Malware Analysis Report

2025-01-22 23:29

Sample ID 240916-rw9eyasgjl
Target Trojan.Win32.Cerber.pz-320a853b2629bca03607ebacd24fdbc9760e1dbf5945f5afd95a5636e7bb51c5N
SHA256 320a853b2629bca03607ebacd24fdbc9760e1dbf5945f5afd95a5636e7bb51c5
Tags berbew backdoor discovery persistence
Score 10/10

Analysis Overview

score
10/10

SHA256

320a853b2629bca03607ebacd24fdbc9760e1dbf5945f5afd95a5636e7bb51c5

Threat Level: Known bad

The file Trojan.Win32.Cerber.pz-320a853b2629bca03607ebacd24fdbc9760e1dbf5945f5afd95a5636e7bb51c5N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 14:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 14:33

Reported

2024-09-16 14:35

Platform

win7-20240903-en

Max time kernel

39s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Berbew

backdoor berbew

Executes dropped EXE


Loads dropped DLL


Drops file in System32 directory


Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Opblgehg.exe

System Location Discovery: System Language Discovery

discovery

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bpmkbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lflonn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" C:\Windows\SysWOW64\Lknebaba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Heakefnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnigi32.dll" C:\Windows\SysWOW64\Kjhopjqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keokbali.dll" C:\Windows\SysWOW64\Kkilgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakpllpl.dll" C:\Windows\SysWOW64\Npkfff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll" C:\Windows\SysWOW64\Bpmkbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccpqjfnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjlejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhpabdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndiomdde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Beldao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dajgfboj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kggfnoch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mblcin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Neohqicc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nklaipbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bpmkbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Heakefnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jngkdj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ogjhnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncccnh.dll" C:\Windows\SysWOW64\Heakefnf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ljjhdm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mehbpjjk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogjhnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgildi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acheia32.dll" C:\Windows\SysWOW64\Llbnnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmemme32.dll" C:\Windows\SysWOW64\Mjlejl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idmnga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfaljjdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohkdfhge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjocaab.dll" C:\Windows\SysWOW64\Knjdimdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpfoboml.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iopeoknn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kjhopjqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciifcjnd.dll" C:\Windows\SysWOW64\Kfaljjdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Llbnnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mlgdhcmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhpabdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noplll32.dll" C:\Windows\SysWOW64\Ndiomdde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijio32.dll" C:\Windows\SysWOW64\Bacefpbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgdciiod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Knjdimdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blagna32.dll" C:\Windows\SysWOW64\Ogjhnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahlfoh32.dll" C:\Windows\SysWOW64\Mfceom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mehbpjjk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mhikae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfbbpd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpfoboml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnogkqfo.dll" C:\Windows\SysWOW64\Hmqieh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemldo32.dll" C:\Windows\SysWOW64\Gmcikd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mlgdhcmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djlbkcfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danpld32.dll" C:\Windows\SysWOW64\Ghddnnfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gieaef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fcdbcloi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffeldglk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnickdla.dll" C:\Windows\SysWOW64\Mblcin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Egkehllh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Edofbpja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Efpbih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fladmn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjeman32.dll" C:\Windows\SysWOW64\Jbedkhie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Admgglep.exe
PID 2236 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Admgglep.exe C:\Windows\SysWOW64\Beldao32.exe
PID 2632 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Beldao32.exe C:\Windows\SysWOW64\Bacefpbg.exe
PID 2952 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Bacefpbg.exe C:\Windows\SysWOW64\Bpjnmlel.exe
PID 2760 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Bpjnmlel.exe C:\Windows\SysWOW64\Bpmkbl32.exe
PID 1656 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Bpmkbl32.exe C:\Windows\SysWOW64\Ccnddg32.exe
PID 2556 wrote to memory of 316 N/A C:\Windows\SysWOW64\Ccnddg32.exe C:\Windows\SysWOW64\Ccpqjfnh.exe
PID 316 wrote to memory of 432 N/A C:\Windows\SysWOW64\Ccpqjfnh.exe C:\Windows\SysWOW64\Cgbfcjag.exe
PID 432 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Cgbfcjag.exe C:\Windows\SysWOW64\Cgdciiod.exe
PID 2816 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Cgdciiod.exe C:\Windows\SysWOW64\Dajgfboj.exe
PID 2912 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Dajgfboj.exe C:\Windows\SysWOW64\Dgildi32.exe
PID 2184 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Dgildi32.exe C:\Windows\SysWOW64\Djjeedhp.exe
PID 3016 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Djjeedhp.exe C:\Windows\SysWOW64\Djlbkcfn.exe
PID 1960 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Djlbkcfn.exe C:\Windows\SysWOW64\Dfbbpd32.exe
PID 1724 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Dfbbpd32.exe C:\Windows\SysWOW64\Efeoedjo.exe
PID 2012 wrote to memory of 972 N/A C:\Windows\SysWOW64\Efeoedjo.exe C:\Windows\SysWOW64\Ehfhgogp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"

C:\Windows\SysWOW64\Admgglep.exe

C:\Windows\system32\Admgglep.exe

C:\Windows\SysWOW64\Beldao32.exe

C:\Windows\system32\Beldao32.exe

C:\Windows\SysWOW64\Bacefpbg.exe

C:\Windows\system32\Bacefpbg.exe

C:\Windows\SysWOW64\Bpjnmlel.exe

C:\Windows\system32\Bpjnmlel.exe

C:\Windows\SysWOW64\Bpmkbl32.exe

C:\Windows\system32\Bpmkbl32.exe

C:\Windows\SysWOW64\Ccnddg32.exe

C:\Windows\system32\Ccnddg32.exe

C:\Windows\SysWOW64\Ccpqjfnh.exe

C:\Windows\system32\Ccpqjfnh.exe

C:\Windows\SysWOW64\Cgbfcjag.exe

C:\Windows\system32\Cgbfcjag.exe

C:\Windows\SysWOW64\Cgdciiod.exe

C:\Windows\system32\Cgdciiod.exe

C:\Windows\SysWOW64\Dajgfboj.exe

C:\Windows\system32\Dajgfboj.exe

C:\Windows\SysWOW64\Dgildi32.exe

C:\Windows\system32\Dgildi32.exe

C:\Windows\SysWOW64\Djjeedhp.exe

C:\Windows\system32\Djjeedhp.exe

C:\Windows\SysWOW64\Djlbkcfn.exe

C:\Windows\system32\Djlbkcfn.exe

C:\Windows\SysWOW64\Dfbbpd32.exe

C:\Windows\system32\Dfbbpd32.exe

C:\Windows\SysWOW64\Efeoedjo.exe

C:\Windows\system32\Efeoedjo.exe

C:\Windows\SysWOW64\Ehfhgogp.exe

C:\Windows\system32\Ehfhgogp.exe

C:\Windows\SysWOW64\Egkehllh.exe

C:\Windows\system32\Egkehllh.exe

C:\Windows\SysWOW64\Edofbpja.exe

C:\Windows\system32\Edofbpja.exe

C:\Windows\SysWOW64\Efpbih32.exe

C:\Windows\system32\Efpbih32.exe

C:\Windows\SysWOW64\Fcdbcloi.exe

C:\Windows\system32\Fcdbcloi.exe

C:\Windows\SysWOW64\Fmlglb32.exe

C:\Windows\system32\Fmlglb32.exe

C:\Windows\SysWOW64\Ffeldglk.exe

C:\Windows\system32\Ffeldglk.exe

C:\Windows\SysWOW64\Fladmn32.exe

C:\Windows\system32\Fladmn32.exe

C:\Windows\SysWOW64\Fldabn32.exe

C:\Windows\system32\Fldabn32.exe

C:\Windows\SysWOW64\Fijnabef.exe

C:\Windows\system32\Fijnabef.exe

C:\Windows\SysWOW64\Gbbbjg32.exe

C:\Windows\system32\Gbbbjg32.exe

C:\Windows\SysWOW64\Ghpkbn32.exe

C:\Windows\system32\Ghpkbn32.exe

C:\Windows\SysWOW64\Ghddnnfi.exe

C:\Windows\system32\Ghddnnfi.exe

C:\Windows\SysWOW64\Gieaef32.exe

C:\Windows\system32\Gieaef32.exe

C:\Windows\SysWOW64\Gpoibp32.exe

C:\Windows\system32\Gpoibp32.exe

C:\Windows\SysWOW64\Gmcikd32.exe

C:\Windows\system32\Gmcikd32.exe

C:\Windows\SysWOW64\Heakefnf.exe

C:\Windows\system32\Heakefnf.exe

C:\Windows\SysWOW64\Hpfoboml.exe

C:\Windows\system32\Hpfoboml.exe

C:\Windows\SysWOW64\Hiockd32.exe

C:\Windows\system32\Hiockd32.exe

C:\Windows\SysWOW64\Holldk32.exe

C:\Windows\system32\Holldk32.exe

C:\Windows\SysWOW64\Hmqieh32.exe

C:\Windows\system32\Hmqieh32.exe

C:\Windows\SysWOW64\Iopeoknn.exe

C:\Windows\system32\Iopeoknn.exe

C:\Windows\SysWOW64\Idmnga32.exe

C:\Windows\system32\Idmnga32.exe

C:\Windows\SysWOW64\Jngkdj32.exe

C:\Windows\system32\Jngkdj32.exe

C:\Windows\SysWOW64\Jbedkhie.exe

C:\Windows\system32\Jbedkhie.exe

C:\Windows\SysWOW64\Jgbmco32.exe

C:\Windows\system32\Jgbmco32.exe

C:\Windows\SysWOW64\Kmoekf32.exe

C:\Windows\system32\Kmoekf32.exe

C:\Windows\SysWOW64\Kgdiho32.exe

C:\Windows\system32\Kgdiho32.exe

C:\Windows\SysWOW64\Kmabqf32.exe

C:\Windows\system32\Kmabqf32.exe

C:\Windows\SysWOW64\Kggfnoch.exe

C:\Windows\system32\Kggfnoch.exe

C:\Windows\SysWOW64\Kmdofebo.exe

C:\Windows\system32\Kmdofebo.exe

C:\Windows\SysWOW64\Kobkbaac.exe

C:\Windows\system32\Kobkbaac.exe

C:\Windows\SysWOW64\Kjhopjqi.exe

C:\Windows\system32\Kjhopjqi.exe

C:\Windows\SysWOW64\Kkilgb32.exe

C:\Windows\system32\Kkilgb32.exe

C:\Windows\SysWOW64\Kfopdk32.exe

C:\Windows\system32\Kfopdk32.exe

C:\Windows\SysWOW64\Kmhhae32.exe

C:\Windows\system32\Kmhhae32.exe

C:\Windows\SysWOW64\Knjdimdh.exe

C:\Windows\system32\Knjdimdh.exe

C:\Windows\SysWOW64\Kfaljjdj.exe

C:\Windows\system32\Kfaljjdj.exe

C:\Windows\SysWOW64\Lknebaba.exe

C:\Windows\system32\Lknebaba.exe

C:\Windows\SysWOW64\Lajmkhai.exe

C:\Windows\system32\Lajmkhai.exe

C:\Windows\SysWOW64\Llpaha32.exe

C:\Windows\system32\Llpaha32.exe

C:\Windows\SysWOW64\Lehfafgp.exe

C:\Windows\system32\Lehfafgp.exe

C:\Windows\SysWOW64\Llbnnq32.exe

C:\Windows\system32\Llbnnq32.exe

C:\Windows\SysWOW64\Lflonn32.exe

C:\Windows\system32\Lflonn32.exe

C:\Windows\SysWOW64\Lcppgbjd.exe

C:\Windows\system32\Lcppgbjd.exe

C:\Windows\SysWOW64\Ljjhdm32.exe

C:\Windows\system32\Ljjhdm32.exe

C:\Windows\SysWOW64\Mcbmmbhb.exe

C:\Windows\system32\Mcbmmbhb.exe

C:\Windows\SysWOW64\Mjlejl32.exe

C:\Windows\system32\Mjlejl32.exe

C:\Windows\SysWOW64\Mpimbcnf.exe

C:\Windows\system32\Mpimbcnf.exe

C:\Windows\SysWOW64\Mfceom32.exe

C:\Windows\system32\Mfceom32.exe

C:\Windows\SysWOW64\Monjcp32.exe

C:\Windows\system32\Monjcp32.exe

C:\Windows\SysWOW64\Mehbpjjk.exe

C:\Windows\system32\Mehbpjjk.exe

C:\Windows\SysWOW64\Mlbkmdah.exe

C:\Windows\system32\Mlbkmdah.exe

C:\Windows\SysWOW64\Mblcin32.exe

C:\Windows\system32\Mblcin32.exe

C:\Windows\SysWOW64\Mhikae32.exe

C:\Windows\system32\Mhikae32.exe

C:\Windows\SysWOW64\Mbopon32.exe

C:\Windows\system32\Mbopon32.exe

C:\Windows\SysWOW64\Mlgdhcmb.exe

C:\Windows\system32\Mlgdhcmb.exe

C:\Windows\SysWOW64\Neohqicc.exe

C:\Windows\system32\Neohqicc.exe

C:\Windows\SysWOW64\Nklaipbj.exe

C:\Windows\system32\Nklaipbj.exe

C:\Windows\SysWOW64\Nafiej32.exe

C:\Windows\system32\Nafiej32.exe

C:\Windows\SysWOW64\Nhpabdqd.exe

C:\Windows\system32\Nhpabdqd.exe

C:\Windows\SysWOW64\Nianjl32.exe

C:\Windows\system32\Nianjl32.exe

C:\Windows\SysWOW64\Npkfff32.exe

C:\Windows\system32\Npkfff32.exe

C:\Windows\SysWOW64\Ngencpel.exe

C:\Windows\system32\Ngencpel.exe

C:\Windows\SysWOW64\Ndiomdde.exe

C:\Windows\system32\Ndiomdde.exe

C:\Windows\SysWOW64\Nejkdm32.exe

C:\Windows\system32\Nejkdm32.exe

C:\Windows\SysWOW64\Npppaejj.exe

C:\Windows\system32\Npppaejj.exe

C:\Windows\SysWOW64\Ogjhnp32.exe

C:\Windows\system32\Ogjhnp32.exe

C:\Windows\SysWOW64\Ohkdfhge.exe

C:\Windows\system32\Ohkdfhge.exe

C:\Windows\SysWOW64\Opblgehg.exe

C:\Windows\system32\Opblgehg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 140

Network

N/A

Files


memory/2252-284-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Fladmn32.exe

MD5 be14e70b32c7e577b1808b2081748494
SHA1 033707af17447126198a31cad1e53f3e0b31e4e8
SHA256 aa5117d14d920144f43bae2f5340ddd462499327d122aa0e2c231485626d889c
SHA512 20f95914946d86f211ac42fdd3f295de4b3821c6f5ab9424e0e23694248ac6f265302cafa200e5a3df88453daba90e7af58f98bd4866ac817377cf8ee5b87fa1

C:\Windows\SysWOW64\Fldabn32.exe

MD5 e0560af1dcdfe8b52da4b19636384f05
SHA1 36994fe40306120f0a9d21e3d58af7db6f8b2d57
SHA256 91fb889ee2b3f998a1658e883fc5373d0753b00b837c8eb5dfcbc17bacecd492
SHA512 ef68b68b9d241d475ac46b96bdbadf815f61aa5ab2f8ea09138adddcfaa79c976b1f3d5a1fa79de1c4d0483065def9f760ebdb81fcb95cf03724023a5d756215

memory/2296-294-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2976-295-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2976-304-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2976-305-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Fijnabef.exe

MD5 fa5c231f299888819d1c3c1430b56af1
SHA1 9ac10c5cf2e833347d1fe8bbd7379918e1fd58a4
SHA256 2bbb47c62c9665759f1df86ddcdb54be0230b4aaff803cbaa84e1fea89e6e493
SHA512 a1d6ee7406c3e8ccb5b1a73408fde7e696fdb9c22fb1b36fabd8f0bcd75be67fd19fedc643c6ee85e4943c147d6d9236c5881545ce3b875ae67a37a640f11d24

memory/876-310-0x0000000000400000-0x000000000043E000-memory.dmp

memory/876-312-0x00000000002D0000-0x000000000030E000-memory.dmp

memory/3068-317-0x0000000000400000-0x000000000043E000-memory.dmp

memory/876-316-0x00000000002D0000-0x000000000030E000-memory.dmp

C:\Windows\SysWOW64\Gbbbjg32.exe

MD5 205a1a366f164a1cb0d1f4580ea36fde
SHA1 63cac4f46f0a4abe159e3ce7e4299f5c1d94b169
SHA256 4db816ab1674f7c70eba661b60169b45b979cce21cc9b19134dda24e8060e755
SHA512 7f87e19fc955e34669c0d7498c58e3e4d2259f6c1b9473934bc294dc5a9876a5cadd043b7d82200dc71c29b70b18418987ff7658b9e4db4be6adb59c09b51751

C:\Windows\SysWOW64\Ghpkbn32.exe

MD5 12dfba0ebc2bfcb0dc480e3118588d94
SHA1 78d69256f5072c3f4c70fd38481035a8b13032cd
SHA256 aadd86c66292918308a20b2fccce06ebd55f8ce873da749eb3861a7789935bae
SHA512 b0f6873c3bec63f4b67885a33f389b95ed793ac94521cd087397ed0445b7801a39cabec93be65598fddb8aaced0333de75976aa6282179cb41b8b2c51974dfa3

memory/3068-327-0x0000000000220000-0x000000000025E000-memory.dmp

memory/3068-326-0x0000000000220000-0x000000000025E000-memory.dmp

memory/1568-328-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1568-337-0x00000000002A0000-0x00000000002DE000-memory.dmp

memory/1568-338-0x00000000002A0000-0x00000000002DE000-memory.dmp

memory/2068-349-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2124-350-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2680-355-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2068-348-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Gieaef32.exe

MD5 350f3a5d2ff097f24a553b6d99a3a66d
SHA1 8fb5170e0ab233dd4392287b71efbf282b03feb5
SHA256 2794bd222ac809672178e4f743853d0998c4ff62bc5d5a20587d002a8d5908a1
SHA512 08b0b33f19bbfcda940bdead069858bd90e6b9ef97ef61ee992cdbd81337b4d8f978786e3013630f6fa9cf655f8e52e024f068c4f036c9fc6546eecf4db6e316

memory/2068-343-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2124-360-0x0000000000440000-0x000000000047E000-memory.dmp

C:\Windows\SysWOW64\Gpoibp32.exe

MD5 5e512352d7ae7d1fbcfa0c3e19ca9632
SHA1 aa73f40c168039f731c1ef686a60a89727742b23
SHA256 607b973e15b0fac7f098d241fe14042deacd28238ebe7dd659064b99a530b37f
SHA512 eab668d2f344c9749bfe10cfe068faa83c95f5859392e4cc4aa5682e5402e87489788ef45523e5f95c811f2ef65c63972ef77a5704fc818e2f3dca88e9a164cc

memory/2812-367-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2680-366-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2680-365-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Ghddnnfi.exe

MD5 1fe30eb9e9c28f27a9970806661e010a
SHA1 86b99feb927720a3c1e61b4d60647db08a3cd61b
SHA256 9f6ec63383368bf98cbe76b1122b8f9efbb4443cd654cbc2a55896a5c508e2a3
SHA512 b0e2508329527be4229d2970b02fa567d7807fdd978e386d82583bd14f3860c7399b66281c1302edd8d2a4559aef347f2cd064312baf0669a99937dbd68b65d1

memory/2812-372-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2632-373-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Gmcikd32.exe

MD5 e55939ed922dcf948188b0d92dfde7f2
SHA1 2a6e8213057a7ab4f6bed1fdb6c1e6e3977aae5d
SHA256 a4160d37f972674249d21f2b298bbabea120cb9b675ab9f595fd2770e85df643
SHA512 86dfe9455b95178b1d40aab004d8aadc31d8ef8c4527378d9b6136d6b8845df5fe6aa57c31b4044d358662f74311ef1d509fc58691f563c70d4bc6b392e4811f

memory/2632-374-0x0000000001B70000-0x0000000001BAE000-memory.dmp

memory/2688-379-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2952-384-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Heakefnf.exe

MD5 1d60ae9b16db6ac667ccdff2ace34f5b
SHA1 30d936f648e56649e242667dd7afe88784622324
SHA256 85feb4f71ef4ce8287f2ce18dc486d8c3ec27e26a9b03e87135840b94bf2c3fc
SHA512 bf238e1583306184c3a3e2879a6265db22d7def607b1eef8ef64e68d5e001220c0b19c9ff480b0555b2a998edbd4938ff439924fa93203f07e6fa62933b9e0c5

C:\Windows\SysWOW64\Hpfoboml.exe

MD5 d972c20e7a9d5975cd6fa0c3cb220775
SHA1 0f1d9c0d76b369a07b9a6ff963d38a6d92d55701
SHA256 19da6ca52dd21154873e49754b1195e29349f2d185ad4141d292efb3e52a7ba1
SHA512 b91280dfd98689524f96225db03ecf732575679de834a988eac3e6c1ee4c03c8dfa235ed6f166e141087134d212e0ff6ab0865bdbd8235e3983e2db895aca4c4

memory/1628-395-0x0000000000250000-0x000000000028E000-memory.dmp

memory/2760-398-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2340-408-0x0000000000220000-0x000000000025E000-memory.dmp

memory/1876-419-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2892-422-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2556-421-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1876-420-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Holldk32.exe

MD5 df2dd53523c0a9053dbf2872df414c45
SHA1 17e075f79042bdf0c5c207731568f071f8d08573
SHA256 c6b60be0a482fcf696620648e8e60faae7976d648af1a521868b90eea9082030
SHA512 0153eee2b0e929d3402dba08e00af321a8c31cb1354fc9642485aa75572b0f52f0913681d1991f29125852f456386b35109f20bb166127c6896128add4dab932

C:\Windows\SysWOW64\Hmqieh32.exe

MD5 f56e0bea20a677ec00679207437848df
SHA1 07d35a263110a993fca932610cc9110249e935f8
SHA256 0d803625fded3044261ca1babbdbb740ff4b9eb4ca587f3e645f6f79b83f9403
SHA512 2bb75384fa70325159c44c9e7356091f68e0bc9a2aec9bee3a0fddc79c498c3835b40160e09da1f604a374dc3b8000dcc154f0bba6978bf90107283294f533f8

memory/316-434-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2892-433-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2556-432-0x0000000000440000-0x000000000047E000-memory.dmp

memory/2892-431-0x0000000000230000-0x000000000026E000-memory.dmp

memory/432-445-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2876-444-0x0000000000400000-0x000000000043E000-memory.dmp

memory/576-443-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Iopeoknn.exe

MD5 f2b56ef13efba3ac7ef165ec11793aaf
SHA1 8560dd1b54f1783abeca4ec3dec1249709f45cb6
SHA256 1e70a1a74bc07ce85a7828d504b4bdf7aaec2773ed46bb44108a6bad7b34638b
SHA512 4168c62dda35c0a4d46bde285d94b46cfee3264128eef8fd554e6acd6e112cbfd1f94f001eb241f69734d352d660b2a12aa27c1cbcfb757a0c01948ea3c20b4e

memory/1876-413-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1656-409-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2340-407-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Hiockd32.exe

MD5 cb8b0e9094f825379d25da50ee7c2838
SHA1 7b08c98d00b875d5b6163bc25b8aa08a156079f3
SHA256 f9dd5a202d5dd58f69fe770410c8e49b0d54063a4de901504879a1df85505900
SHA512 8b88f724118f4b8ccc177f01949db253fb211a4e646731256c21f9fb57a72f2428ebfe0f8310220a7dc1d8c5be6f23e179aa7fa5f31913eaf933162271abcecf

memory/2340-397-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1628-396-0x0000000000250000-0x000000000028E000-memory.dmp

memory/1628-390-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2688-389-0x0000000000220000-0x000000000025E000-memory.dmp

C:\Windows\SysWOW64\Idmnga32.exe

MD5 4dfd4189bbab22f22efb9630b253f3c8
SHA1 688ef98fec853b1200e4c985c508f9c43c26f8e8
SHA256 c3be699808ecf7722751c0eb3809abca6c50e626352d3966255a91818ed0228c
SHA512 e379fc32bf7ef8d0d3219d06813d2aea74ac50fe3066649d0af4f7b9d31d50f80c62d1c118e19aa6a8c34e323c0a42ae3c388180d1a6971bae177c2901c0ab42

memory/1316-457-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2876-456-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2876-452-0x0000000000220000-0x000000000025E000-memory.dmp

memory/432-450-0x00000000003A0000-0x00000000003DE000-memory.dmp

C:\Windows\SysWOW64\Jngkdj32.exe

MD5 655845384d67c5e9c47469cbe9e3fd04
SHA1 b753597f3b76ca57e8644a834991f4aad05aa5c3
SHA256 4e30a321f8ec039deba828b28c760afa3ad6aedbdc4cb36cc5dfba4591a9bfba
SHA512 be3db254f596f63bf703cb2f4d3e913a4a31db76d827bb02adbbeec1124c948c338ead06aa62f8463c6e52a59306e4babed3c7ac12f65d2f224ec0565ff4198b

memory/2968-471-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2912-466-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2004-481-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Jbedkhie.exe

MD5 e3bdf2567587dd05278a1a5bf747992b
SHA1 7de4ee4494ad15a2f5800aa4f2fd8b49356405e3
SHA256 01ab4f2a412de89f89958b159a350058f34dd188dbdfbf0d0032f60b73a759a8
SHA512 07792fd270b3d92d77dd6a1fef05b838806c2d9d151b3f3690899664b6ef9180398910c92dae042bbd4513325b4e0624b9b8430dd2703a52ead27831b8f62dec

memory/3016-486-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1080-491-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Jgbmco32.exe

MD5 8c2b0ccd617cd6c685a5945d4112f9a9
SHA1 9cff37f70ca0432684b93e557c35a67ac00f04b9
SHA256 4b23dd2e9a52abc8971c42789da3d2ab0b044ecdb6e8a3d7fa6c38e0a3856682
SHA512 85042858ba5f83a66b70364bc38c6f8f51a741914556a90b61f2ffb5b3988ca0b1e08594a0cf3786bfde55adcc57d690731d9142316c722debb5e608f2927e7d

C:\Windows\SysWOW64\Kmoekf32.exe

MD5 03920b2aeaf9f71d23ebce145b55075a
SHA1 ff9a6dde0b68649a4fad04a1036a7d8fa46ff1b6
SHA256 e5d612089a0381a3dbac2feaa4ddb2fe07d9a6d4309670459adcdc4ab47c6413
SHA512 3b169d283951754fd435c131f08481ee5d955b7eae4ea7df117d2720ec8c248cfd4af589a0d83019a0236ad10fb235158a3378275f78a2c9dcf5fdfcfd85ac05

memory/2184-473-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Kgdiho32.exe

MD5 47e8f595428e3a3361f194ae53f0d916
SHA1 9b91b57399908f3204004e9cceb6ecaf2047debf
SHA256 92cf0021c4b8f734e364c5bda88c987399b2e99561bb35a964dd5e5cbf880868
SHA512 13082072815bc8252124faff3b3ace715615e2503083d0d204e825efda46dc8ea24bc8ba908d61b6cfd0fb38202951deea189f143910123fc06d3b80251cfed9

C:\Windows\SysWOW64\Kmabqf32.exe

MD5 d7246d763660ff6c00e7c6fbdcbbf44e
SHA1 4e459d69a8e5f6e7950fdaf49954d45c954b9909
SHA256 9ec4eff2732184201f4e51bbb5abf8cea0ea45bd1249c6aef68cc2c6d03b1534
SHA512 d7e348139c4cef009f2ed11471040cd2bee8da19fe2c8c8ca15c20e7db0ef0f29f042887f36aceb808fca0b68ddad98ab3e365eb20c89fa2cf09615f44479507

C:\Windows\SysWOW64\Kmdofebo.exe

MD5 0eac8baff657a6a68b25ef5b8f04b3cc
SHA1 7b96b4c4e2d6f6a09ea9a9902d6b824bb85ae79c
SHA256 3bb46054bf615b186e16e2fecbc44bec3bac2517f05755b986e31accd91d8229
SHA512 7dced71b3ccb137c94c629d92c1625916b7b19f4d1125105dc93961774c14d01354ea50ede776bfabd9f782a9d5cf3392d28a7c8a2032a7bb25f6ee5adff2a81

C:\Windows\SysWOW64\Kggfnoch.exe

MD5 3b7be16be024c3d81488bbfd258750a9
SHA1 8d1aa1f38749b3cb3dc53946f3e7a2e2464a456f
SHA256 7efdd7076ab4c32838016f5e94d3d0c46343fa8bbad45821980c246d4a813024
SHA512 7fce069e54bad23cbeed557d549747b09c5614a06549e9d00828e9d4c4a76b102bdb393363664d5ed934ddd7844688a01c72a60c36f52d576d39d282af00c0e5

C:\Windows\SysWOW64\Kobkbaac.exe

MD5 66bd0156b0a74b2eb5bace2a4dd4423d
SHA1 7f56cbefe9ac6df27444994427bf3569ec857c64
SHA256 cba5a69c84abbace5922df7801df871a604717c20ace4b7fdbb789171e2b3946
SHA512 871a7cff05eda4c1fbe928d5c8e6a18458275fc00240ce177f927e9fe3419a5504d6903c3cf0802fc6d0c5f31700acd0136838677c7e15091f141b70126dcd83

C:\Windows\SysWOW64\Kjhopjqi.exe

MD5 d466614558446e634089005b475b7106
SHA1 d02d04cdfd6e57597aec3dbc38136a23704eb36c
SHA256 baed53d3b3c50a59a62e8a355c2e6516ce961fe595c5c429af797fff29808d70
SHA512 029c056751b66822b718785a68eddb94840ca51128704b655f15873e8383064f46d5ed2356e2f003b1029e399b154d30da2ea0af559df696d2fd250681afdea8

C:\Windows\SysWOW64\Kkilgb32.exe

MD5 c3654ccfcdefeba0fabe45d4fd6ba81d
SHA1 3eabd1564a4f6b76df0716d0c4aa7b64f6e9ed76
SHA256 552cb2bd69038c5e2fae46f122a89cf858b3ef3131c3876352b93e9e9a9b8613
SHA512 fc13160cd3738b2d8583d6a85ff62ae63ca14c66fa06d585f4ba6bbb6b43559331d7f3f794a8f2d4e684f33a6804074a559d0ebde8888b8b8de85240525727b2

C:\Windows\SysWOW64\Kfopdk32.exe

MD5 b1cdc25e70508d3eb2335f7c69d651a0
SHA1 634e93568dd41791b55fc9c3051614b613e0c4ae
SHA256 041af9f6c33dfe67771cf6f58f2004f5c4ce7e80bc65054f18a1dd07652cac69
SHA512 c4acd21d5e4b568589b869cba5be5846edcc998faa73d44e697267d76b53c5f1fca61f75ae5aa75e5e9058d298f5f188890bd5a9cc8cdb6b109220785b4e8c37

C:\Windows\SysWOW64\Kmhhae32.exe

MD5 be6fdda74350d1239620dae89cf2ef15
SHA1 ecc9bd27d0aeb0d863c69faf83fc5afb2bfb9d7a
SHA256 98755b6582357d22acc3f4123280b6bf9fb4425aeb55ad8783d0222c274574cb
SHA512 6eadcaee4efb7f9500d1e1bf14cba9e1157accf492ee2eee1f55b5a70051a1bce26fef2289b1a1b04f9ee4bb3f83194a6d64d8c96bd7404d98a5c80a154964b3

C:\Windows\SysWOW64\Knjdimdh.exe

MD5 5c1f62be5f5dd77d022b6a474d76f470
SHA1 35e1debaa8bd2a8204a3da590609c10ed94af904
SHA256 afe788b43051241ffc31ec0320e87a7a93b20e4c66a6d7b3240ba05e8ab4187e
SHA512 9d164cdacdd489768b902863550149f09d35c28846a9c9b87021492e5c8a5f4f3d6c8ce74d6909b8ca7ddb21fa07512e39c610f5b4d18bedc1110c7c25a0751d

C:\Windows\SysWOW64\Kfaljjdj.exe

MD5 7a44438413c28a459f89d15af3edbc2a
SHA1 94dc635cc7df7686d410e9670e3b7f04168e44d8
SHA256 f48007a1770ae5850a02dfda1c39fb0044fec64ffad54ffbe19a0c9e9004a322
SHA512 8f94dec69724c6dcb5a0816b87ccb026a79acfeff2a2a859a05138cfa50899bdef27c8464db83c1eeca8ee5e362be32d789397c11f241e48735b25a6841152ce

C:\Windows\SysWOW64\Lknebaba.exe

MD5 1e4abe50a73c255236cf86f2ff4a6019
SHA1 a0546aa63b7dfa878ffc2fa8dafce818f8bb19d2
SHA256 501625815f78d2ab51f642e229c03b4ad46a0bf556d21b4a9fa25070e65fe197
SHA512 fad72b56440bb172c775412d491f0e8e151e835c138f03758436570e3ff93e81bed579e9bc05cf5cfad8017805483013b2fa6e4211ecf04a90507a5b71c231e1

C:\Windows\SysWOW64\Lajmkhai.exe

MD5 f854822fa7b6ddec5c75892c4c32d4bc
SHA1 06de3243c13c8addc15508e5973238b4937997c9
SHA256 332c95ff200ea1adfaf858d8dbc4727b4d4661030c92817047c71601f6bf6478
SHA512 a1a6e5f4477bf5d952fa2bad465cbcf653de9c740bf9cd23c0c888c411aa64f9bbc4516deaeae651ecded595de24215e929dfd9f9ccf0456c4449c6e388d72f3

C:\Windows\SysWOW64\Llpaha32.exe

MD5 586b7fe0de3e2f9a070e11ffd590e4e1
SHA1 f435ff5635aa626a1c943fb34edc623f2a7a8424
SHA256 08d316fbd9e07ba96dbeb2c4c4f71d3f73e75ed8b727e994200d72e33701ca88
SHA512 a1adb15ad5126a46cd9c1355c7f0671df0ed86f90a18d62d57ba3f054512c05015c7017813dcd2f05d3a971dc568dc8d8b7eb2cf809e357a5c172fc18534abdf

C:\Windows\SysWOW64\Lehfafgp.exe

MD5 fb47c411b022f9fb45aa27f4a54232c7
SHA1 ee56aa319dbd051fb87481ffd1336387274b63f9
SHA256 975e48d52dab2d4e26beb683532f80cd594b35ab7b354f68e80d58525f1b1c73
SHA512 7202336997363910cc9c879f0d8bb38ef54b2d1089a437474a4ceaafa9f97be38717d86716fbe1a43521eba3be77bcacb80378f0009bb5b5bf3aab953fc0f654

C:\Windows\SysWOW64\Llbnnq32.exe

MD5 608e9a3cd05eb7e231e82c39a93b3ac0
SHA1 29c9e611b6fda993d359c45b3e3d1855d7d907aa
SHA256 fd8602980b00c8df66e793870134b3f459ec9add5028fa44b72d07abba48275c
SHA512 34972113296c6a5a3ce64d2192b7bc7abd13115e880e0945d1ceeac6f1a6f69d15b7eb92cd69bdeff0292459f7b06dd9229ecede55f9483f87dee108a0f44610

C:\Windows\SysWOW64\Lflonn32.exe

MD5 649004bed73b511139c8c943a3307090
SHA1 be7a62a29cf8ea876547419c5cb2547e4456c5e5
SHA256 82e0a964ae3ce55ea21bf2fd1b383f1a310f4a121d316a775117205ae007a5e2
SHA512 afd98b0f393214ae124dc9ed6beaaa929392ed177745d514e7a42b976e61a69235e32845df1ffd7a5aec6060ba8add1964f67a7a279fb0b14bc2b4806b79905c

C:\Windows\SysWOW64\Lcppgbjd.exe

MD5 c2a42706fd7b6e1aff6614cfd1cfd0e2
SHA1 e952816f58228a313a50315369f62c83a65804f5
SHA256 74180316bd178f6d9e230955297390eba3b58dffff34871f67ab8d786531825b
SHA512 b25c519c1db1cf071ac3071ec820ee750ff69faf4b4a1408cd003ea7d54575842e186362a1e6bf7ff22d95662fce2472ae5f8a629e4ebab70f73701f9766178e

C:\Windows\SysWOW64\Ljjhdm32.exe

MD5 286145b33317c60098b19a0cfe6a6909
SHA1 dc72fde0a97165f446314f70223f5af920b61efb
SHA256 0e644b560c13e2565007b2692f0d58d55e58f72d8de42d3898b33d6c11285497
SHA512 af94c7a570a85948295e1016d87c8c04017c14c2f7b829c3853525e46a16605eda2de408990f5dc6f0679b49453794d630ea7621468d3727902ff82c6b277b20

C:\Windows\SysWOW64\Mcbmmbhb.exe

MD5 79286cb22811ef4ad3e9497d213b2203
SHA1 db131a68ee316328430097e40395d33c567f0a2e
SHA256 309853589484929dd1cdf2acb63498ceba62a7fb010774e82b9559e70275fe49
SHA512 5e6bbb41285fe1d7dde08daf6bda37e7259608223e81cdcd1bf8f6a38807fdc3605ad43cab9d94f55667e9ebe7e086f91259aedb7ed62b695c96067067c622a4

C:\Windows\SysWOW64\Mjlejl32.exe

MD5 d9a003212a013391c5f7c159032a5181
SHA1 955abc4eab2dec818262c0cdf47d1b1643e92ada
SHA256 e2d2a81d017d12452277dad7674468b50e14a0fd173ab3a71928ae6a054a6930
SHA512 0802068ee27e4e7cd6f035a1ea215013c328a38f9d833806da469db57dd98775078dfb0be14955e70c010a07acccf931dd48a4c416f6dcb3f52f385856e002e6

C:\Windows\SysWOW64\Mpimbcnf.exe

MD5 8bdffca59a5a4ded86d8149446ed64e2
SHA1 d7b16d11fd1a7514d81c11c3efda708d90ae4662
SHA256 f50a6490b1ce9a3e72da8a9616172ed8b3f48a8ae04e334b684a55b98df65e70
SHA512 9e53a484ac38ab3a0d8d531cef542ebc7cef11259015c40d5df48723c1705014d87660918ffc1fe9de0f03fae2c34ce5338810d41ce4a8e5ed429b8f304a3d86

C:\Windows\SysWOW64\Mfceom32.exe

MD5 7e2934be569575c4c86439d1ca55b2b8
SHA1 156405af5101d9760c321b0d6a049c5094113f99
SHA256 243e9e8dfbb385b508ef8afde284b82ae2c6d7408623d2baa554e9d28f92c10d
SHA512 26e4dcfbce2b09b07ff86f20e529e7bb3a630972e118022a758bbf10d298d260089fc587471462c3e10af5f18eeab742489378ef923836cf18e6c52a4a3e1795

C:\Windows\SysWOW64\Monjcp32.exe

MD5 b88dbe00ca465b0d7968db982ac96fb6
SHA1 8dfe2f995aa4375131057219bb6b79ca0fcff4cc
SHA256 dfb493ef262d6ca5bb1b25bfbd2be994489ea57d2c0a0ccec7df71dcca9dd53f
SHA512 25ca62474d830068e0c55f78a57c9cee93f93cc40ec16bf778a551804ae0c1a69d6a8da33fc245eb8533fcb8050fcf08c7a603e7fbe13135976049eae215911e

C:\Windows\SysWOW64\Mehbpjjk.exe

MD5 48c980da0b6322714848070dc09ccba2
SHA1 82fb04d3a3779a23f980bba5420399fdc6da81bf
SHA256 fb9fd3eeb0a7fb0c74759d2dd03a7426f053a86d14b7b920616c8ac2391568ce
SHA512 b9f27565c6c1fec51152fe3fd3cf336a173f0aebfde8a01e32cb0700666bf560433c23585b8186ce964c78e2007909a4d0587d8e02cc47499054e7a45f016ef6

C:\Windows\SysWOW64\Mlbkmdah.exe

MD5 7bee7fc4a1148a46cfe21c2467b00d39
SHA1 1f4d311cbbdd1f0ee0808dd72a25eb1b9703b8ed
SHA256 72f6c6d191b30100566b29e1a0596faa87f1fe405dcbd3fca926f2819bac445a
SHA512 ea24796836cecd26fdee0f4d5e7da069127eb3636893c014daa3929aefdc30d282cc82e22854c3520af3b8214707ea1879696c747be03b97c45b4970752374fd

C:\Windows\SysWOW64\Mblcin32.exe

MD5 728af0987c48724ba2917f17508cb763
SHA1 9cb24e5dd3271fc00f866d0da799170ca6b92ef4
SHA256 09ce0a9bcd47213e731f120cdf0764bedc5a38021c96d93b5890de13c23e2794
SHA512 3e5316626a92afcdacd3f840184b111a9f7f49b5dd437894cb1cefc6b5b7e5952e0f38b0b1f4df2b42678784171cf2902480d8e3c01f52b669bf01bc14da8721

C:\Windows\SysWOW64\Mhikae32.exe

MD5 335c03e3f3d2946df0563ef20e2ae6c1
SHA1 58ee928bbd6819bacac614a51d39c12ad7b06de8
SHA256 b42a1db8e27396fdc4d3afa58d730b01c620deb4201b4c7ac1f95569d3f78faa
SHA512 609ef0d28fc113212fd07a25678283470d599aa122df9454b01fa3312303cbd7b71ed31c2436c97b11da17988e77337e6048ef6bdde5da439e77211dcc0d2385

C:\Windows\SysWOW64\Mbopon32.exe

MD5 be6bf860fa1744be2d0b48f2e7e06c77
SHA1 8792b1624a1d5e5d4da29a42e82c1babdfc9944f
SHA256 eeac6af70fd46fd1b88f526d4ef5b4703b8054d4bfe3e7d215c44514429ae7b0
SHA512 64f0c1ec613a89970685f69ad7a7c4a37dc467354e6abfdaaf661d4953515924740aa5912e0f7189b87e8d95bd2746cd3ae41e898cb020627409f640ec7b14f8

C:\Windows\SysWOW64\Mlgdhcmb.exe

MD5 3a7c7ed3f3cbd65dba4a28292dda712b
SHA1 7f39cc22aa9c0ad9272bc1bb54ac357c1e1d3f51
SHA256 2a4aa4b1fd7b49c91c0d62d142cceb9187e29933fb7fd32790a22e1bbcb5e096
SHA512 3ea18393a28b0fa433229d9a993da7186adae10b8489ef346813f44e01435f9459e52ecbca67742d202d5671b11cb1b1842df9e3ea8a49a90d086901c101b355

C:\Windows\SysWOW64\Neohqicc.exe

MD5 48e0e8a61a4e98e7971fa180794d1f41
SHA1 af953344fc714f70ec434a0a7a6b12035374ef4b
SHA256 380d43e753b926926acda758169799bc6a113407321390ca7c8b53e0e65ec902
SHA512 1c9216454b5d579ffc2f706c496f20054ec647b5a3577db725bedc61aac40342b3a12d75514c461497c153f3307611366c04beff32ae53849c515604709cbbaf

C:\Windows\SysWOW64\Nklaipbj.exe

MD5 5cb85880c69be0f2a77833b9bf7c83fa
SHA1 6a95c73fefc1b04e79345a71d0c506d604539832
SHA256 6c0b4306fc96df9754d8aa67052023cd299ef55d8c1179a15f45a046b4fbc293
SHA512 4ae34b14be3b0d941d48ab7e5c6c9735853f9fb3092c353f0763a9e1ec77729729afadd81e8eeb4b5ec79db9f538a30a6943d964b43dde485962ecccce9b1fd1

C:\Windows\SysWOW64\Nafiej32.exe

MD5 e1b90568227a8ac474927f376696afdd
SHA1 23dbe51186654282ab25e7b4146257a7602033bb
SHA256 4e97f83b3a9a7a1697d2beca484c0bcd4f6bd90dd1f8c87f235cd00acaa52a1c
SHA512 cd95c985bedae7fc9c2dc1b17daa9d562f86f21b6fedf97285271aba0606d09e8f7d75dcd9f65390a2f23b369070a79a7cf26395aeedf01ca062e0872edaa524

C:\Windows\SysWOW64\Nhpabdqd.exe

MD5 816a9776898e2687fa56703ad5a77bcd
SHA1 cba4af6f444d8003694bd961fd2de83d84499cff
SHA256 6cfe8369546627e1c20ed1b5a015642f71914501600de6a175f5756bec527940
SHA512 879ef1992a552149351972bed8b4ff773ac10884c34476a9a49231faaf73c5af557d6da0efeee9dd017aa097b772319cbf209298d602c56037432b8c65e30836

C:\Windows\SysWOW64\Nianjl32.exe

MD5 9c3da1d7a09f8f34362b842488859d7d
SHA1 4ab68cb3832f9b187484ade20892973825ccc4ee
SHA256 724112c16cc53b50b3165ccf739bd07a62cdb89e587be814f9d6d85f15fbc0e4
SHA512 1ba1dd40a88d7a268bd7e7c7ef33095ca73433778f728d24a8fff90311277ed4557c5051b2f3f852a5036342c82f7a44bc2f147f3df9adb56d99ec055379c0b4

C:\Windows\SysWOW64\Npkfff32.exe

MD5 1bfe725146351310ecaf3fd0d4fdf161
SHA1 98d577071ff7b11acb5be8325ac022e248671ea2
SHA256 7d6f2c7c85ed595bb433bf93fb9259ba61ca84b55bad38dfcdd32bf647180b1d
SHA512 6a60c69aed69b5a77fdaf54e61d96c75f39c647bf697182bd772e585b0b8bebf3af9633390fed24268ba037c0d9b287db7292783de02b2ee30d8f587b4231cde

C:\Windows\SysWOW64\Ngencpel.exe

MD5 670b7566fc6ed4fdf28d52f8f9739261
SHA1 d06fd490ec3ab3511da4c9862ea7157d85fef5b3
SHA256 efd6cd6bd2820decf26c3c98ce650f5f3b02c457004123d47e4b3baf47ae491b
SHA512 573f7b86ccff9b05701e148e3b71651277bcd9b2652ffbbd6b16b3a7a83f1cf61a79285e531b1a813f596997d27151f2014fe71fa3b6bcbe227b25f7ea381926

C:\Windows\SysWOW64\Ndiomdde.exe

MD5 202fd9beea3ffc1f4d3eac25bd1526fb
SHA1 2eb1be768efb1f96f5b35080c9137170e5d04e5a
SHA256 2969738ddd2b5238ec95190d20d565ce82205696718ad533f9e44d4e1de298f1
SHA512 2586f70c5ee5a5d4d4265b820c2d9a27ffa6d51a0f314d0408868a29fb07267d48184caae5a6d4fa8b6048b2ebc8b8eeeb8fa1db5646d20087ab575351c3a29e

C:\Windows\SysWOW64\Nejkdm32.exe

MD5 c822a3908e133e531889ee7303e17376
SHA1 adc9a40d02c5b5098041e8b49b150e1cd14b36f6
SHA256 2309fb1aadc69792eb0bceb4842d22070f07b3a2736a71e7479dd8fedf7625c0
SHA512 b4964d8bd16d0cad2f36e23e9307604953a61ac20e8b3bc23bac8365e6c5fb24347bed042099581884bc0e838b4023215351893fe37f31f997c58ec368cfc7fd

C:\Windows\SysWOW64\Npppaejj.exe

MD5 cc20fbb447d862e35b914652c2e98969
SHA1 8da0d399f41ca0c235355240f2082f4693a3dee8
SHA256 197c007b5551544d81525550d89ae7b52fa0534054fcff4171228f25a384c405
SHA512 370a8c11d9c7d21ef632b7aa80bbd1ed01d238bda287c9df24121dd01c93216dec6457d32a1d2316e1edc42b6c5b8ca81030e092c64c7c3d8826ea5e78f1661d

C:\Windows\SysWOW64\Ogjhnp32.exe

MD5 79e7471c9090f278aef18fccfee534d4
SHA1 6f30a71248d35335b29d6eee1770a47290508a07
SHA256 4159d437b9301930caa73a2d2fd66306ed93ccfa78b813f8189dc0c5990f64e1
SHA512 06276f5f4c5662ece0ba81e5a782f98be566630a4a48087b98a0ee80a25b25fcbcb5a7c35cc7718ef8e4066cbc4ac4bc6b789141768f2e3c48c4f4a771f415bb

C:\Windows\SysWOW64\Ohkdfhge.exe

MD5 eecc364621bbb4e92a4c796811d647b2
SHA1 18416e0b4a2a25c3adccb9359bda26e5e58dc062
SHA256 6a9c0d13587fcf8af15dbf8eea7d3a5440c116a4abeced84b7d89cbf928529da
SHA512 63bd59458e61c6dd81a228579fcd3d9f7511d841b974bb71feedff7363f8c5047527bb6e04ce816c7e2db16593c5f5dd07df2306da2af2a490526ca022ffd46a

C:\Windows\SysWOW64\Opblgehg.exe

MD5 b475ea6a0a7346362276c1adf9a237d8
SHA1 9d33a0d227e266c7b040e2c2ffba902a1d302604
SHA256 f3a07e5865ea791be17cf6a7b6546e0aa1cb009ea737fa1762fa5716e6789792
SHA512 c5c09cf13b96c7811bd2e36da49f880faca2fb4cd1b98da2122546b285a3269a03d9897731526814ce8e3aea9953c20ea24fc739a231b8ccafbb69f331564e8e

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 14:33

Reported

2024-09-16 14:35

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emjgim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hedafk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgkmgk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aokkahlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahenokjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfigpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bepmoh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efjbcakl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klfaapbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmpdhboj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alkijdci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgjijmin.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Albpkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emhkdmlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljqhkckn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfoiaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjjpnlbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmhand32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target

Drops file in System32 directory

Description Indicator Process Target

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njjdho32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Oohgdhfn.exe
PID 4164 wrote to memory of 1708 N/A C:\Windows\SysWOW64\Oohgdhfn.exe C:\Windows\SysWOW64\Oeaoab32.exe
PID 1708 wrote to memory of 264 N/A C:\Windows\SysWOW64\Oeaoab32.exe C:\Windows\SysWOW64\Ohpkmn32.exe
PID 264 wrote to memory of 2736 N/A C:\Windows\SysWOW64\Ohpkmn32.exe C:\Windows\SysWOW64\Pcepkfld.exe
PID 2736 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Pcepkfld.exe C:\Windows\SysWOW64\Piphgq32.exe
PID 4964 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Piphgq32.exe C:\Windows\SysWOW64\Pkadoiip.exe
PID 3036 wrote to memory of 720 N/A C:\Windows\SysWOW64\Pkadoiip.exe C:\Windows\SysWOW64\Pchlpfjb.exe
PID 720 wrote to memory of 964 N/A C:\Windows\SysWOW64\Pchlpfjb.exe C:\Windows\SysWOW64\Pefhlaie.exe
PID 964 wrote to memory of 4620 N/A C:\Windows\SysWOW64\Pefhlaie.exe C:\Windows\SysWOW64\Plpqil32.exe
PID 4620 wrote to memory of 4224 N/A C:\Windows\SysWOW64\Plpqil32.exe C:\Windows\SysWOW64\Pcjiff32.exe
PID 4224 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Pcjiff32.exe C:\Windows\SysWOW64\Pidabppl.exe
PID 1712 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Pidabppl.exe C:\Windows\SysWOW64\Plbmokop.exe
PID 4984 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Plbmokop.exe C:\Windows\SysWOW64\Pcmeke32.exe
PID 4808 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Pcmeke32.exe C:\Windows\SysWOW64\Pifnhpmi.exe
PID 4472 wrote to memory of 456 N/A C:\Windows\SysWOW64\Pifnhpmi.exe C:\Windows\SysWOW64\Pabblb32.exe
PID 456 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Pabblb32.exe C:\Windows\SysWOW64\Qlggjk32.exe
PID 1680 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Qlggjk32.exe C:\Windows\SysWOW64\Qcaofebg.exe
PID 2220 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Qcaofebg.exe C:\Windows\SysWOW64\Qhngolpo.exe
PID 1148 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Qhngolpo.exe C:\Windows\SysWOW64\Qkmdkgob.exe
PID 2480 wrote to memory of 452 N/A C:\Windows\SysWOW64\Qkmdkgob.exe C:\Windows\SysWOW64\Qebhhp32.exe
PID 452 wrote to memory of 4008 N/A C:\Windows\SysWOW64\Qebhhp32.exe C:\Windows\SysWOW64\Allpejfe.exe
PID 4008 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Allpejfe.exe C:\Windows\SysWOW64\Acfhad32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"


C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fligqhga.exe

C:\Windows\system32\Fligqhga.exe

C:\Windows\SysWOW64\Fbbpmb32.exe

C:\Windows\system32\Fbbpmb32.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fimhjl32.exe

C:\Windows\system32\Fimhjl32.exe

C:\Windows\SysWOW64\Fbelcblk.exe

C:\Windows\system32\Fbelcblk.exe

C:\Windows\SysWOW64\Fechomko.exe

C:\Windows\system32\Fechomko.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Fpimlfke.exe

C:\Windows\system32\Fpimlfke.exe

C:\Windows\SysWOW64\Fnlmhc32.exe

C:\Windows\system32\Fnlmhc32.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Fiaael32.exe

C:\Windows\system32\Fiaael32.exe

C:\Windows\SysWOW64\Flpmagqi.exe

C:\Windows\system32\Flpmagqi.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Gidnkkpc.exe

C:\Windows\system32\Gidnkkpc.exe

C:\Windows\SysWOW64\Glbjggof.exe

C:\Windows\system32\Glbjggof.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gfhndpol.exe

C:\Windows\system32\Gfhndpol.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gldglf32.exe

C:\Windows\system32\Gldglf32.exe

C:\Windows\SysWOW64\Gbnoiqdq.exe

C:\Windows\system32\Gbnoiqdq.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Glgcbf32.exe

C:\Windows\system32\Glgcbf32.exe

C:\Windows\SysWOW64\Gnepna32.exe

C:\Windows\system32\Gnepna32.exe

C:\Windows\SysWOW64\Gflhoo32.exe

C:\Windows\system32\Gflhoo32.exe

C:\Windows\SysWOW64\Gikdkj32.exe

C:\Windows\system32\Gikdkj32.exe

C:\Windows\SysWOW64\Glipgf32.exe

C:\Windows\system32\Glipgf32.exe

C:\Windows\SysWOW64\Goglcahb.exe

C:\Windows\system32\Goglcahb.exe

C:\Windows\SysWOW64\Gfodeohd.exe

C:\Windows\system32\Gfodeohd.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Gbeejp32.exe

C:\Windows\system32\Gbeejp32.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hmkigh32.exe

C:\Windows\system32\Hmkigh32.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hlpfhe32.exe

C:\Windows\system32\Hlpfhe32.exe

C:\Windows\SysWOW64\Hoobdp32.exe

C:\Windows\system32\Hoobdp32.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hffken32.exe

C:\Windows\system32\Hffken32.exe

C:\Windows\SysWOW64\Hlbcnd32.exe

C:\Windows\system32\Hlbcnd32.exe

C:\Windows\SysWOW64\Hekgfj32.exe

C:\Windows\system32\Hekgfj32.exe

C:\Windows\SysWOW64\Hmbphg32.exe

C:\Windows\system32\Hmbphg32.exe

C:\Windows\SysWOW64\Hoclopne.exe

C:\Windows\system32\Hoclopne.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Hpchib32.exe

C:\Windows\system32\Hpchib32.exe

C:\Windows\SysWOW64\Ifmqfm32.exe

C:\Windows\system32\Ifmqfm32.exe

C:\Windows\SysWOW64\Iepaaico.exe

C:\Windows\system32\Iepaaico.exe

C:\Windows\SysWOW64\Iliinc32.exe

C:\Windows\system32\Iliinc32.exe

C:\Windows\SysWOW64\Iohejo32.exe

C:\Windows\system32\Iohejo32.exe

C:\Windows\SysWOW64\Ifomll32.exe

C:\Windows\system32\Ifomll32.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Ipgbdbqb.exe

C:\Windows\system32\Ipgbdbqb.exe

C:\Windows\SysWOW64\Ibfnqmpf.exe

C:\Windows\system32\Ibfnqmpf.exe

C:\Windows\SysWOW64\Imkbnf32.exe

C:\Windows\system32\Imkbnf32.exe

C:\Windows\SysWOW64\Iomoenej.exe

C:\Windows\system32\Iomoenej.exe

C:\Windows\SysWOW64\Ibhkfm32.exe

C:\Windows\system32\Ibhkfm32.exe

C:\Windows\SysWOW64\Iibccgep.exe

C:\Windows\system32\Iibccgep.exe

C:\Windows\SysWOW64\Ickglm32.exe

C:\Windows\system32\Ickglm32.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\system32\Ilcldb32.exe

C:\Windows\SysWOW64\Jcmdaljn.exe

C:\Windows\system32\Jcmdaljn.exe

C:\Windows\SysWOW64\Jghpbk32.exe

C:\Windows\system32\Jghpbk32.exe

C:\Windows\SysWOW64\Jiglnf32.exe

C:\Windows\system32\Jiglnf32.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jlgepanl.exe

C:\Windows\system32\Jlgepanl.exe

C:\Windows\SysWOW64\Jcanll32.exe

C:\Windows\system32\Jcanll32.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Jcdjbk32.exe

C:\Windows\system32\Jcdjbk32.exe

C:\Windows\SysWOW64\Jebfng32.exe

C:\Windows\system32\Jebfng32.exe

C:\Windows\SysWOW64\Jllokajf.exe

C:\Windows\system32\Jllokajf.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Jedccfqg.exe

C:\Windows\system32\Jedccfqg.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Kcidmkpq.exe

C:\Windows\system32\Kcidmkpq.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Knnhjcog.exe

C:\Windows\system32\Knnhjcog.exe

C:\Windows\SysWOW64\Koodbl32.exe

C:\Windows\system32\Koodbl32.exe

C:\Windows\SysWOW64\Keimof32.exe

C:\Windows\system32\Keimof32.exe

C:\Windows\SysWOW64\Kpoalo32.exe

C:\Windows\system32\Kpoalo32.exe

C:\Windows\SysWOW64\Kflide32.exe

C:\Windows\system32\Kflide32.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kfnfjehl.exe

C:\Windows\system32\Kfnfjehl.exe

C:\Windows\SysWOW64\Klhnfo32.exe

C:\Windows\system32\Klhnfo32.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lgpoihnl.exe

C:\Windows\system32\Lgpoihnl.exe

C:\Windows\SysWOW64\Ljnlecmp.exe

C:\Windows\system32\Ljnlecmp.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\system32\Llodgnja.exe

C:\Windows\SysWOW64\Lomqcjie.exe

C:\Windows\system32\Lomqcjie.exe

C:\Windows\SysWOW64\Lgdidgjg.exe

C:\Windows\system32\Lgdidgjg.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lmaamn32.exe

C:\Windows\system32\Lmaamn32.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lckiihok.exe

C:\Windows\system32\Lckiihok.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Lqojclne.exe

C:\Windows\system32\Lqojclne.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Lflbkcll.exe

C:\Windows\system32\Lflbkcll.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mmhgmmbf.exe

C:\Windows\system32\Mmhgmmbf.exe

C:\Windows\SysWOW64\Mcbpjg32.exe

C:\Windows\system32\Mcbpjg32.exe

C:\Windows\SysWOW64\Mfqlfb32.exe

C:\Windows\system32\Mfqlfb32.exe

C:\Windows\SysWOW64\Mnhdgpii.exe

C:\Windows\system32\Mnhdgpii.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mfeeabda.exe

C:\Windows\system32\Mfeeabda.exe

C:\Windows\SysWOW64\Mmpmnl32.exe

C:\Windows\system32\Mmpmnl32.exe

C:\Windows\SysWOW64\Monjjgkb.exe

C:\Windows\system32\Monjjgkb.exe

C:\Windows\SysWOW64\Mcifkf32.exe

C:\Windows\system32\Mcifkf32.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nqmfdj32.exe

C:\Windows\system32\Nqmfdj32.exe

C:\Windows\SysWOW64\Nclbpf32.exe

C:\Windows\system32\Nclbpf32.exe

C:\Windows\SysWOW64\Nfjola32.exe

C:\Windows\system32\Nfjola32.exe

C:\Windows\SysWOW64\Nnafno32.exe

C:\Windows\system32\Nnafno32.exe

C:\Windows\SysWOW64\Nqpcjj32.exe

C:\Windows\system32\Nqpcjj32.exe

C:\Windows\SysWOW64\Ncnofeof.exe

C:\Windows\system32\Ncnofeof.exe

C:\Windows\SysWOW64\Nflkbanj.exe

C:\Windows\system32\Nflkbanj.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nmfcok32.exe

C:\Windows\system32\Nmfcok32.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Njjdho32.exe

C:\Windows\system32\Njjdho32.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nagiji32.exe

C:\Windows\system32\Nagiji32.exe

C:\Windows\SysWOW64\Nceefd32.exe

C:\Windows\system32\Nceefd32.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Onmfimga.exe

C:\Windows\system32\Onmfimga.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Oanokhdb.exe

C:\Windows\system32\Oanokhdb.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Oghghb32.exe

C:\Windows\system32\Oghghb32.exe

C:\Windows\SysWOW64\Omdppiif.exe

C:\Windows\system32\Omdppiif.exe

C:\Windows\SysWOW64\Opclldhj.exe

C:\Windows\system32\Opclldhj.exe

C:\Windows\SysWOW64\Ogjdmbil.exe

C:\Windows\system32\Ogjdmbil.exe

C:\Windows\SysWOW64\Ondljl32.exe

C:\Windows\system32\Ondljl32.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Ocaebc32.exe

C:\Windows\system32\Ocaebc32.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pnfiplog.exe

C:\Windows\system32\Pnfiplog.exe

C:\Windows\SysWOW64\Ppgegd32.exe

C:\Windows\system32\Ppgegd32.exe

C:\Windows\SysWOW64\Pccahbmn.exe

C:\Windows\system32\Pccahbmn.exe

C:\Windows\SysWOW64\Pjmjdm32.exe

C:\Windows\system32\Pjmjdm32.exe

C:\Windows\SysWOW64\Pmlfqh32.exe

C:\Windows\system32\Pmlfqh32.exe

C:\Windows\SysWOW64\Pdenmbkk.exe

C:\Windows\system32\Pdenmbkk.exe

C:\Windows\SysWOW64\Pfdjinjo.exe

C:\Windows\system32\Pfdjinjo.exe

C:\Windows\SysWOW64\Pnkbkk32.exe

C:\Windows\system32\Pnkbkk32.exe

C:\Windows\SysWOW64\Paiogf32.exe

C:\Windows\system32\Paiogf32.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Pdjgha32.exe

C:\Windows\system32\Pdjgha32.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qhjmdp32.exe

C:\Windows\system32\Qhjmdp32.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Qacameaj.exe

C:\Windows\system32\Qacameaj.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aphnnafb.exe

C:\Windows\system32\Aphnnafb.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Amlogfel.exe

C:\Windows\system32\Amlogfel.exe

C:\Windows\SysWOW64\Adfgdpmi.exe

C:\Windows\system32\Adfgdpmi.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Aokkahlo.exe

C:\Windows\system32\Aokkahlo.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Aonhghjl.exe

C:\Windows\system32\Aonhghjl.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Aopemh32.exe

C:\Windows\system32\Aopemh32.exe

C:\Windows\SysWOW64\Aaoaic32.exe

C:\Windows\system32\Aaoaic32.exe

C:\Windows\SysWOW64\Bhhiemoj.exe

C:\Windows\system32\Bhhiemoj.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bpdnjple.exe

C:\Windows\system32\Bpdnjple.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bhblllfo.exe

C:\Windows\system32\Bhblllfo.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Cggimh32.exe

C:\Windows\system32\Cggimh32.exe

C:\Windows\SysWOW64\Conanfli.exe

C:\Windows\system32\Conanfli.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Coqncejg.exe

C:\Windows\system32\Coqncejg.exe

C:\Windows\SysWOW64\Cpbjkn32.exe

C:\Windows\system32\Cpbjkn32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Cocjiehd.exe

C:\Windows\system32\Cocjiehd.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Cgnomg32.exe

C:\Windows\system32\Cgnomg32.exe

C:\Windows\SysWOW64\Coegoe32.exe

C:\Windows\system32\Coegoe32.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dafppp32.exe

C:\Windows\system32\Dafppp32.exe

C:\Windows\SysWOW64\Dkndie32.exe

C:\Windows\system32\Dkndie32.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\system32\Dhbebj32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 13804 -ip 13804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13804 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

SHA256 e0c4d4ec75a90e25ff9c404c3c3e083148887d6a57dd4c71ea0e571a24316858
SHA512 b1a3c9a25a8588abc7b2dd959b10eaa53d3cfbae3d0d91b60f1edec081724578f52268a658317996de2c5f6002a208aac8fd2bc60adb8c87c9030b88e2e5b713

memory/4452-317-0x0000000000400000-0x000000000043E000-memory.dmp

memory/320-325-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5056-329-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Bblnindg.exe

MD5 67ff37d2ba91aef14a6a6e33a941a6a1
SHA1 fbed3c5a8ceb9521fed0dea09e96802edaefe438
SHA256 f034a6862f4a1f15ab4db00e7fe91d6ba0286f77bd66253702ab8604a9c09f1e
SHA512 ca1732ea94ac0f8ff04c76ba92e79b663b853bb24582ceede63dafce1b336e38174ea19149411ef0326bfd6dddbae32f2f9b3a83eaa6096b44c0f0bd03afc68f

memory/4836-335-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3388-341-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4012-347-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1900-353-0x0000000000400000-0x000000000043E000-memory.dmp

memory/768-359-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Cmcolgbj.exe

MD5 f27528e8338920a164ff9e7bf90a19a1
SHA1 708be4d0047b2eea0bf4821351d0f4a4d92c31e0
SHA256 bef1b57b151438eb164072776444bbbecd0f35b3bb4a52798d70cd0981b266de
SHA512 41186536d627bab0f8e1eb404975dfbea4a4f74b5378b4a9153250213fb9ad5ede7b245aed32640c85ca5819c08692d177434f2d2c8f963fa917c2f8bf21601d

memory/628-365-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1752-371-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Cfldelik.exe

MD5 cebf40dacaa5e54dd6930924496f87dd
SHA1 f320e10c78257b0fe9ab3feaf6d7f38ebf39d211
SHA256 d0e01d2ed2763c0788cd69aaca25c28c9dd4d43954865e7369853f7e009ebcb9
SHA512 85b3c20e6a82991b259e269d46ff673e8d870193407142e4101b6f898692ea34b7bcc58cab164a659c77522253e10e28c69d70f81677c0ef5d05aa05960aa9c0

memory/4784-381-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3300-383-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2164-389-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1704-395-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2692-405-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3224-407-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2380-417-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1928-423-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2804-425-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4064-431-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4716-437-0x0000000000400000-0x000000000043E000-memory.dmp

memory/532-447-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4672-449-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1144-455-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4584-461-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dfgcakon.exe

MD5 9b57bbd4d6168cda80821cecf442e422
SHA1 8c2a47975e90b1a0b798f8d8453cc3d750fd7569
SHA256 5bb215dcc64e407490a2fbc2826a129d4b1c0cc324bb4f102a0f479b8168c119
SHA512 b9e66fea6abe47765b8e6d4732e6dc1367af71aa5562c076c98eeda9f4d713bce7cd3d0e3558f782920b96dd1ca5fed732cf152d468cc93fb7117830334062e7

memory/548-467-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4828-473-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1584-479-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3476-485-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5060-491-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dfoiaj32.exe

MD5 3db015eb2a57ecacb3bceb8d23fb74d6
SHA1 9773180d27986ce5a1516d036dd391f2457f7299
SHA256 bc0f03983aea0dc9ea84ae43af05a536dc24b776b0a2f6a3c3380cbd47ea645a
SHA512 afa714660c65eaa1280db02bbeda32e019505761b6fd707359d77ca555994022a90d8f0152836c84b4ef1092838abe0932bdac4c9f143a73706e1fe4e5132e35

memory/212-497-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3568-503-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2976-513-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2900-515-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Elnoopdj.exe

MD5 fe3569105dcd6a6241eec71cb686ba9b
SHA1 39c432082afba08133e656cfe21d5a792c183bc9
SHA256 c5c948053a055467876691ed7fcb28531131d69d01e0934266f4a964dc4351c5
SHA512 1983895781f87c01e62435302cc7c385612b3241715ba809c5ab76c15e7efa75ca5acfd03bfd004348fcb6b5d24944e9e2213326e9d896462ed2994ae159b1c1

memory/3948-521-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4876-527-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3756-533-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2496-539-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1280-540-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5092-546-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1904-553-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4164-552-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2400-560-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1708-559-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Eciplm32.exe

MD5 2d530ef99028bb588c25294f24a46a10
SHA1 57f2a1cf186e45f3d8a490ab3cacd8318b89d054
SHA256 7dd49d1168737466017b3c92f388494f7dca60a76be571d84c3e7f46dec4086d
SHA512 8218cdf50956838f29826c068b42e52cd3d8d358ba384502a0df3a57b3d72226a24cb6c656df4379ff717506be215bf2d8be1143921a4ec93699a6cadba87f12

memory/264-566-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5100-567-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2736-573-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1008-574-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4964-580-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1876-581-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3036-587-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3428-588-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ejfeng32.exe

MD5 74898fe26147465793b1b4263316dd33
SHA1 ad81a9caa92a7c7ac2942b0ffe0f988950f2f3a3
SHA256 66bc3d780be379d7c8660eff818dc2c5df69c2fcd297474a94b9a63913be0cb9
SHA512 cbf7d718d9f99c1b5a1460211b455c2db3f0406dc75e92b1361ebed5f3beef22675cc4bdb3aa399d8e594a96e4052da08eaf5f7f58d364d947b98504c83ab987

memory/720-594-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ffobhg32.exe

MD5 4fc9067ea55e94a92b6c17e31e8fb5b6
SHA1 d2644831280027c22ef69dab32419aba72b9dd4e
SHA256 8c213d25ae9cf331134f153d85c5f9713481ff98360af59e3f4984d5ca524a7e
SHA512 0ff0963bb3777de0859ad0812ae260a2317239ac41029418045a896d47a14feff4461f275dc4bc95a5f8fa8b4f4a6b6c28ca84668a71eeb4132f453bae29ba0d

C:\Windows\SysWOW64\Ffaong32.exe

MD5 e65a28e836677157400a82dd80da08ec
SHA1 060f173cfe889d99b6f7c5c21a3bd01f42373a1c
SHA256 5669d865f8c9ae5856e6b94f56d934e012b834dd432baed8b7f7ef20fa5c2091
SHA512 9cd2785aed210150a2b711c983d2b3a36aca27ded5bd9495b6d3ca7ca1c920e89c72a2b1eaab4657fd4dcc35193f5446f321a1f84330d1c20e02a645850ce95a

C:\Windows\SysWOW64\Fpjcgm32.exe

MD5 8a75e6e8ed78c222cdd92676cd485524
SHA1 0b7ba2bf603d1a4536f536cc501e117e38c659d0
SHA256 368d4ba2ba7bfa254b88b61e81707cb7f8243e64793f7b3a32317a3c7a2f43f0
SHA512 8d747aca0dc277c95d93b220355bcd51d31d44626c8e32b85e0222a653e4bb82e4b6282a89c0d5cc4919f0422678a023c3885764d3235c8d22123d0f72b5c700

C:\Windows\SysWOW64\Fjohde32.exe

MD5 e6c368e7aa6c23badfa32272085e53f0
SHA1 84915f71932c2e8196a09f867617242088fb5282
SHA256 faa8bb5f776659525516bad251600441fd37b832fd5e9b89d886db0ce5f1c6a3
SHA512 105064a4be9d8032110f4bbc5bc2aed2e0513ba11b9930eece8b7e63a22858f1a1f8419907b60171dc92a3abbf51fbf4a1a2aa92517957a945215f13c3acc77b

C:\Windows\SysWOW64\Fffhifdk.exe

MD5 9496450b3716e3d6fbdc96eaf3bb9580
SHA1 6a5670abd9a2641b9e6fb278619920fedbd80c43
SHA256 a8cd0ab6bd140ddcc81c44f4f4f18a62cdc5b41742ff2c6e82eba01a5a45c6ea
SHA512 0e276857f92c013de88c524a797b95d13f6a0d5674d5d3d90a347ad004ce139d4d5eac0ac0f0639a7f069a5f86db68dd26035dd10c56e012c71aa5ab4d6bf782

C:\Windows\SysWOW64\Glcaambb.exe

MD5 73c8d20baa914e0c7a121bfbb04ef77d
SHA1 b7763b4b589ab8bf74d1e8d1d8b4baf0c28b5127
SHA256 38ee1135bfaf11fe7334a4924f0d9f9ae15dc1ec61dcfe554f572c9e7130017f
SHA512 ef7fbf125c5be2c93ec4a443113965470f877a2bf4132292b05c5939a7c6e7ddfcfd835a775878fa3515d81f16d1fe0d1186b59382ed96590a884729381d998d

C:\Windows\SysWOW64\Gmbmkpie.exe

MD5 4d49570f54116e74ace3b3e4436f6716
SHA1 d3692bfd54989a853626de2c923aeb685871351d
SHA256 f29897379964513682bd13a31d636ce1283044da060b68c0a451bc9c4c996ce6
SHA512 32c945138c4b246032b6ba54e71e15affaa0dd931990826bf238842666bde6d3878f1fcbe4961d660c855fb1c5f532d66a3b9da4fe0038247174f7df984dd172

C:\Windows\SysWOW64\Gljgbllj.exe

MD5 df0ddbca3e795b50335ebabb6d0f7d6e
SHA1 b461f96303b2588c56608573dce8f851072153c8
SHA256 cf7819020e72320fd3ca0fad98c1a9f49eda1b75fc6617b815a99619a3a1b8f3
SHA512 5bedcbd42bd5f60e0da1e3e831e8d067a8917f40095b177864cbaff398770e7f351ca2db1024f465d72cb920582ee80bafec60a743b5c756e31c27d7eca9895e

C:\Windows\SysWOW64\Gbdoof32.exe

MD5 bbc6cfa296fa6773c6508f53f9064607
SHA1 1ec246adc87097367b71da079bbb1764140881fe
SHA256 7fc003c55ffcd04670016cc36b7adf63971f28bc32a915201b057929d250f18d
SHA512 4e69f5cfd73ddaab070d44e96fe7ee173051f546c5ee5921ebe2ed8d8777b94566c8838d01bc8db8b84f8122bfb20a99fcb54cd0570a59799fac2d35bc18d240

C:\Windows\SysWOW64\Gipdap32.exe

MD5 5fa6ef3755009bd7d31064d8e05e1175
SHA1 15a60a558de6586a1ab961fd19a7bbd8e0da59eb
SHA256 da423d0d959f0f57f3ec8c4eea8f8d3bcef2dd72c59ab26bec0c0ac658477366
SHA512 866069ff8cb815c81027236f934d3cb7f33eeb9bb6eb0343447e3ac71ee588dbc62f1c155296063c6ac6626cb70a49f6cdff3e003a12c06dba5260a8063b3da8

C:\Windows\SysWOW64\Hibafp32.exe

MD5 3ddb3f76a6e43414ba94d86268f08776
SHA1 8e07d37399b9f403615a30024ce8f870f877863c
SHA256 15390db1a23c8d3f0be03965cb2d01b08a1e7cad49cc47ed63f76726900415f3
SHA512 01f9b412e2b3d8295bd23312e6db4230554345ab2a9f719203bd93e4e48dc9e2ec3368757036124fc8f109492287584d1ed5260318b9e9c5bb3bca40a7ec40ab

C:\Windows\SysWOW64\Hckeoeno.exe

MD5 bf54f778eae66770b128fd708fffd1dd
SHA1 7fdfd844047a52d17092ff0476635360b8dbdd92
SHA256 99cd786e6343c9c68e03518baf8b63f67a9f9c9b2f1de0f8cc6262cd0bdfea3b
SHA512 b3a6e000497760c2ba46dd90674b33635b25289d199ef444739a8216279d9424159242767005409e5df2cd40a5582a4f44f5648aad30af1ad6d8f2ad435fa514

C:\Windows\SysWOW64\Hdokdg32.exe

MD5 660fb26f93d52c4988250bd870bf7b27
SHA1 1ea2cf10579bfc96cac87ef037ffca2f9c69b74b
SHA256 6b4f6c01fe52dba6fda5b0e9bf5f10cc49d729fa3e5cc787749116c725077235
SHA512 720378d03163530f20f43982e457a53aa41ac2ee2b17280bda5cfe68a9b519b8d1127db8cd0b007ea0802af4ad6b4526a5398559bc8bd061d5e56bf9e23ddb2b

C:\Windows\SysWOW64\Igpdfb32.exe

MD5 0b0f447bcd2a6a5eda7577b3c2ea5638
SHA1 72cd931bf36964565c4a9475d9d95e4e3a042c4f
SHA256 068d5f031f55e62f7a4e66228811ffd6dcad03c7eb04c94bfaf18b0cc0b43174
SHA512 b5642b1fb30fa98be23d48260a302ddc1ba71e8c44a6af6166bcc0c84d41fc903b2a70ae6d2e41b81e6272615752a5f993ca912392c91c8269d3ed8f3034944b

C:\Windows\SysWOW64\Jjoiil32.exe

MD5 c4cb1d01bfb15e65f3ce52e15c8f0f6c
SHA1 5e66fa1ba7938e9e3209ec7fcc48ce1c9a564199
SHA256 d31b7bca887e6aebe5922a591e0493c311475c423394e77e57f895d6ae250bec
SHA512 dabfd8db2da4382375539d8ebc15cc851e3163cd91428e8cac639d3c7e30cddc4677a7510509dfd3946131b703a5e97922b9b144eeea0bca95b90e9aac0c5708

C:\Windows\SysWOW64\Jcgnbaeo.exe

MD5 01d3e6eba81a1a267dbced781385739c
SHA1 7c7d077334dc055d45bcca39e69945f0ed052044
SHA256 37385e4f6fa1b0381e794acb3f7baf9efeba1cacc795580e6cd0894305972192
SHA512 b67e44e69bf7dc19c205c9d2b478b6d1a65e1df0bfa1e379af199323e245d174ef9fab01a8aaec371f3eb5d3c4be853860a2ebe49c47178793cd2052ae02d423

C:\Windows\SysWOW64\Kkeldnpi.exe

MD5 21a2be803b031cdcf16eea3d9db7eef4
SHA1 7ad7aa99e44369373ab27d260da4f378cb37d34e
SHA256 1736a2ba312dca9a9418091d52e11ff78cd5c71065c09b3d3582b0762bc2899f
SHA512 2d9c9a044831ed7f702875be1627bcb11259ba77e0ba7452c01ee84485ebf2c5ca05bca0718f5ca9c7d13acbf6b85245ad94ae011bdd283a03a6590734cfe5b7

C:\Windows\SysWOW64\Kdpmbc32.exe

MD5 dfb7c9b1e40720b3cf6009e9e2e7464c
SHA1 22c84287ed41ba6945aedcd12a278cd87ba55ddc
SHA256 1d93a816f55a6c122f20eb9c5908ffec0788e0f9607314f9ad02eebe94c1cef4
SHA512 5bad3567e9512d817ab1be34474296ce9d16281dc23cbdd95fd7632cccf3caff7f0577fca5d18b1cd2ad45bc933fe4c6711e0a3fc25f86c4fbad728182704a4f

C:\Windows\SysWOW64\Lknojl32.exe

MD5 09a04a13242ac5024d1aa758344e4aa0
SHA1 8b7d48a39a4cc1c7db6470f754eb77ce36a87dda
SHA256 373de389e8be9b0560c3fe04c523e175b54e558b96600f16ef989e37d4e8d153
SHA512 f9be47dd69bd2c2afdbb386ca4255ab543292828fcb89cedd3b67c25cfa2f35638170fe9ec08831f8e7d6923124f0986e2c8019dc8f5e0183cd7ca261f614b56

C:\Windows\SysWOW64\Ldipha32.exe

MD5 e0450c809f453438b9bb066e9c0b5a24
SHA1 3f0317c12568e300a7aaefa1db6d82cec888154a
SHA256 56f3002ff244181d764d5f768d640811ce19d7f0b1a4899a5d4d39ef93f0fd3d
SHA512 8c477b78239dd8a4ab9af8df95342aa6573fce8ec77366611cbf291c621d17cef1ae327edbe174c40c95436e6492cdd3c7fa78eb7081d1f2a1524867eb1839da

C:\Windows\SysWOW64\Lndagg32.exe

MD5 23c23fdfc6463a801e5691d808806cd3
SHA1 37f12906c512a2a351d02708845ffea2d45f804c
SHA256 b8916d38446f25af153079a308aabaf8851144f815566cac108404a6cc410cd1
SHA512 38f0232c883c516c70e4e54672cf23675ed60ca48f9c22315c77ecccd0f23bc80c5d93c9f5f2c65b5173c8cf1cbc98efc74e3c7236e6bcfc0a4c2f3f17bf9aef

C:\Windows\SysWOW64\Mjkblhfo.exe

MD5 8e3959fb7f12e415fe8e91263c3966f6
SHA1 41b7d1240711ef79765d1f1d07d4181bbec4a878
SHA256 43e2179af0b6f5c74573841329bef73a3dd45d50b2008dcd0d9088b2c8321a7c
SHA512 de5bad1635392a67d04aca24bd078dcc5344a72487801b50affb2104470755f59026deb5798ed6771e9353193ffafd5fbcd80b4701c4cee94965ef18bb7192cf

C:\Windows\SysWOW64\Maggnali.exe

MD5 37b02288b78f5c1c78a381fc2af529a3
SHA1 239eeb3ccab4a5ab627052f0b4846b57daf35374
SHA256 3ba3e2b0c94422205a16329a690dfc6682a1cc9884a9cfc8c5cee37f33929c4c
SHA512 9a259f950323416c798afec082c87bf88fba7bde51f19c896bf7f3223a56533b3581e6d04cb055d8908e6f85a80662e326a262f9fcebb1907901675981b2aac0

C:\Windows\SysWOW64\Mgclpkac.exe

MD5 9bc7e53407dada82dd943a2b4e2e158e
SHA1 f49a54707f419452e9193309165e27adae92c154
SHA256 ce770743c1b7b712122df15df9011ee143d386745e8a257140634ebb5271c1be
SHA512 a9455da778b32112cb6ff0513651cfc237124ba8f3bbf56033242f3da08b726599f86eb847333aa4ba55a2585aafbbe2a41b526340b670f27752e7e111ddfa92

C:\Windows\SysWOW64\Megljppl.exe

MD5 f87f767a9d584d3e89645e6b7d26040e
SHA1 723e8a4151bd6c021776edfc00ffd4b42c2d675a
SHA256 28e727c8673267585d7958cbc80c3531c87f1405bc2317250d43bdbd511cd30a
SHA512 efdbe30a7bc6bf7dfaa5d9c8a34dd734b735062c054d52e5d845f6ab81c63d380645f76aed5db07800dad9a1a148ed37a6e1fb123180e72974eaee133e9898b5

C:\Windows\SysWOW64\Mnpabe32.exe

MD5 b9584efa87dab842a32658f46e3e2e9a
SHA1 5fb1b4c71547cc528e121d02bd1cff2f03f4097a
SHA256 c73407f993da0b7a833053e7ec5f998703716df9c40071148d37fac20cbbcd80
SHA512 2a730e374affbe2c22975bcdd8392a5ccc390183424dc6c0297a0df4209e71ac2a4f171de2c87707b00b5670a644d85e4915b026915165e5505577c4cce6449a

C:\Windows\SysWOW64\Nghekkmn.exe

MD5 cd931c3548da07ef91a43cb4aaa5c2f7
SHA1 53a85fbd550adf41233b1bc1cc58ba99c1eaef7f
SHA256 a19cfe183503b0708e2fa3af4a1299d58c79958384c470e3237775b894271102
SHA512 95248d50f10d692aebd38a5647bdf20b5d734db93e0e589c340afaf325f31675e207fed53c138696fae8d6df2280dc93892399fdcfe853094b710e750c98099e

C:\Windows\SysWOW64\Njpdnedf.exe

MD5 0a2bce404279ffa1b5bc19c9872d3104
SHA1 c4aa52f761862b311599d7a502d3dbcaa062e881
SHA256 bd000828edf80cd8d1b5273961a3fabb352f427a3b73f9210ba9f628d4258211
SHA512 d106a068b31e2b96e04c4d51d6fcdfa40bc7a9b7d4a5738f8f7d7d9ec58f14046271cc3d944902b2abb5ca897d4a3c3501d49b11e8bc60e0ce27686e49f5bb1a

C:\Windows\SysWOW64\Oeehkn32.exe

MD5 f0529090c1edbb0ad1602276fef59481
SHA1 3c40dabc4d00b383e66ae99dc8f963bc013cfb2e
SHA256 5cb15ec57ab2f795ae84b696f596a959e1cca39d1775d21f7c374d4ea10c3c06
SHA512 6be35e530cb3c4217a7e69689d71ecbc002c9cb5bf3fecd98f9317ce376427bb8ac4369208d97eb4d7bcfa0ac32f8babdf0b2f6d71d94f8e96e8ce2795d6f99f

C:\Windows\SysWOW64\Oejbfmpg.exe

MD5 53fc9783cd221341f5b727dde6e6a066
SHA1 6a3785ac79920b91f74e8577cc516e535b1f1365
SHA256 5241dfed1b450434032b773b716531e077263e40c9f715a2c59d691d2f032b59
SHA512 03dd62781de1d8a0b975d9e16b27f3bdc415af6fb9e07093760865d5f6a6a8706c923330cb670369c6030d21bb85ee202d05155eb69dcf7b30e4fe7e705a0190

C:\Windows\SysWOW64\Oaqbkn32.exe

MD5 ccf55a32dd46a6cddda6d201533fb49f
SHA1 b445451608e9a06e2b613a87576805de8901cc4e
SHA256 1e884681204d13c347043bc7f40d4c294805328dc029f928defb194ac26fdba7
SHA512 65e739efecaba42bd0b3c8104376a89dd7630f72c09123c525b9e55d842f037213ec6dc9f25ddabb2b54458f9632c6d70d1465326ee38dd9e981d31f48710f4e

C:\Windows\SysWOW64\Ojigdcll.exe

MD5 4ddd51fb08ec724239824b20d01dbfad
SHA1 aebde41189274410e7b28fdedc5a2b4ee5b7c1c2
SHA256 7a3d8e88f5ce8d0f11521aee337eb30b6ee55a38319ad95ebd7b066508c767ee
SHA512 b14f88997a2bdae12d7ab9fdc902d027d0799853683bad3316cac5f94df08a1e73caebec3b557e666efe01704648fd928263259b256e85f6da697fe229f2c69f

C:\Windows\SysWOW64\Pknqoc32.exe

MD5 26c4920d0db639085b6af448b1819e24
SHA1 a53bbd98e9a4ad65ac3e710ec8c98b15a0176105
SHA256 68df87bbc60ee0059a163df0cbec5b19a398bbfba093d4b33b58a8cd85aa0842
SHA512 e0124981f19df97e6a720800a1594189881d4d04d4b678e37f1e8915df6fab4075b75d558b76288c1a1ca64be21cec9b37607bc41959a34a76f2166ff3ef1199

C:\Windows\SysWOW64\Plmmif32.exe

MD5 94683565117c17ab930e588f62f1b661
SHA1 e1def9f03aafdb5762f833bfc52ee6f2e3c50762
SHA256 9a4fed8f110bcfe7c9ae47c70f43a03a9c1a91d070091915e2086b56d4a04d95
SHA512 f041aa1ee52ece775d46628f5c8262a4ddf5ad61ef251fe2f4db691c0b11f512574f6dfc6736f87fd52685d415fa3ac209d0566a439f4ef2d6826353a7694f6b

C:\Windows\SysWOW64\Ponfka32.exe

MD5 f7346a3b60c3ff4565cfdc509f728d10
SHA1 0b17a3ad87f8bb090151dae98e61a972bd9fc19d
SHA256 82b5907dd2d730edb973655282b80faaea2ea4cde754831b852bcfc8c32c6483
SHA512 be8c4e58370f16d319a11a9ed0defabf5ed17a398831e11a4b045cae76a45d283604ce6589865d96dc297c07db90221b8f4141ea66bae26ba7ea735e1102a82b

C:\Windows\SysWOW64\Pldcjeia.exe

MD5 4a48914a869c5775e610479d7371d042
SHA1 626c73a8004cf6eb5ba073b0ba2877a48a931756
SHA256 937d58750f15d06e48762527d0b1ffd78a914a5b6439b6e8d2c01ee8b26f4690
SHA512 83acc33e2404b7cd3d779eba47525aa726515ac0a50d0b6d53bb9f0e2d9fe920634167bcb2ea46a2404470d47b93e90d6a4d90bec5fabfac3e5db5c0c4e04e65

C:\Windows\SysWOW64\Qlimed32.exe

MD5 a9a5e0b23a4a221b93335b7410947e39
SHA1 d9051f33d808f12292c0316f37543bae2358093d
SHA256 99b3951477ea51fa2636885ef855be1f28332f84dd7e0a82d319dec1233774bc
SHA512 1ab2cc96c0c3a3053b7c36a913493a6999795cfa952602699ce4d5b4ef2a136d56793ac9cdb5801d337a3667f425330a0549300d63d06d25ede8791ca1de056c

C:\Windows\SysWOW64\Alkijdci.exe

MD5 00bcb434851765d2dd87a4f712fb8ac7
SHA1 1168e544b33f7a6f442f648ab48cf61f4c5a27fb
SHA256 ab393e9dab56a1149b74b9503ba8afbf8efbaf574ad8c3b9d9c6b200c0450de8
SHA512 d92aec4b7aa812579377ad491a748c022febf275b13e4d4b1094a33648304249e46c23c0af7c402e729c8f7aeb6fe836da48721c3c079e278ffcbc5107135d71

C:\Windows\SysWOW64\Akccap32.exe

MD5 d8642485cc14f6139dd1800e0f484663
SHA1 1994a3e8d536040a9c617f9a6b5ff97be76f48c6
SHA256 218c8fc2c4cf73269a1ba77bfd33bed673fd563437147570d5f18519df39a1d9
SHA512 ec6a06d0b7cbcf13d5173b975c554e38537e5fdab5c0c8192d0b7a6debc3d8b00f273bc2dabedaf6fa30e81648657f737fe36dc13e9cee8ee8f195fcb3c3df43

C:\Windows\SysWOW64\Bochmn32.exe

MD5 528d02c177696c5737f98c3d22e4b41b
SHA1 9c2fc71693bf1632656da6565714cb8d706ea070
SHA256 639dae688cd25178e8763e49dfaefd989c18e7c22d5b321d7651c9b0735d4746
SHA512 e0317f746638be4055fc9597d79e942c7a14473926f19e61ef2361fdaece053d88ed865b2736ca872e3ba91626ff57f93f3a725412e99043b57563b383053b46

C:\Windows\SysWOW64\Bohbhmfm.exe

MD5 9d866c497b074a1f061af7164f81ad59
SHA1 3acacc916897ad6adbdb1194878e5fb5803a5270
SHA256 8aded1515e79fe721f61ccd7048cc59b677a33e1a319e2b973b4ce0728b60b06
SHA512 6a5d9598a9c74807f2d7f8613f208cc4ff20c396be4b430ee8972cdc1c6ab88997cce02d085b30f323ee81e86e6105c326f1b5e8db89d9231598619fbab08b10

C:\Windows\SysWOW64\Bllbaa32.exe

MD5 67a96d0c039d611a65e1816fd9aa7c2f
SHA1 1596fe9d641b6219a357e582927ffbb7626d24e3
SHA256 2a729348bdefbc0d7f4757802aa2623aca1786ebb3aefa7fe255c164f6c8bbed
SHA512 6ecc492b0394d6538c2a39962766a0f528347f201c7f668edc4dbc3e4965a8c12d529ef5f04b3c341d79a0798bb0260f5519ee859178b16f4f91a24a7820bcb8

C:\Windows\SysWOW64\Camddhoi.exe

MD5 8f2ff3b5d672f1b12878ba7cb1993a6a
SHA1 66adb3e5dd67bad336be5f73e21ca8d341950c3f
SHA256 b368412924a0bbb6ab299fdc7ed3130629a14170617a52aa65d4489740229068
SHA512 1783e2f541a967ef0c33b13ac72a2f6b5dcd5b043badc85c4665ed67a0993e1f96c55baa81ad6608d1f610702610d014f9fb804d744551095b5891895e240b1b

C:\Windows\SysWOW64\Coadnlnb.exe

MD5 2b6edd4f7f09e200eef50d71e03744c7
SHA1 d805e9391b115165abedab76b55d2694330e215e
SHA256 84d192d561b1887836f809124b93dfc88bae4cd03b44ebf5aa094d5aec96caf1
SHA512 498cbb7dcf6862ad40567623cb568818c70ef10b070988868caf5e9dfee3bb704320eccf6fb62cef7edfa9b197d361dfc1c34e1fdaad4d149976fc50b22d3c7d

C:\Windows\SysWOW64\Chqogq32.exe

MD5 f21695ecd2e99feda3f1d6f0a6f37045
SHA1 b15f4d6544e1ce7c8436dcc43e3acfdf21ef08cc
SHA256 0112f97f5af98d5af956d0b6954b248efaa23342d5ac2fb98b7daa23dc0dda50
SHA512 ba388ec3910700625f5d313191a0a6ee65b8a1d7a36eb0b6b855db76946d3d0c7858e2cf73298e1aea13798b49e85964e60577ff9b6ac8dfd1ea2932834f39eb

C:\Windows\SysWOW64\Ddjmba32.exe

MD5 38f7e1a96b9600e8664225b5d2b0cbcf
SHA1 77e5b67d3dad0c8d8803dc11c8a4bf6f195abc76
SHA256 98127df854f77a3979058853177cb693c3a45abfd64ea7f285b2d9fa55dfa5d2
SHA512 f829f7f5a00e96a3478f279fb6f29e770c6c38f7f9da451da5e35072da0fb35df32b724c0621f3cef9409ad84ac96fa4006b84b4bd968876e9da72edd10a43c2

C:\Windows\SysWOW64\Dbnmke32.exe

MD5 31c848f37efaebfdd9c08e5d575eeaf6
SHA1 95a639d9a1be78fbb9b47d809e1d441970d61411
SHA256 fb454aae3d8cc0c8b9da3999ffddf30d2259caf8bd8d4eada5b98c42aa155210
SHA512 cee6dc9ba374bece07c53f2d91d1681b3c49e45cccf2f5c5a20a396f477799e99b3f2e1fb2187f71ecb8ac7fb6be87467ce9922c816ec2cda2761b0d8608fffd

C:\Windows\SysWOW64\Dflfac32.exe

MD5 b5d74466901f9a8a239a314cc60e389c
SHA1 19cdf017887162dcc783d5a0d843473356291f1b
SHA256 7a68dec603d063639ed99cea5f776462abf4d1c2e11cd9dbe3285eabf47ca76d
SHA512 44b4274d04e96bbcd496d0797534c319097f9ad18b27a69dcc1208718f2c527855021254b8ce95348246411f4d652a660ba0020f9f54d07595ec4ddf9e0cb577

C:\Windows\SysWOW64\Dkhnjk32.exe

MD5 dc467a1fe9254201b303212dfe9da449
SHA1 e30f2f3760f0dc88f8ef9fc0e2d17639f3a523ac
SHA256 b44ff5ce9ca3c5aa88420c1f5464b9a177e78bae5212a555dfd1fbe03a83642b
SHA512 8aef69eb3218e58af2e9db8b21037936f17c2788461773e04387da40f2bb0b7761dd829072e9870b47dcbb92e253e60badf968b7ac3ce1f8bb2c0ecc3b328371

C:\Windows\SysWOW64\Eecphp32.exe

MD5 34b46c908467125c8ea1d2d364d24e16
SHA1 63876f9337bbe5011362d26ff74b56b841981171
SHA256 a05bc54d813c215efcef2857ea969a866b93740d5e01553b8cff8c6d9430dc5c
SHA512 45dc04ca47d1cdee4b2119c033546d53bb76a8c929fe7b75c31304244e5f48f18457d70a91e3c6973c69e67c3c5150a189ccbe37095d856cf443402747352d29

C:\Windows\SysWOW64\Emmdom32.exe

MD5 b6111f86d1f44f479b65d6666ac313ff
SHA1 ca965578c9156aea140d038802d6c037db9ffc2a
SHA256 764e2787adf5562ac7ee15c26ef7da39f4b9ff260a6c0ff8af98252179ce65f0
SHA512 c25fadaa7980a3e87d6ee735bd050bb8804246ddf6d48167a7d85da566e72b3d511053ad0e202bca48691448dbcf996567f92470b780e1b1bb7eeb8abdfe86b9

C:\Windows\SysWOW64\Eblimcdf.exe

MD5 f248f9c3a1a9647f2c98ebe3c681ec42
SHA1 c761d28ad8b6595b1a6ede5388c1d8e74df37365
SHA256 e292c8bea029bc7e0cc87e876bd2ca07e2081dd094915c4fb614cc02fb144795
SHA512 24820c0d8cd8bcb1d2902bbed652a6ea9e6876eb1915dc71f5649ba07c97437a20fbec3f08863f330d4e9dd0419ce9d23dd6d9b9686464277fdf79f06c1445d8

C:\Windows\SysWOW64\Enbjad32.exe

MD5 6cdb2da74ffc52fdd2c3d778bf3ae06a
SHA1 c0d71bd94dfde626889e2ba816c0103701180af8
SHA256 63432b826bc5fb1eb13f0b359fd8cb73d6c5729dff44bc3e6c5dac2ab934c297
SHA512 2b30de5d7e1aff5b35c248d6474eaad5ef8940582a7d9fbdae28ef8150310a082e00b78754851276534acc56ec2bc1054a2f60e3759a664db56cb5e8989ea031

C:\Windows\SysWOW64\Efjbcakl.exe

MD5 1abc6c2ebb1f38bcdd9513582e0cdad4
SHA1 1110d4d6595c2d32dd900ee9e57754d25356b4bd
SHA256 0471677efacd66516759af54e9e6799ce29d7c6741b2da47e32549e7d2336e47
SHA512 374bcbc7814411f1181cb7f13c667e663b57021e9de2ca44fc74b4fce115bcc954631473af63fb827d6d158f6a5caf791e9f8e23627e60c3dcb2108f1921d724

C:\Windows\SysWOW64\Fbbpmb32.exe

MD5 215109e03646925a37e7fb29d0c0c02c
SHA1 876a94d42112328cdb0da615aca0cb4635c1a844
SHA256 401467b0403f20c34c0bcdbebe6be4da5b56458852877ffc8d2ac5dd8b5d6c86
SHA512 5f640a3d319c8f731b07e1af1221ed5d0728beba39c59ab50fa05074d207c0374ed7f961333983b556ed83269413699776efd3b664d0199d022bce6be2d6d0b5

C:\Windows\SysWOW64\Fbelcblk.exe

MD5 6579442a14000697cd5143b1d118737c
SHA1 a8fb19b228adf4cac22f292c5c602d1d1ff94ef0
SHA256 087bccdd2df8c968e30aee1e71fe6fe8d9e8bf0a02452933f290b97e4ee5def7
SHA512 3aee09e82ef21d2b7fcc6a4f156b6f68d93c0b81a47b949422fb35bca8fea901df05e1db4f6d04c1e21591baf130bdd39bb698750be7779ac2150ed3b5c83fc6

C:\Windows\SysWOW64\Fpimlfke.exe

MD5 69d9f600f901fbe4e5fe6d57e518d10a
SHA1 77465b8f3c758f52f984f245068f4ccbbfd03833
SHA256 908729656df64785501dbaaa4e0477f2a75ac9a43d22cfd2399302177d9bb603
SHA512 23597e45c2f34b68e314ae3515cd3c4abbb2fb0bb0b444b9319e6e9cfc69465197754359823aeed97d4c09cd6e760a53f452ec44570b252c0797438a217e0b11

C:\Windows\SysWOW64\Gfeaopqo.exe

MD5 c831301e433224400fe8f2084c35a663
SHA1 aec381559320ac7df3235463f4bf9fd9115dd85a
SHA256 fd9b34c131d9dd0902eac1a439ea5b24e2657f1f8cfa5271d0c158772d2aaa86
SHA512 52521a1a028c029d1f9c935f56c939f8121247ad17caba02fe65a8c3cef57d5ca6cc0aad83ee325c6b4fd1a9bced59d5715172f2bf525b36f2b1ff5fb7e50707

C:\Windows\SysWOW64\Glbjggof.exe

MD5 d2aa2f5ff031051fb5dff30020eb1df5
SHA1 94915a8e775327d6d86ebad5a0e11d07b26ed2a0
SHA256 ca27a1f14899121919d66e015510099bf3bafe605fbd50603a2b698cc8d0a826
SHA512 f4504833be8ea9db556a0b33f3d108060b6994f5c12d2e88bec1969a9ae2a3a56ae39ef90aa5899a59b5c761df00fec1e35256a1ab1bb72cfffe1003811b580f

C:\Windows\SysWOW64\Gfhndpol.exe

MD5 41917b98e792180b8ca1127d71c633ed
SHA1 d671bb78d926e82f70ce95beb83d01526321000d
SHA256 2c3986d4a7e70a1023119941e206527b7c1680d54744022e5486346e8f67f721
SHA512 caf10feea4a348377dfa17835340cb5c5e9395dff45250d5ab448830576aad3ea329c8bb7aad568a70952724db4d052498655c6a84a51f53adae768f8411def1

C:\Windows\SysWOW64\Gbnoiqdq.exe

MD5 e1ab0831edafe59bfc162d67c5e2b263
SHA1 c2e7fbff56c3ba29b863f2cdf07a48469d45f05f
SHA256 53b83f7ffa7b40c0a6506d559fe74058d13abab2f91b121b96e535867f4b2a43
SHA512 7e9d9536297157b850b89620877b62125b9ef226b1a09984e6ce7b0416046f5f445d1241625599fd429f602ee97e35aae71b77df1ecb7e7c4b3552cb3379c51e

C:\Windows\SysWOW64\Gflhoo32.exe

MD5 603464633eb20e778b073317ce44d9dd
SHA1 fe7c7b64d81c0b4fbb2a82105454f393148e37d1
SHA256 d075c23bd8daf5c749a57f02551fe3bb4e1c53e42c9a4e3ca174345c67c68140
SHA512 1fb650f251f8dbfce1c4fc090c1e7c2b16298e97b13edd54553f718cccb77a80855c249f31eb59206c0b08dfcf196721e8f1809078a764691f6c5cdcd38f4dc2

C:\Windows\SysWOW64\Glipgf32.exe

MD5 e43f5fd30da95901fb7f0f624488e07a
SHA1 83b202e143da2de6bca61c24392112c14e8fe868
SHA256 39d75857a9c5d87a9b6ebcf0d1da2890e95a8ecca8252b781d259c4aad44a40c
SHA512 12dc9c5de6883bc9a9cf38f4017eea82fcd46250ae7174dc93d1db24bd7e5c8aabad9f611122aa2cbb8715bf2df854158038337e2e345bc2f122b53ecbcd76b1

C:\Windows\SysWOW64\Gbeejp32.exe

MD5 8adde322832655b5b76a7ef5e1559584
SHA1 0f285e167d9f5b4d40e73e272bfff1975461d1a7
SHA256 cb463873f0341271f5716601a1e2dcd469639d9cbce15e44accec3b9bfe2357a
SHA512 74190f17d0d42fb24ed8d3f3a95a68cc9ce937857310e45e6ef69173f6212567dc9d272c6c53389529d1120dd55d19177fabf1cebb5869684f01f364d3c71e9a

C:\Windows\SysWOW64\Hlbcnd32.exe

MD5 e0f13e25ad493094addfbaa1a8342b8d
SHA1 c393dcda05d4ba1b5fdcd7cea57eaeb487abfe4e
SHA256 40e36039f5decb581c9821ea5696098075beaccbbc116fa6ddd8daecc5bfd668
SHA512 890ab2c8e8fa597eb0e6bf4f35220dc64288cad763dd778b82be3ae2fd3674ed8f8e8ced21a6d42ef716be98af8c6ce7b1005b42389ffeead37649332894bdd5

C:\Windows\SysWOW64\Hpchib32.exe

MD5 dc2de0c588f0cbe5a78016e37052782b
SHA1 c3378f6105c6735a240e5f9fe42f9d5bf5e6d4ae
SHA256 7cd082d2317a6410830fc97caf6a4b1368a536f6312fb66473b9c2102293862c
SHA512 4db2fa0c7c07ea8732377700b17cc60d7a5f87bee08c721799c89a4e33f640adb5312449de4a86de396f43b7f794804eb31b3fd69dbf3eae987fd840e254285f

C:\Windows\SysWOW64\Imkbnf32.exe

MD5 e680474e15685377f04af20cb5325405
SHA1 09472c5c00477026261bfe5ad04c2f9e248aa03e
SHA256 70284178c5866fe22d578b023645a534743d290a67dc93e572f8407f08b535ab