512 54a9007c94f16316aa8aab0f2877bf57a4374997d3f931219d2b7b935bd417cf899c4e61d88fbd26f59d25878639a12dcfe54aac03a2585bb811a8f74c2b1c0a

memory/3764-7-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ahofoogd.exe

MD5 1fc9eec38c4cd05eaafd554acc9729ab
SHA1 4cbcc69733306b7182592128a063e66aa9793d1b
SHA256 0eda7adecc92ccfbe46448283078155b46542053255b6f8ceb58d69eb67de11f
SHA512 787e884f43271e2e5b74d8eb1368c023feaaed3e9f161b2fe9337a08ea6a9aaea4c004f66932c6d9c8f984034b860db397b281d7941f490509715f4ca6137ba3

memory/3092-16-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aknbkjfh.exe

MD5 6fbacab4b5b4e2d4b6e4c6e2b9a5ef83
SHA1 32e35a9822732f780a192721d6b2009a2bf4594a
SHA256 3caf9f039a467e7d95f6e4010995a666e992dc0467febbb6e11ec77dc7ae50bf
SHA512 9135501333a694da1bac1fddc233e9726c169752a3505115bcd7101ac52e0eab7206ecd0d65bae515230641547ca7128ccf05d6a4f89484fc25679c0f4e11740

memory/3328-23-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aagkhd32.exe

MD5 431fdf7c752ff8122efa75d2dd4a0892
SHA1 bbe636c9ceeb7f358443fffd35c2713d003cc901
SHA256 2417ecc1ae9b90058e99958e4e830bc1c6ce1af1c7204e434105b694d45f2026
SHA512 c6a67fc87a7ebaacc1850556606c2efe1366a685b4392d6c080b1c9e970ec307a8cc8eeea0ea8abcade2ae90826a64863c21314f449b1619a188958ed0cc9526

memory/2024-31-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Geqnma32.dll

MD5 f157bb734332f1421c0381b051d6b4ca
SHA1 1b45b9ee6e305214a0a61c700c420fee8cae1632
SHA256 0d44bf3c4201c0b367c304e3a87b5aff3ebf111d708265271b1fef9c23e846f2
SHA512 9c998b308bdfc8e336d6ac7cf64354eedd4a13aff69e02b62ca8d201a90bddc2533f452043b8c1c08a1a90c32c5fd2480085dba89f77e0e9c2dfbefb3ee3dd8c

C:\Windows\SysWOW64\Adfgdpmi.exe

MD5 6c895ca261450d315ba995b3aad5474b
SHA1 393e8036019a43fd82710deeccfb31a61187e141
SHA256 1495b84fd4089cc49b9dac5ab8e28edb2f2ac554da0b6a67893e2d65dec93aba
SHA512 c6ad2ad73b8be4ec928942d00a439c4cf3efcecafb797ee6c5758ec4468542d0af97a5e2bb0aa46600004e12ec41b3d96de0c80cfb1d116ce5010e7b0d955f7b

memory/4848-39-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Akpoaj32.exe

MD5 9e5da6a61642053fc9c29c64e3f70c60
SHA1 199a382979331a05d5dfbcd0ec83c12d81847616
SHA256 6658f655a76905f25335373d554b67566be26f90207739b21a13cd0a443dee61
SHA512 119e425f4f152ba4bb033458597138589e7d1f7e52f1226e0e849c19b5895346a696531bd35fc1244068aaab0b1b52222a1f2facb9bbb2448d2b763f12ebaec9

memory/2380-48-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Amnlme32.exe

MD5 b609c9ff3538d663cbee4a9254a3d92c
SHA1 e8f0394f39e260cc46b533c61d6a8b103b673e0f
SHA256 5b1b0821a084a21d4316f0cee0aea8d8df7f365126ec7455150ed4dde4e8fc01
SHA512 415d497ea59c651c764ae4ce2bc9993c740750d9258170694d174b5b6cb1ab025b4d519c04814cc15d2747c3dc3e8a7d3b113c2051ee5fb15c1234ea1bdd3573

memory/2172-55-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Adhdjpjf.exe

MD5 3feb0e4a08c3a87e00446599d646816f
SHA1 873c30e167c557364d4dd02dc1199c1c5ff99bcc
SHA256 f69ef05350736e87b18477f4dcbf289733cfeea8658fd19c46d369394882810e
SHA512 b6e4b978e1dbd7d221287017e1f1ff707c2ad7eed025b61d5658dd098b469579dd6ad6ff7c49299cdaaee0f8f7dc02b0554ac8c93773d619a92c02673c8e3ccb

memory/116-63-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aggpfkjj.exe

MD5 380dc53dc941f483a9a6bfde36e47106
SHA1 445dc02742c8270c063f0cac69d648d566eafacb
SHA256 fe0be74169cb87630441e65d022831c9f55b9315b0e79c33d7f8f6a8cd4b56a9
SHA512 5c8c2323cf15a816632ae8967012c8ba51d611b03b18b4b0e87ee66bbe7c5c7a387a9c171ece4196ded0bd17f44ec17fbcda5770a214655a218ec26e97fb0839

memory/2084-72-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aonhghjl.exe

MD5 35c3fe29015478aaf8a884fab7f56ab1
SHA1 d35f159fdfb8f0c399b0cd612e3a6430e4bcd2ef
SHA256 4e69e01f58e17bb01947dd7c10c2f11c89f1b7489a37df1d02d0c840cd01687b
SHA512 70c1072020af2f661f8006e2642172b2ebbf26c54ff81841389e835f2d0be4195036d704c9e4b1ddf8b5c6fc3098aef0e919781a969fd7b8405d64aba3e60f3a

memory/4080-80-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aaldccip.exe

MD5 8b8124ed3ab8e1fa08248487933c78a6
SHA1 93e76bc4bacaf66726893e15310a44e9291c4337
SHA256 2e852812fc3cc220618fc20f40d0fa008b899243c554132b8d1cc601683aef76
SHA512 6496b3e1693a0c2706a4fea3e42c14209c7c71b4b1941bb8c909b9395f3636a26311908d8f512581b5fe69b26d4c493246ff495fc90c9992ee96081070ebc5f9

memory/4276-87-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Adkqoohc.exe

MD5 57830b072c8333a66acaa49b8e905d06
SHA1 95bb27cb5d58cf1b9416d96c7b0ad9213960194f
SHA256 5f6b56daf41a2d449b4e98c778325a748cc014fb65db261cf0dee9657bb21528
SHA512 b0851ef4560f6f30aa354cc820a55e2632f053fe18adac49c5b9764ff404d164b37f2f4fd8368a6eeaabefaba303c2d169470a31553a78fdea0b43cd19d1843e

memory/4864-95-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Akdilipp.exe

MD5 d445f619091891a92c4ed8e81ac3e848
SHA1 04206d4daac501bfddc314d69fdfaaaf4a100b1d
SHA256 f8e88a4fabdc74a93012574aa552718aef98cb791c9b403954067b1e3990bbda
SHA512 bf23567ba12a4ac6fcd1916fc89bb2eddd73818c1413d740007786ddf80c4ef5c8a4f56451bed60c4ca41a0a498db696cb1cc06bde3cab003f75c63f70543321

memory/1184-104-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aaoaic32.exe

MD5 42b20e99894cde2f887c8a9465602953
SHA1 d50890f737aa85bdbf5b6968da8460ac6b2f8bd9
SHA256 38158d9db69b6811ed8007934f3f64dd6c988d24f92475f2927e1560ece9626d
SHA512 0726515abc75db5aa0e753271d6524112b7e81392d9ab7a4983a00f668752755ac6bbaad95a9fa025cb2d95561eb9f1035734ff6e9aa9955d01413c503cf3424

memory/2008-112-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bdmmeo32.exe

MD5 e86d118d978b2fc3d2fcdf6eb3cf6549
SHA1 bc170d5af7d115b7cf8c8c840f0abbbc08c6c925
SHA256 6d766a5d1d10acc22d233edb4a11070536303756dcdf33ba15edb642be766956
SHA512 3af50e7adca43d7d4112fd86327b424dbc0c1b1f37303000078870e21e9ba1cc320d0733063a44ff6832cc09fb7e8e230398eab3c554920e1544add4010841ac

memory/1936-119-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bkgeainn.exe

MD5 deaf6dbdace6ee426219c6c6d47c64cf
SHA1 5eb75599c970af06623f62e58a0ba093e8c61b8c
SHA256 a19f0915a8ebe6eec50b428609cf4a8527225fd4261807677e4fadc81836395a
SHA512 5e6699c36e7e5d225abffcf8cec346c199d41d11df4340598cd46057d8ff053aa20b3e038292cb7987b4254c1ddc61e1b739ea3e32c1d6836af319b1ac1ad324

memory/4124-128-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bmeandma.exe

MD5 cce4189e6aff62a62868d21e4aaaf8e3
SHA1 54fb154a56afd1de703e1c793cc537d8128c5c30
SHA256 d194c16cc5154953969c8590b0928d4e4ed32f652f31f1667a99f186267b38c6
SHA512 50c7255e1dd6328a72df84d3cf9804a3695f733e57fb1b495b041ccd8ed9e26836bddde387a2c1f3085d9381bbbd973b2d9df025881f191ac58e36a336919b54

memory/528-135-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bdojjo32.exe

MD5 3d57a38d528db0ff77ef65dab13b5921
SHA1 64e139d42d379afddca6cbb20a6b57e05325d8e3
SHA256 209663a3888fa1e65f32df2af14ec1610aec3851587262e8c2232f3a20ff28ec
SHA512 88e8673ea659a12d958865c02bbe72ecd8289c32bcfcc1233b36c78b13611de1efae8b589c99e0ff884b11c6b4861127aa9fe0f3cd186290fc0ebdd8a40537a7

memory/4112-143-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bgnffj32.exe

MD5 4302860e76c1a74b7ed2e890e865faff
SHA1 5026cdb6711fb87f304f06ab763a50ab4cccc624
SHA256 9759e84f03eee18a711d87cce7403bc1fa2457b4620da1b4526dfaa9ef17766b
SHA512 9b4f9d7b0c063d45553db130ed9d3d97c9e72b32a2bd6233680a50a957b94ea3f6bf1cd6ec4c1c0a2b3960a43dc94d309984ba6e7047a7b92bcd46b73a432a7c

memory/4264-151-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Boenhgdd.exe

MD5 17cf7e7c22b412e00fcef5a5a5e271e7
SHA1 95465c11b54ee4f8e584b185f9f1c3c6aa6e4b6a
SHA256 2663c62574b40423ada886fc09924b8505dd7c4f83032d431dcc95ea58102255
SHA512 fffc744e94dbc9914c70fa9cc625e9ee681679beb472580a212ddcf533bba424e63c77ef939b9cb1fd0a445cbcefc545152332bd8bae41d5d47f1687b740cd4b

memory/2240-159-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2012-167-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bacjdbch.exe

MD5 d056e525f3126c8518ed573b6d051c40
SHA1 ac92f0d3b847387be113069b3a435ce4fc461de6
SHA256 a056ea8478ab60524ef6c50a6c1a325af41cf4c4708997a73d266f47f2d8f7bb