Malware Analysis Report

2025-03-15 09:01

Sample ID 240916-tkzgpswhjh
Target Trojan.Win32.Cerber.pz-485713e5274cb1115e7d39a9383c657ff4a35ade034c994d140466abf860e83cN
SHA256 485713e5274cb1115e7d39a9383c657ff4a35ade034c994d140466abf860e83c
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

485713e5274cb1115e7d39a9383c657ff4a35ade034c994d140466abf860e83c

Threat Level: Known bad

The file Trojan.Win32.Cerber.pz-485713e5274cb1115e7d39a9383c657ff4a35ade034c994d140466abf860e83cN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 16:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 16:07

Reported

2024-09-16 16:09

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onpjghhn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Biojif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkbalifo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oghopm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pckoam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qijdocfj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laegiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oebimf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfikmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npccpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpceidcn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akmjfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acmhepko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mffimglk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqemdbaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjpnbg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qngmgjeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aganeoip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blkioa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Moanaiie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjbjhgde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgmdjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qkkmqnck.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abbeflpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogkkfmml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Linphc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npojdpef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcfefmnk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abphal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Becnhgmg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oalfhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnkbam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeenochi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npagjpcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmagdbci.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhhpeafc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apoooa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohendqhd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhajdblk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okanklik.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlhkpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Achojp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laegiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Moidahcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qqeicede.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anlfbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beejng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Niikceid.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhohda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mofglh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqjfoa32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Linphc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laegiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfdaigg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljmlbfhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmlhnagm.exe N/A
N/A N/A C:\Windows\SysWOW64\Llohjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Legmbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlaeonld.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmapm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mieeibkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlcbenjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Moanaiie.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhjbjopf.exe N/A
N/A N/A C:\Windows\SysWOW64\Modkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mabgcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdacop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhkpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mofglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmihhelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdcpdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Moidahcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Magqncba.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkpegi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmnace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nplmop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkbalifo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcnda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npojdpef.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngibaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nigome32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npagjpcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nodgel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenobfak.exe N/A
N/A N/A C:\Windows\SysWOW64\Niikceid.exe N/A
N/A N/A C:\Windows\SysWOW64\Npccpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nofdklgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nadpgggp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nilhhdga.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhohda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkmdpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oohqqlei.exe N/A
N/A N/A C:\Windows\SysWOW64\Oagmmgdm.exe N/A
N/A N/A C:\Windows\SysWOW64\Oebimf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odeiibdq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ollajp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okoafmkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocfigjlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Olonpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okanklik.exe N/A
N/A N/A C:\Windows\SysWOW64\Oomjlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onpjghhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oalfhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oegbheiq.exe N/A
N/A N/A C:\Windows\SysWOW64\Odjbdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohendqhd.exe N/A
N/A N/A C:\Windows\SysWOW64\Oghopm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okdkal32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe N/A
N/A N/A C:\Windows\SysWOW64\Linphc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Linphc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laegiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laegiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfdaigg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfdaigg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljmlbfhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljmlbfhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmlhnagm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmlhnagm.exe N/A
N/A N/A C:\Windows\SysWOW64\Llohjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llohjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Legmbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Legmbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlaeonld.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlaeonld.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmapm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmapm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mieeibkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mieeibkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlcbenjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlcbenjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Moanaiie.exe N/A
N/A N/A C:\Windows\SysWOW64\Moanaiie.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhjbjopf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhjbjopf.exe N/A
N/A N/A C:\Windows\SysWOW64\Modkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Modkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mabgcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mabgcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdacop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdacop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhkpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhkpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mofglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mofglh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmihhelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmihhelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdcpdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdcpdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Moidahcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Moidahcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Magqncba.exe N/A
N/A N/A C:\Windows\SysWOW64\Magqncba.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkpegi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkpegi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmnace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmnace32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nplmop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nplmop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkbalifo.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkbalifo.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mhjbjopf.exe C:\Windows\SysWOW64\Mapjmehi.exe N/A
File created C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pqemdbaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mdacop32.exe N/A
File created C:\Windows\SysWOW64\Ekebnbmn.dll C:\Windows\SysWOW64\Mlhkpm32.exe N/A
File created C:\Windows\SysWOW64\Bhhpeafc.exe C:\Windows\SysWOW64\Bejdiffp.exe N/A
File created C:\Windows\SysWOW64\Bdkgocpm.exe C:\Windows\SysWOW64\Behgcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Legmbd32.exe C:\Windows\SysWOW64\Llohjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oomjlk32.exe C:\Windows\SysWOW64\Okanklik.exe N/A
File created C:\Windows\SysWOW64\Beejng32.exe C:\Windows\SysWOW64\Bbgnak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpceidcn.exe C:\Windows\SysWOW64\Baadng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cacacg32.exe C:\Windows\SysWOW64\Cmgechbh.exe N/A
File opened for modification C:\Windows\SysWOW64\Mofglh32.exe C:\Windows\SysWOW64\Mlhkpm32.exe N/A
File created C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Nenobfak.exe N/A
File created C:\Windows\SysWOW64\Aliolp32.dll C:\Windows\SysWOW64\Onbgmg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Achojp32.exe C:\Windows\SysWOW64\Aeenochi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajbggjfq.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Abphal32.exe N/A
File created C:\Windows\SysWOW64\Gpbgnedh.dll C:\Windows\SysWOW64\Mlcbenjb.exe N/A
File created C:\Windows\SysWOW64\Llcohjcg.dll C:\Windows\SysWOW64\Modkfi32.exe N/A
File created C:\Windows\SysWOW64\Mehjml32.dll C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
File created C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\SysWOW64\Nilhhdga.exe N/A
File created C:\Windows\SysWOW64\Bonoflae.exe C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File created C:\Windows\SysWOW64\Eignpade.dll C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mapjmehi.exe C:\Windows\SysWOW64\Moanaiie.exe N/A
File created C:\Windows\SysWOW64\Mhjbjopf.exe C:\Windows\SysWOW64\Mapjmehi.exe N/A
File created C:\Windows\SysWOW64\Modkfi32.exe C:\Windows\SysWOW64\Mhjbjopf.exe N/A
File opened for modification C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
File created C:\Windows\SysWOW64\Nmqalo32.dll C:\Windows\SysWOW64\Pjnamh32.exe N/A
File created C:\Windows\SysWOW64\Ldhfglad.dll C:\Windows\SysWOW64\Blmfea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjdplm32.exe C:\Windows\SysWOW64\Blaopqpo.exe N/A
File created C:\Windows\SysWOW64\Lmlhnagm.exe C:\Windows\SysWOW64\Ljmlbfhi.exe N/A
File opened for modification C:\Windows\SysWOW64\Nilhhdga.exe C:\Windows\SysWOW64\Nadpgggp.exe N/A
File created C:\Windows\SysWOW64\Ohendqhd.exe C:\Windows\SysWOW64\Odjbdb32.exe N/A
File created C:\Windows\SysWOW64\Pfdabino.exe C:\Windows\SysWOW64\Pgbafl32.exe N/A
File created C:\Windows\SysWOW64\Njelgo32.dll C:\Windows\SysWOW64\Alhmjbhj.exe N/A
File created C:\Windows\SysWOW64\Blkioa32.exe C:\Windows\SysWOW64\Bilmcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Biafnecn.exe C:\Windows\SysWOW64\Beejng32.exe N/A
File created C:\Windows\SysWOW64\Lgenio32.dll C:\Windows\SysWOW64\Oomjlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oegbheiq.exe C:\Windows\SysWOW64\Oalfhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkidlk32.exe C:\Windows\SysWOW64\Ogmhkmki.exe N/A
File created C:\Windows\SysWOW64\Eioojl32.dll C:\Windows\SysWOW64\Qflhbhgg.exe N/A
File created C:\Windows\SysWOW64\Blobjaba.exe C:\Windows\SysWOW64\Biafnecn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Magqncba.exe N/A
File opened for modification C:\Windows\SysWOW64\Nplmop32.exe C:\Windows\SysWOW64\Nmnace32.exe N/A
File created C:\Windows\SysWOW64\Qgmdjp32.exe C:\Windows\SysWOW64\Qijdocfj.exe N/A
File opened for modification C:\Windows\SysWOW64\Aniimjbo.exe C:\Windows\SysWOW64\Qkkmqnck.exe N/A
File opened for modification C:\Windows\SysWOW64\Amnfnfgg.exe C:\Windows\SysWOW64\Anlfbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Agfgqo32.exe C:\Windows\SysWOW64\Ackkppma.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdoajb32.exe C:\Windows\SysWOW64\Cpceidcn.exe N/A
File created C:\Windows\SysWOW64\Afdignjb.dll C:\Windows\SysWOW64\Ndemjoae.exe N/A
File created C:\Windows\SysWOW64\Jmbckb32.dll C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
File created C:\Windows\SysWOW64\Lcnaga32.dll C:\Windows\SysWOW64\Okoafmkm.exe N/A
File created C:\Windows\SysWOW64\Oqacic32.exe C:\Windows\SysWOW64\Oancnfoe.exe N/A
File created C:\Windows\SysWOW64\Jbbpnl32.dll C:\Windows\SysWOW64\Onecbg32.exe N/A
File created C:\Windows\SysWOW64\Agdjkogm.exe C:\Windows\SysWOW64\Achojp32.exe N/A
File created C:\Windows\SysWOW64\Nkpegi32.exe C:\Windows\SysWOW64\Ndemjoae.exe N/A
File created C:\Windows\SysWOW64\Npccpo32.exe C:\Windows\SysWOW64\Niikceid.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmccjbaf.exe C:\Windows\SysWOW64\Pihgic32.exe N/A
File created C:\Windows\SysWOW64\Behgcf32.exe C:\Windows\SysWOW64\Bbikgk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mlaeonld.exe C:\Windows\SysWOW64\Legmbd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mlcbenjb.exe C:\Windows\SysWOW64\Mieeibkn.exe N/A
File created C:\Windows\SysWOW64\Mapjmehi.exe C:\Windows\SysWOW64\Moanaiie.exe N/A
File opened for modification C:\Windows\SysWOW64\Nigome32.exe C:\Windows\SysWOW64\Ngibaj32.exe N/A
File created C:\Windows\SysWOW64\Okbekdoi.dll C:\Windows\SysWOW64\Aeenochi.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Cacacg32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oqcpob32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pokieo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnkbam32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blaopqpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oegbheiq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mieeibkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aigchgkh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alhmjbhj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmgechbh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Linphc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nadpgggp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apoooa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beejng32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chkmkacq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjnamh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaheie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blmfea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abphal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ollajp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkkmqnck.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlcnda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Okoafmkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhfcpb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aijpnfif.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Biojif32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdkgocpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkfceo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amnfnfgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Achojp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amqccfed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhohda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apdhjq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blobjaba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqeicede.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfbelipa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boplllob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oghopm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npccpo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogmhkmki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oqacic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnimnfpc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amelne32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Becnhgmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhajdblk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olonpp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odoloalf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmojocel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blkioa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Legmbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mffimglk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nofdklgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajecmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbfdaigg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjpnbg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcibkm32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mapjmehi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll" C:\Windows\SysWOW64\Pkfceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll" C:\Windows\SysWOW64\Acmhepko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkglameg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll" C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmnace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngibaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pckoam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajbggjfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" C:\Windows\SysWOW64\Apdhjq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Biafnecn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll" C:\Windows\SysWOW64\Bbikgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Modkfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll" C:\Windows\SysWOW64\Mmihhelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll" C:\Windows\SysWOW64\Nmnace32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll" C:\Windows\SysWOW64\Nplmop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nplmop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll" C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfglke32.dll" C:\Windows\SysWOW64\Oohqqlei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibeif32.dll" C:\Windows\SysWOW64\Odeiibdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odeiibdq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" C:\Windows\SysWOW64\Ollajp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odjbdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qeaedd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aigchgkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajgpbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bphbeplm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Olonpp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abphal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbdallnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll" C:\Windows\SysWOW64\Ohhkjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgbafl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docdkd32.dll" C:\Windows\SysWOW64\Npccpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkfceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajpjakhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll" C:\Windows\SysWOW64\Legmbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll" C:\Windows\SysWOW64\Pjpnbg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apdhjq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbgnak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll" C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll" C:\Windows\SysWOW64\Cdoajb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll" C:\Windows\SysWOW64\Pkidlk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qodlkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Biafnecn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Okdkal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjnamh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aniimjbo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Blmfea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nigome32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll" C:\Windows\SysWOW64\Nadpgggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll" C:\Windows\SysWOW64\Pbnoliap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abeemhkh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfkpqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aganeoip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll" C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chkmkacq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2756 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2756 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2756 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2688 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Laegiq32.exe
PID 2688 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Laegiq32.exe
PID 2688 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Laegiq32.exe
PID 2688 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Laegiq32.exe
PID 2020 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Laegiq32.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 2020 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Laegiq32.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 2020 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Laegiq32.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 2020 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Laegiq32.exe C:\Windows\SysWOW64\Lbfdaigg.exe
PID 1680 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Ljmlbfhi.exe
PID 1680 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Ljmlbfhi.exe
PID 1680 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Ljmlbfhi.exe
PID 1680 wrote to memory of 2016 N/A C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\SysWOW64\Ljmlbfhi.exe
PID 2016 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ljmlbfhi.exe C:\Windows\SysWOW64\Lmlhnagm.exe
PID 2016 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ljmlbfhi.exe C:\Windows\SysWOW64\Lmlhnagm.exe
PID 2016 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ljmlbfhi.exe C:\Windows\SysWOW64\Lmlhnagm.exe
PID 2016 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ljmlbfhi.exe C:\Windows\SysWOW64\Lmlhnagm.exe
PID 580 wrote to memory of 328 N/A C:\Windows\SysWOW64\Lmlhnagm.exe C:\Windows\SysWOW64\Llohjo32.exe
PID 580 wrote to memory of 328 N/A C:\Windows\SysWOW64\Lmlhnagm.exe C:\Windows\SysWOW64\Llohjo32.exe
PID 580 wrote to memory of 328 N/A C:\Windows\SysWOW64\Lmlhnagm.exe C:\Windows\SysWOW64\Llohjo32.exe
PID 580 wrote to memory of 328 N/A C:\Windows\SysWOW64\Lmlhnagm.exe C:\Windows\SysWOW64\Llohjo32.exe
PID 328 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Llohjo32.exe C:\Windows\SysWOW64\Legmbd32.exe
PID 328 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Llohjo32.exe C:\Windows\SysWOW64\Legmbd32.exe
PID 328 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Llohjo32.exe C:\Windows\SysWOW64\Legmbd32.exe
PID 328 wrote to memory of 1920 N/A C:\Windows\SysWOW64\Llohjo32.exe C:\Windows\SysWOW64\Legmbd32.exe
PID 1920 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Legmbd32.exe C:\Windows\SysWOW64\Mlaeonld.exe
PID 1920 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Legmbd32.exe C:\Windows\SysWOW64\Mlaeonld.exe
PID 1920 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Legmbd32.exe C:\Windows\SysWOW64\Mlaeonld.exe
PID 1920 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Legmbd32.exe C:\Windows\SysWOW64\Mlaeonld.exe
PID 2060 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Mlaeonld.exe C:\Windows\SysWOW64\Mpmapm32.exe
PID 2060 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Mlaeonld.exe C:\Windows\SysWOW64\Mpmapm32.exe
PID 2060 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Mlaeonld.exe C:\Windows\SysWOW64\Mpmapm32.exe
PID 2060 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Mlaeonld.exe C:\Windows\SysWOW64\Mpmapm32.exe
PID 2592 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpmapm32.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2592 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpmapm32.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2592 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpmapm32.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2592 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Mpmapm32.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2800 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mieeibkn.exe
PID 2800 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mieeibkn.exe
PID 2800 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mieeibkn.exe
PID 2800 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mieeibkn.exe
PID 2080 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Mieeibkn.exe C:\Windows\SysWOW64\Mlcbenjb.exe
PID 2080 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Mieeibkn.exe C:\Windows\SysWOW64\Mlcbenjb.exe
PID 2080 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Mieeibkn.exe C:\Windows\SysWOW64\Mlcbenjb.exe
PID 2080 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Mieeibkn.exe C:\Windows\SysWOW64\Mlcbenjb.exe
PID 1384 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Mlcbenjb.exe C:\Windows\SysWOW64\Moanaiie.exe
PID 1384 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Mlcbenjb.exe C:\Windows\SysWOW64\Moanaiie.exe
PID 1384 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Mlcbenjb.exe C:\Windows\SysWOW64\Moanaiie.exe
PID 1384 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Mlcbenjb.exe C:\Windows\SysWOW64\Moanaiie.exe
PID 1856 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Moanaiie.exe C:\Windows\SysWOW64\Mapjmehi.exe
PID 1856 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Moanaiie.exe C:\Windows\SysWOW64\Mapjmehi.exe
PID 1856 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Moanaiie.exe C:\Windows\SysWOW64\Mapjmehi.exe
PID 1856 wrote to memory of 2192 N/A C:\Windows\SysWOW64\Moanaiie.exe C:\Windows\SysWOW64\Mapjmehi.exe
PID 2192 wrote to memory of 468 N/A C:\Windows\SysWOW64\Mapjmehi.exe C:\Windows\SysWOW64\Mhjbjopf.exe
PID 2192 wrote to memory of 468 N/A C:\Windows\SysWOW64\Mapjmehi.exe C:\Windows\SysWOW64\Mhjbjopf.exe
PID 2192 wrote to memory of 468 N/A C:\Windows\SysWOW64\Mapjmehi.exe C:\Windows\SysWOW64\Mhjbjopf.exe
PID 2192 wrote to memory of 468 N/A C:\Windows\SysWOW64\Mapjmehi.exe C:\Windows\SysWOW64\Mhjbjopf.exe
PID 468 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Mhjbjopf.exe C:\Windows\SysWOW64\Modkfi32.exe
PID 468 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Mhjbjopf.exe C:\Windows\SysWOW64\Modkfi32.exe
PID 468 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Mhjbjopf.exe C:\Windows\SysWOW64\Modkfi32.exe
PID 468 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Mhjbjopf.exe C:\Windows\SysWOW64\Modkfi32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"

C:\Windows\SysWOW64\Linphc32.exe

C:\Windows\system32\Linphc32.exe

C:\Windows\SysWOW64\Laegiq32.exe

C:\Windows\system32\Laegiq32.exe

C:\Windows\SysWOW64\Lbfdaigg.exe

C:\Windows\system32\Lbfdaigg.exe

C:\Windows\SysWOW64\Ljmlbfhi.exe

C:\Windows\system32\Ljmlbfhi.exe

C:\Windows\SysWOW64\Lmlhnagm.exe

C:\Windows\system32\Lmlhnagm.exe

C:\Windows\SysWOW64\Llohjo32.exe

C:\Windows\system32\Llohjo32.exe

C:\Windows\SysWOW64\Legmbd32.exe

C:\Windows\system32\Legmbd32.exe

C:\Windows\SysWOW64\Mlaeonld.exe

C:\Windows\system32\Mlaeonld.exe

C:\Windows\SysWOW64\Mpmapm32.exe

C:\Windows\system32\Mpmapm32.exe

C:\Windows\SysWOW64\Mffimglk.exe

C:\Windows\system32\Mffimglk.exe

C:\Windows\SysWOW64\Mieeibkn.exe

C:\Windows\system32\Mieeibkn.exe

C:\Windows\SysWOW64\Mlcbenjb.exe

C:\Windows\system32\Mlcbenjb.exe

C:\Windows\SysWOW64\Moanaiie.exe

C:\Windows\system32\Moanaiie.exe

C:\Windows\SysWOW64\Mapjmehi.exe

C:\Windows\system32\Mapjmehi.exe

C:\Windows\SysWOW64\Mhjbjopf.exe

C:\Windows\system32\Mhjbjopf.exe

C:\Windows\SysWOW64\Modkfi32.exe

C:\Windows\system32\Modkfi32.exe

C:\Windows\SysWOW64\Mabgcd32.exe

C:\Windows\system32\Mabgcd32.exe

C:\Windows\SysWOW64\Mdacop32.exe

C:\Windows\system32\Mdacop32.exe

C:\Windows\SysWOW64\Mlhkpm32.exe

C:\Windows\system32\Mlhkpm32.exe

C:\Windows\SysWOW64\Mofglh32.exe

C:\Windows\system32\Mofglh32.exe

C:\Windows\SysWOW64\Mmihhelk.exe

C:\Windows\system32\Mmihhelk.exe

C:\Windows\SysWOW64\Mdcpdp32.exe

C:\Windows\system32\Mdcpdp32.exe

C:\Windows\SysWOW64\Mgalqkbk.exe

C:\Windows\system32\Mgalqkbk.exe

C:\Windows\SysWOW64\Moidahcn.exe

C:\Windows\system32\Moidahcn.exe

C:\Windows\SysWOW64\Magqncba.exe

C:\Windows\system32\Magqncba.exe

C:\Windows\SysWOW64\Ndemjoae.exe

C:\Windows\system32\Ndemjoae.exe

C:\Windows\SysWOW64\Nkpegi32.exe

C:\Windows\system32\Nkpegi32.exe

C:\Windows\SysWOW64\Nmnace32.exe

C:\Windows\system32\Nmnace32.exe

C:\Windows\SysWOW64\Nplmop32.exe

C:\Windows\system32\Nplmop32.exe

C:\Windows\SysWOW64\Nckjkl32.exe

C:\Windows\system32\Nckjkl32.exe

C:\Windows\SysWOW64\Nkbalifo.exe

C:\Windows\system32\Nkbalifo.exe

C:\Windows\SysWOW64\Nlcnda32.exe

C:\Windows\system32\Nlcnda32.exe

C:\Windows\SysWOW64\Npojdpef.exe

C:\Windows\system32\Npojdpef.exe

C:\Windows\SysWOW64\Ncmfqkdj.exe

C:\Windows\system32\Ncmfqkdj.exe

C:\Windows\SysWOW64\Ngibaj32.exe

C:\Windows\system32\Ngibaj32.exe

C:\Windows\SysWOW64\Nigome32.exe

C:\Windows\system32\Nigome32.exe

C:\Windows\SysWOW64\Npagjpcd.exe

C:\Windows\system32\Npagjpcd.exe

C:\Windows\SysWOW64\Nodgel32.exe

C:\Windows\system32\Nodgel32.exe

C:\Windows\SysWOW64\Ncpcfkbg.exe

C:\Windows\system32\Ncpcfkbg.exe

C:\Windows\SysWOW64\Nenobfak.exe

C:\Windows\system32\Nenobfak.exe

C:\Windows\SysWOW64\Niikceid.exe

C:\Windows\system32\Niikceid.exe

C:\Windows\SysWOW64\Npccpo32.exe

C:\Windows\system32\Npccpo32.exe

C:\Windows\SysWOW64\Nofdklgl.exe

C:\Windows\system32\Nofdklgl.exe

C:\Windows\SysWOW64\Nadpgggp.exe

C:\Windows\system32\Nadpgggp.exe

C:\Windows\SysWOW64\Nilhhdga.exe

C:\Windows\system32\Nilhhdga.exe

C:\Windows\SysWOW64\Nhohda32.exe

C:\Windows\system32\Nhohda32.exe

C:\Windows\SysWOW64\Nkmdpm32.exe

C:\Windows\system32\Nkmdpm32.exe

C:\Windows\SysWOW64\Oohqqlei.exe

C:\Windows\system32\Oohqqlei.exe

C:\Windows\SysWOW64\Oagmmgdm.exe

C:\Windows\system32\Oagmmgdm.exe

C:\Windows\SysWOW64\Oebimf32.exe

C:\Windows\system32\Oebimf32.exe

C:\Windows\SysWOW64\Odeiibdq.exe

C:\Windows\system32\Odeiibdq.exe

C:\Windows\SysWOW64\Ollajp32.exe

C:\Windows\system32\Ollajp32.exe

C:\Windows\SysWOW64\Okoafmkm.exe

C:\Windows\system32\Okoafmkm.exe

C:\Windows\SysWOW64\Ocfigjlp.exe

C:\Windows\system32\Ocfigjlp.exe

C:\Windows\SysWOW64\Olonpp32.exe

C:\Windows\system32\Olonpp32.exe

C:\Windows\SysWOW64\Okanklik.exe

C:\Windows\system32\Okanklik.exe

C:\Windows\SysWOW64\Oomjlk32.exe

C:\Windows\system32\Oomjlk32.exe

C:\Windows\SysWOW64\Onpjghhn.exe

C:\Windows\system32\Onpjghhn.exe

C:\Windows\SysWOW64\Oalfhf32.exe

C:\Windows\system32\Oalfhf32.exe

C:\Windows\SysWOW64\Oegbheiq.exe

C:\Windows\system32\Oegbheiq.exe

C:\Windows\SysWOW64\Odjbdb32.exe

C:\Windows\system32\Odjbdb32.exe

C:\Windows\SysWOW64\Ohendqhd.exe

C:\Windows\system32\Ohendqhd.exe

C:\Windows\SysWOW64\Oghopm32.exe

C:\Windows\system32\Oghopm32.exe

C:\Windows\SysWOW64\Okdkal32.exe

C:\Windows\system32\Okdkal32.exe

C:\Windows\SysWOW64\Oopfakpa.exe

C:\Windows\system32\Oopfakpa.exe

C:\Windows\SysWOW64\Onbgmg32.exe

C:\Windows\system32\Onbgmg32.exe

C:\Windows\SysWOW64\Oancnfoe.exe

C:\Windows\system32\Oancnfoe.exe

C:\Windows\SysWOW64\Oqacic32.exe

C:\Windows\system32\Oqacic32.exe

C:\Windows\SysWOW64\Odlojanh.exe

C:\Windows\system32\Odlojanh.exe

C:\Windows\SysWOW64\Ohhkjp32.exe

C:\Windows\system32\Ohhkjp32.exe

C:\Windows\SysWOW64\Ogkkfmml.exe

C:\Windows\system32\Ogkkfmml.exe

C:\Windows\SysWOW64\Ojigbhlp.exe

C:\Windows\system32\Ojigbhlp.exe

C:\Windows\SysWOW64\Onecbg32.exe

C:\Windows\system32\Onecbg32.exe

C:\Windows\SysWOW64\Oqcpob32.exe

C:\Windows\system32\Oqcpob32.exe

C:\Windows\SysWOW64\Odoloalf.exe

C:\Windows\system32\Odoloalf.exe

C:\Windows\SysWOW64\Ogmhkmki.exe

C:\Windows\system32\Ogmhkmki.exe

C:\Windows\SysWOW64\Pkidlk32.exe

C:\Windows\system32\Pkidlk32.exe

C:\Windows\SysWOW64\Pjldghjm.exe

C:\Windows\system32\Pjldghjm.exe

C:\Windows\SysWOW64\Pmjqcc32.exe

C:\Windows\system32\Pmjqcc32.exe

C:\Windows\SysWOW64\Pqemdbaj.exe

C:\Windows\system32\Pqemdbaj.exe

C:\Windows\SysWOW64\Pcdipnqn.exe

C:\Windows\system32\Pcdipnqn.exe

C:\Windows\SysWOW64\Pgpeal32.exe

C:\Windows\system32\Pgpeal32.exe

C:\Windows\SysWOW64\Pfbelipa.exe

C:\Windows\system32\Pfbelipa.exe

C:\Windows\SysWOW64\Pjnamh32.exe

C:\Windows\system32\Pjnamh32.exe

C:\Windows\SysWOW64\Pnimnfpc.exe

C:\Windows\system32\Pnimnfpc.exe

C:\Windows\SysWOW64\Pmlmic32.exe

C:\Windows\system32\Pmlmic32.exe

C:\Windows\SysWOW64\Pokieo32.exe

C:\Windows\system32\Pokieo32.exe

C:\Windows\SysWOW64\Pcfefmnk.exe

C:\Windows\system32\Pcfefmnk.exe

C:\Windows\SysWOW64\Pgbafl32.exe

C:\Windows\system32\Pgbafl32.exe

C:\Windows\SysWOW64\Pfdabino.exe

C:\Windows\system32\Pfdabino.exe

C:\Windows\SysWOW64\Pjpnbg32.exe

C:\Windows\system32\Pjpnbg32.exe

C:\Windows\SysWOW64\Pmojocel.exe

C:\Windows\system32\Pmojocel.exe

C:\Windows\SysWOW64\Pqjfoa32.exe

C:\Windows\system32\Pqjfoa32.exe

C:\Windows\SysWOW64\Pomfkndo.exe

C:\Windows\system32\Pomfkndo.exe

C:\Windows\SysWOW64\Pcibkm32.exe

C:\Windows\system32\Pcibkm32.exe

C:\Windows\SysWOW64\Pbkbgjcc.exe

C:\Windows\system32\Pbkbgjcc.exe

C:\Windows\SysWOW64\Pjbjhgde.exe

C:\Windows\system32\Pjbjhgde.exe

C:\Windows\SysWOW64\Piekcd32.exe

C:\Windows\system32\Piekcd32.exe

C:\Windows\SysWOW64\Pmagdbci.exe

C:\Windows\system32\Pmagdbci.exe

C:\Windows\SysWOW64\Pkdgpo32.exe

C:\Windows\system32\Pkdgpo32.exe

C:\Windows\SysWOW64\Pckoam32.exe

C:\Windows\system32\Pckoam32.exe

C:\Windows\SysWOW64\Pbnoliap.exe

C:\Windows\system32\Pbnoliap.exe

C:\Windows\SysWOW64\Pfikmh32.exe

C:\Windows\system32\Pfikmh32.exe

C:\Windows\SysWOW64\Pihgic32.exe

C:\Windows\system32\Pihgic32.exe

C:\Windows\SysWOW64\Pmccjbaf.exe

C:\Windows\system32\Pmccjbaf.exe

C:\Windows\SysWOW64\Pkfceo32.exe

C:\Windows\system32\Pkfceo32.exe

C:\Windows\SysWOW64\Pndpajgd.exe

C:\Windows\system32\Pndpajgd.exe

C:\Windows\SysWOW64\Qbplbi32.exe

C:\Windows\system32\Qbplbi32.exe

C:\Windows\SysWOW64\Qflhbhgg.exe

C:\Windows\system32\Qflhbhgg.exe

C:\Windows\SysWOW64\Qeohnd32.exe

C:\Windows\system32\Qeohnd32.exe

C:\Windows\SysWOW64\Qijdocfj.exe

C:\Windows\system32\Qijdocfj.exe

C:\Windows\SysWOW64\Qgmdjp32.exe

C:\Windows\system32\Qgmdjp32.exe

C:\Windows\SysWOW64\Qodlkm32.exe

C:\Windows\system32\Qodlkm32.exe

C:\Windows\SysWOW64\Qngmgjeb.exe

C:\Windows\system32\Qngmgjeb.exe

C:\Windows\SysWOW64\Qbbhgi32.exe

C:\Windows\system32\Qbbhgi32.exe

C:\Windows\SysWOW64\Qqeicede.exe

C:\Windows\system32\Qqeicede.exe

C:\Windows\SysWOW64\Qeaedd32.exe

C:\Windows\system32\Qeaedd32.exe

C:\Windows\SysWOW64\Qkkmqnck.exe

C:\Windows\system32\Qkkmqnck.exe

C:\Windows\SysWOW64\Aniimjbo.exe

C:\Windows\system32\Aniimjbo.exe

C:\Windows\SysWOW64\Abeemhkh.exe

C:\Windows\system32\Abeemhkh.exe

C:\Windows\SysWOW64\Aaheie32.exe

C:\Windows\system32\Aaheie32.exe

C:\Windows\SysWOW64\Acfaeq32.exe

C:\Windows\system32\Acfaeq32.exe

C:\Windows\SysWOW64\Aganeoip.exe

C:\Windows\system32\Aganeoip.exe

C:\Windows\SysWOW64\Akmjfn32.exe

C:\Windows\system32\Akmjfn32.exe

C:\Windows\SysWOW64\Ajpjakhc.exe

C:\Windows\system32\Ajpjakhc.exe

C:\Windows\SysWOW64\Anlfbi32.exe

C:\Windows\system32\Anlfbi32.exe

C:\Windows\SysWOW64\Amnfnfgg.exe

C:\Windows\system32\Amnfnfgg.exe

C:\Windows\SysWOW64\Aajbne32.exe

C:\Windows\system32\Aajbne32.exe

C:\Windows\SysWOW64\Aeenochi.exe

C:\Windows\system32\Aeenochi.exe

C:\Windows\SysWOW64\Achojp32.exe

C:\Windows\system32\Achojp32.exe

C:\Windows\SysWOW64\Agdjkogm.exe

C:\Windows\system32\Agdjkogm.exe

C:\Windows\SysWOW64\Afgkfl32.exe

C:\Windows\system32\Afgkfl32.exe

C:\Windows\SysWOW64\Ajbggjfq.exe

C:\Windows\system32\Ajbggjfq.exe

C:\Windows\SysWOW64\Amqccfed.exe

C:\Windows\system32\Amqccfed.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Apoooa32.exe

C:\Windows\system32\Apoooa32.exe

C:\Windows\SysWOW64\Ackkppma.exe

C:\Windows\system32\Ackkppma.exe

C:\Windows\SysWOW64\Agfgqo32.exe

C:\Windows\system32\Agfgqo32.exe

C:\Windows\SysWOW64\Ajecmj32.exe

C:\Windows\system32\Ajecmj32.exe

C:\Windows\SysWOW64\Aigchgkh.exe

C:\Windows\system32\Aigchgkh.exe

C:\Windows\SysWOW64\Amcpie32.exe

C:\Windows\system32\Amcpie32.exe

C:\Windows\SysWOW64\Aaolidlk.exe

C:\Windows\system32\Aaolidlk.exe

C:\Windows\SysWOW64\Acmhepko.exe

C:\Windows\system32\Acmhepko.exe

C:\Windows\SysWOW64\Abphal32.exe

C:\Windows\system32\Abphal32.exe

C:\Windows\SysWOW64\Abphal32.exe

C:\Windows\system32\Abphal32.exe

C:\Windows\SysWOW64\Afkdakjb.exe

C:\Windows\system32\Afkdakjb.exe

C:\Windows\SysWOW64\Ajgpbj32.exe

C:\Windows\system32\Ajgpbj32.exe

C:\Windows\SysWOW64\Aijpnfif.exe

C:\Windows\system32\Aijpnfif.exe

C:\Windows\SysWOW64\Amelne32.exe

C:\Windows\system32\Amelne32.exe

C:\Windows\SysWOW64\Alhmjbhj.exe

C:\Windows\system32\Alhmjbhj.exe

C:\Windows\SysWOW64\Apdhjq32.exe

C:\Windows\system32\Apdhjq32.exe

C:\Windows\SysWOW64\Acpdko32.exe

C:\Windows\system32\Acpdko32.exe

C:\Windows\SysWOW64\Abbeflpf.exe

C:\Windows\system32\Abbeflpf.exe

C:\Windows\SysWOW64\Aeqabgoj.exe

C:\Windows\system32\Aeqabgoj.exe

C:\Windows\SysWOW64\Bilmcf32.exe

C:\Windows\system32\Bilmcf32.exe

C:\Windows\SysWOW64\Blkioa32.exe

C:\Windows\system32\Blkioa32.exe

C:\Windows\SysWOW64\Bpfeppop.exe

C:\Windows\system32\Bpfeppop.exe

C:\Windows\SysWOW64\Bnielm32.exe

C:\Windows\system32\Bnielm32.exe

C:\Windows\SysWOW64\Bbdallnd.exe

C:\Windows\system32\Bbdallnd.exe

C:\Windows\SysWOW64\Bfpnmj32.exe

C:\Windows\system32\Bfpnmj32.exe

C:\Windows\SysWOW64\Becnhgmg.exe

C:\Windows\system32\Becnhgmg.exe

C:\Windows\SysWOW64\Biojif32.exe

C:\Windows\system32\Biojif32.exe

C:\Windows\SysWOW64\Bhajdblk.exe

C:\Windows\system32\Bhajdblk.exe

C:\Windows\SysWOW64\Blmfea32.exe

C:\Windows\system32\Blmfea32.exe

C:\Windows\SysWOW64\Bphbeplm.exe

C:\Windows\system32\Bphbeplm.exe

C:\Windows\SysWOW64\Bnkbam32.exe

C:\Windows\system32\Bnkbam32.exe

C:\Windows\SysWOW64\Bbgnak32.exe

C:\Windows\system32\Bbgnak32.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Biafnecn.exe

C:\Windows\system32\Biafnecn.exe

C:\Windows\SysWOW64\Blobjaba.exe

C:\Windows\system32\Blobjaba.exe

C:\Windows\SysWOW64\Bjbcfn32.exe

C:\Windows\system32\Bjbcfn32.exe

C:\Windows\SysWOW64\Bonoflae.exe

C:\Windows\system32\Bonoflae.exe

C:\Windows\SysWOW64\Bbikgk32.exe

C:\Windows\system32\Bbikgk32.exe

C:\Windows\SysWOW64\Behgcf32.exe

C:\Windows\system32\Behgcf32.exe

C:\Windows\SysWOW64\Bdkgocpm.exe

C:\Windows\system32\Bdkgocpm.exe

C:\Windows\SysWOW64\Bhfcpb32.exe

C:\Windows\system32\Bhfcpb32.exe

C:\Windows\SysWOW64\Blaopqpo.exe

C:\Windows\system32\Blaopqpo.exe

C:\Windows\SysWOW64\Bjdplm32.exe

C:\Windows\system32\Bjdplm32.exe

C:\Windows\SysWOW64\Boplllob.exe

C:\Windows\system32\Boplllob.exe

C:\Windows\SysWOW64\Baohhgnf.exe

C:\Windows\system32\Baohhgnf.exe

C:\Windows\SysWOW64\Baohhgnf.exe

C:\Windows\system32\Baohhgnf.exe

C:\Windows\SysWOW64\Bejdiffp.exe

C:\Windows\system32\Bejdiffp.exe

C:\Windows\SysWOW64\Bhhpeafc.exe

C:\Windows\system32\Bhhpeafc.exe

C:\Windows\SysWOW64\Bhhpeafc.exe

C:\Windows\system32\Bhhpeafc.exe

C:\Windows\SysWOW64\Bfkpqn32.exe

C:\Windows\system32\Bfkpqn32.exe

C:\Windows\SysWOW64\Bkglameg.exe

C:\Windows\system32\Bkglameg.exe

C:\Windows\SysWOW64\Bobhal32.exe

C:\Windows\system32\Bobhal32.exe

C:\Windows\SysWOW64\Baadng32.exe

C:\Windows\system32\Baadng32.exe

C:\Windows\SysWOW64\Cpceidcn.exe

C:\Windows\system32\Cpceidcn.exe

C:\Windows\SysWOW64\Cdoajb32.exe

C:\Windows\system32\Cdoajb32.exe

C:\Windows\SysWOW64\Chkmkacq.exe

C:\Windows\system32\Chkmkacq.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Ckiigmcd.exe

C:\Windows\system32\Ckiigmcd.exe

C:\Windows\SysWOW64\Cilibi32.exe

C:\Windows\system32\Cilibi32.exe

C:\Windows\SysWOW64\Cmgechbh.exe

C:\Windows\system32\Cmgechbh.exe

C:\Windows\SysWOW64\Cacacg32.exe

C:\Windows\system32\Cacacg32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 140

Network

N/A

Files

memory/2756-0-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Linphc32.exe

MD5 9b25fe859f24f7dd60db5164cde66f5a
SHA1 e27ff2851b1ed9e4f9bd90da1ddf8c64dbaf7208
SHA256 684a5566ddb4aa685804e6e424652952b4bee8ea6a182d3df85259efb350b70b
SHA512 a91c80ba75460ea48675f0759b6d7ff043306d7dc37f73798bbe713e7dbffb2ad42fcb8c5fa2c078950cb4d94cd03700e741aaef6e9fb28ce942b6929d3dbf51

memory/2688-13-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2756-11-0x00000000002E0000-0x000000000031C000-memory.dmp

\Windows\SysWOW64\Laegiq32.exe

MD5 3b475b7efa4ecac75fb69f2fa020de45
SHA1 734aff3af6b4b0a77cbc2e10ffbb74276f8acf38
SHA256 0b25542a4a04f92b61c90cfda88a0e35cdf9c3dceec43705612ab58eae8964ea
SHA512 1b764217ed62a9accfecc15aa0a15acd5ae1a3c151b887c05ec4483f5a817e97ec5cb2d47ac87a61ea85cc37edc3ee13b97c7553756d57aa3faf7916d3dfa824

\Windows\SysWOW64\Lbfdaigg.exe

MD5 708a3ca0f361e8e77181f7584d142f4a
SHA1 701b3005641e1ded2d60392a67573246b8fadc7d
SHA256 4f08344e4091a17443f751098e5666f567730f050def81f16690f26d5863c48a
SHA512 d1ba734c635e25e5d356f92bff1b8938ba81986d8c7e202810be8dcfb4c2935d9c5a5b77a8a46c3e083cd154da1be39bcbc519a906c148bef76a136c8339b933

C:\Windows\SysWOW64\Ljmlbfhi.exe

MD5 103c4ecea023af87047716b964b0f9c1
SHA1 d18049c58e69b1f99da392720b6d1d415c57643c
SHA256 ea348593dd5fe28ab19b472b9793d77abc98cb0aa238e5f781abb273e0b3a6ce
SHA512 922dfc4d12d554ab3e82bf062269b08964dfddc6e687bc855a83aeffdb63da075482371b42d1e117166d59e59d1cabfea61ffef9c16c5a30e9a2c06c551a1a03

memory/580-75-0x0000000000250000-0x000000000028C000-memory.dmp

\Windows\SysWOW64\Llohjo32.exe

MD5 47fc2181217472d8ca0d37ff1e9e4f54
SHA1 6e5753ebac9cb69307f218aac5e2262b3cdcc5eb
SHA256 ffb213ce1acf05009e54057340a150b168bd6eed955c60765c7b4820e23b8baa
SHA512 ca74bdce251d36eaaa777d457bc3149cca5f2e0593a537115f5e4a306567a61fe14182404c6774dc3523747fb9e6cf3ac37923df70f123ee9b1955c9485d8364

C:\Windows\SysWOW64\Lmlhnagm.exe

MD5 faf72d1987cdfde538c2273b1e607aaa
SHA1 ac2cfe838b2ced987903ce6d1b35fa0cf4764a04
SHA256 9896f77e3a92e4cb6543796a8623554fe3a653a63d94bd930a09c5f7cb77896c
SHA512 b373f3ff1478c81ddfd35f7a3773692e8b975dc257830921c4c8d4df01575906211ca49f534d2f8a08d2d723e374712821addb57de206289959c5a906a53c276

memory/580-82-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Legmbd32.exe

MD5 2ed3d20e4e975c180ba66ca22ba5be2c
SHA1 61fd5581289f564cf0674ae8d200b104a2b32447
SHA256 2b5c13bd69075e9f3c61a5bffde945a1bb6520cfdc364cb99c7363405053435c
SHA512 fe5d335188f8467c3207c482c75d1fc7e79c14d627647254e0ba550020177443ccbb9a3d135ecd427270fd170fe5dfe0383920b3f155213974e905e1da311153

memory/580-125-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Mpmapm32.exe

MD5 ed21113678cd63ec4708633bf2c9d622
SHA1 64ddcc40b289d3e417e674d1d0b48597bd18ba8c
SHA256 e096d7effd94976eaa647f79e422e22c2e2a8ac28c2c8095bf8979f7efa053d9
SHA512 7242c5b12fc7ab0cd0cc32827863f866d9792afc5dcd381724afe0bd7fca079d33360880d862f831d682c262824af5a0e6025739945bcf6f72f3cd4dc41a6bbc

\Windows\SysWOW64\Mieeibkn.exe

MD5 b844e13af57a8692202dabf070aea1bb
SHA1 8413d0dfb416b4ffe50648b3c9e776f69b0ceedf
SHA256 eb210e0c5c11570cef1bc1a8bc18cb82631b562983785c154f55fba8d1dcebb3
SHA512 f7d9867b4d4f16c1b886d7f890723770422faf26f59fff8d8465f8d33adb404ce098333612ce4179b9a810581ccb403901f052bda83e357387c53026dfefff8e

C:\Windows\SysWOW64\Mlcbenjb.exe

MD5 65a145af5afe425a647b6470646a0527
SHA1 19f46d6e5e4a356dce58afb3229d726d39a998e0
SHA256 4fee074868dad41492ea5acfb03aa1174f3de32ce2ae3759d51b79d5acec9d32
SHA512 7b001d4955d575a0d05c9ebf709d570f4122fed201231497964293f3159425902b6b8dae6f91d08aa70b6c75efdd25163d7f491113222b30ade2132982f661ab

memory/1384-188-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2192-198-0x0000000000400000-0x000000000043C000-memory.dmp

memory/468-222-0x0000000000250000-0x000000000028C000-memory.dmp

\Windows\SysWOW64\Modkfi32.exe

MD5 0f046ad30ff79510013d26ff997a94e7
SHA1 c767d37faaf9368681fe12fcef59524156a1e98a
SHA256 64818a1f7c559cfb325bd08d83a8a45be9061f7dcf49fa34506c6cb592d9b6c0
SHA512 48f9975f6f0eb1af594d5a287bba4848d70cd97d94e82852e859170d5efb768c965a8e0b44a7e6d8d7147923c8da5ce5a643bd43b568c9531b97ba6aacc70694

C:\Windows\SysWOW64\Mabgcd32.exe

MD5 daa4b748f47a59efb3fe962207029059
SHA1 b98cdde8cc280fb4441ad59c01dc73ef4fe2b296
SHA256 2bb82cff051f7879f2d6ad9cabd8ae63f18a4c10cf0ea40a89d010f28a8cf246
SHA512 4dd5097a8811a9a813237b24cecc82b9eca7f6898c7815319a642bd13db47150fcab4cac6f2e5578c6870ae96ca3e3c5b160fae471ff9e860ba1a3dde85aa07b

memory/2164-249-0x0000000000250000-0x000000000028C000-memory.dmp

memory/948-266-0x0000000000280000-0x00000000002BC000-memory.dmp

C:\Windows\SysWOW64\Mmihhelk.exe

MD5 b9595addfa75932f41047a747970520a
SHA1 186bc7352c717ab4a2549fa0459e5c96754fbec2
SHA256 b933e629ec60cd26525e12be82476d684242d5106ee3154b3bda618905788116
SHA512 ac425839ff088ceb0ff5e124342677637378aa195e9a316823d997eb08431069f65179332961f8762779d3a6c41b6be9e5cf87b261f28acb027e1b574bed7ff1

memory/948-297-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mgalqkbk.exe

MD5 9b4c4a49c80bdbd8949991cff3ccbf6e
SHA1 dd4f12d02811ce68f3b34c386ecff055b53d591c
SHA256 ab5ef7d9ca092879a5d4c504aee93db56884ab161f0854c692a99dddfe02359f
SHA512 5d9f56171c2be9f3b0d69b4150c2d1342b444cefee831a1a84dab3cca431e7fa800c4df36c0184ec2f228ea780b162655ea0ed2afcb3c9dba91e047246672096

C:\Windows\SysWOW64\Moidahcn.exe

MD5 25b630bd34e2c35c839314163b468b74
SHA1 dd70ca6381e5fcc79343763066008eef67fd6662
SHA256 a320b32095a9286342a469c6ee5e7a7ad4fe073d4fd62a42f1e0ee465829c469
SHA512 261fbdc8d46112a8e3a68f5718afe1c8efc7d18b906f225f59f5023d7c9997ae54fd9c4c833ecff774226de0e5d4690939d6bb506222a5df5b107fd4ab366e25

C:\Windows\SysWOW64\Magqncba.exe

MD5 3cd4f64506e0b96d4b1c1c80d7730d54
SHA1 c7c025d7534a5a0a658a2356d9d48075f6b208ff
SHA256 40da6e1f6c77695e309508519a6448011cf4c2d6895289f92f8a3315df780172
SHA512 3632ea33efdf00a0f3b87c715fbe36f3681a70e86ef40fe95a53f30cfc5f575b10a8e3783cb1350b45a06f0ee686c2c52b482ef27da48155d3ba48182204652f

memory/2056-318-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2612-327-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1988-326-0x0000000000440000-0x000000000047C000-memory.dmp

memory/1988-313-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1140-309-0x0000000000270000-0x00000000002AC000-memory.dmp

memory/2284-334-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Nmnace32.exe

MD5 d8ec039c295d64d25085e45a2cafaf38
SHA1 2cb3345a2701c0c959801307f7079c10577e1b08
SHA256 b699b65e9dbafb0b64e8aeda87a2a3d91e07cd3af69188f65ae39a91e055818b
SHA512 337a42137f674e909b37b9a0cc998e746d61fbb35a197947f9d6f715196eacfaf2cc9f76c3fad06db8b881421fda63e0ce0b61a367600a8fab5af11361743673

memory/2612-355-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Nckjkl32.exe

MD5 bc3438c9ee1ee9a15f322e8165409098
SHA1 6f05170c0285f6ee5ce8467c79a6d8f5e7635cdb
SHA256 295cc1a4f034292f04f06a07b452aed8a6ce35e85cde88c82e2f0de408eb4eb7
SHA512 a9795469564efd2c4f6e077f9e205e6eca4804a73142b64e83a52da858082876e324233787c72989db0ebcedad5a1317cd53a4ebb712006613e8dd597e844594

C:\Windows\SysWOW64\Nlcnda32.exe

MD5 d3848495174771cc71b97cb3ffd15938
SHA1 1b8df7c315d368a549e100f6ea74634fd43ae5ec
SHA256 fca8c63e222470de227b57238f63f8da4a5e67a236b77c762b1228f57c68a049
SHA512 1f4a8be4bc0c3cece80aaa2da0a1a387469630a0ffb64867bb3f2aefca4799247feb15eeb4195e712d07802697210b830006bd6743f32726f6f46970cb1de65a

memory/2072-395-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2112-416-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3044-427-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2816-447-0x00000000002D0000-0x000000000030C000-memory.dmp

C:\Windows\SysWOW64\Nenobfak.exe

MD5 d021c110aaecef5e53d85e7fbf912eb1
SHA1 7a05d3f02c31416dcaeffc55af08a09094c77614
SHA256 c01cf752186ae818c19adf1c389b785b5a9df2e5b6d3f904e7e7264ae626e928
SHA512 91bc9c5b74a7a884d839c32235dd617871a77e78092b009be362ac3ca755e978df5c1709cd294053d88bbc8fc154be79161ddafb9fdf32ec552ebea3fbf5be8f

C:\Windows\SysWOW64\Npccpo32.exe

MD5 c91618172e90c9f570b447e16fd2521f
SHA1 45e5dfdf004ef56aebe8f598baf67bc6a0df2529
SHA256 ac330a14335cede6bd3acd036f869ae8e6423f3c740aa7558d87296ff32d84f9
SHA512 73f5782f25a93155a60254f191ecd5aa3125ae6bfaeccb55a31a8c4049f8b040d84109a63863c68950d95e8412aa3648f34927480f75d2f14fb234c0cc4e3afb

C:\Windows\SysWOW64\Nofdklgl.exe

MD5 3fb0a33ab14e89643d3e3ada6b99a2c2
SHA1 5e35ddebade07a0cfcd37cf0412ddab612c13e52
SHA256 04654320d9988739c82e46ed3d20d7c2f3bb9b26b45c92dfb4e0955a867c44d9
SHA512 cd9eabff96c311562ae5ed3d79d2aa312c18175bdfc9b3719950985c870762e94dd01ec41214e229c347e646a40734b40cc10a808bb583770a3a67bef594bac9

C:\Windows\SysWOW64\Nilhhdga.exe

MD5 fe809191028b794962826f8e3b2d2d9f
SHA1 c69a27320254a5cff33767be0da856285702305e
SHA256 c76e0e5521e8376c6357743bb4d2fd1dfa7849e87c0cc1fce2149f59d49af6f0
SHA512 34346f7f3c97317255f25cdaf6b0f37bd751abafb42409301a1d1360b05040a431187aa1ccae763ce9f81877d1c93b0c15d2b3bc85f59bebb5c22ee13b352de2

C:\Windows\SysWOW64\Nhohda32.exe

MD5 586f06b34980bcef7b694833ac5cf5bb
SHA1 37d508baa9fc76c51545fccd69c7b997c957111a
SHA256 ef87352170bf99e2b1097a907c20107fcf94af9c86c70000bccd95dc82741b8d
SHA512 1eacc35dcb4c896d634f47b64c2343e1aa85390a27cbfceff4c98dbc73ca58100445009d3034f40314c3fd64316cce03900f47fbec1196598d0d20fadc300c48

C:\Windows\SysWOW64\Ollajp32.exe

MD5 906a87972cca026a35746d7f17b11fbc
SHA1 4ffee50864b449fe2de6f4c1370df25404d0aa3f
SHA256 2825515e1f444253a4ae79514e9437fa2e593b90d726daa752936a04408552cc
SHA512 a3c984b5296975080f326037b6109278abcef65d96fa7e0a74367ff655f20590da1ed7569c7e9a75b15414113b6a0f3f0e485bc1d59384515922b77e3dcc1763

C:\Windows\SysWOW64\Okoafmkm.exe

MD5 c60c015fdbe0274e4e360d3fc432a345
SHA1 6943536037aa32e649c8931cdc135336012d396d
SHA256 359cbd977884df1c74b69cb400455db2b3355bc456901abe6698a0fb117775ed
SHA512 996aaef159a8dbaf330f2e5d043eb79241224217d50f298f6eca3ff2a5fdb583d1266c9dfa68bc6374eaf013ea0503fa73fb99d26af3eac6c2c678c699560a31

C:\Windows\SysWOW64\Olonpp32.exe

MD5 e8cdb316f7f9d2ce2e4b44ca08c1828b
SHA1 ec322e6d8e7a1d98fb92023f8533209dd391c7c0
SHA256 b1a5dfb3fd651b9aed0d84c55260a38a66b047106311f992c27f9d81f29efda7
SHA512 2a87a9d49515eea19698213d9e3c3679ad1cc1fea970a427357bbb8e3ef29546acc306279b75b72047d6b55be2c53111d5a4cebd770765bbada5d1360a31ef2f

C:\Windows\SysWOW64\Odjbdb32.exe

MD5 5fb6095bf4ed65c9df76946a60c745af
SHA1 c1d3f72cda9a2be4314dbf73de3edcfcf64f4714
SHA256 c9d1860c9041986cb29fbe9ca8bd9b636f4636a84e5da81eacdf044a43140f3c
SHA512 52eb88757eaa441f16c65dbe6c1fc1140a3d681903ea5b2947693f1a6da115f7debed36401711717bdecc6baeabb651411f844e40b17c3f73d6728cbe0680fab

C:\Windows\SysWOW64\Onbgmg32.exe

MD5 3bc230f2be0bc42b1bc5a819374f376c
SHA1 b9518f4f9a2c14a64f78b1bbbcab6d04db004201
SHA256 425dd391f4d6c57f930747635dd6a08143f81050661a53fd93d52937807fc064
SHA512 15afc40603c24ddbd8fe1eb0233c4b7a793a4392ad836540c4c1c7183a36f9f4c765862a928231ea2c127fb06f6ba2cc5aed0ca155b2757e43885a1563430426

C:\Windows\SysWOW64\Ogkkfmml.exe

MD5 ef45fd3a07cc1cbab171dcfed1edd05a
SHA1 25141ea7b5cf55f46df5983d1bea53b83b7f1f78
SHA256 b40f8ab8c6d5458fabd0fd5c314fd3082f989f1c2627a342714c07ef0eb349cc
SHA512 1f7f28f9a91b43518ec5dfff991865b564ba8f7e2bf76f945bcf3704c8acd3626f4d3705324abcd7a4f8f054aa29898933bd830984b5f3eaeed488b08994b378

C:\Windows\SysWOW64\Onecbg32.exe

MD5 badd8967882afde91821fba7296dd39d
SHA1 a91cc72a2c285767472d37b49fc1194b5a583098
SHA256 6517d613b046f3a98a27ea9bcf49d9f2e51b23dea14206dae780895f7c330ba5
SHA512 e6d437d665270876c07d2b472a50983581706d5c04ad7e2d94bed208842a5eaaaecfa264fd4055fd603f180fd1cbbe4899c4afb95be559e37f512b8efcbba36b

C:\Windows\SysWOW64\Odoloalf.exe

MD5 c634268a14a6cf0138c177f9c0769e5b
SHA1 66e6113bc7e5b1414cf975ba1116459f16201e5b
SHA256 4097b38a0eda518af499de4a3f1c53cab275373a5d837960f62d45a578bc93bd
SHA512 7ee12158157ce8e4b9214c567cc0ea0bee52c67b3c83d6a58bd869b1d3de10052eea1ffa881b37cb82d3f9fd8a1c7fc5a5fed4967f5319baaea7b38c39953e31

C:\Windows\SysWOW64\Pkidlk32.exe

MD5 7285e880f137a6bb2f649a11c71bbb8e
SHA1 60903978d78604bd71aaaaf9900b9d116d2dd9f9
SHA256 05bdaca1373ad38b7f52fec759907bc2982622889b49d51ad1525f807e6bd7bf
SHA512 9cef98879677bf93038a70e853752f1bd21dcc9f62d1fd241cc6c142b84a44bb995e471f4732b3e1c4687cfe4e3cb74b30202e4eb6deb5e16874e1a67ea6ee7b

C:\Windows\SysWOW64\Pmjqcc32.exe

MD5 ce345763f883b44553aca00f918c273e
SHA1 702c5fdaef9a917329b3089bd0b37fb8c1539c4a
SHA256 3de0a251bfdf3cf4a8a6561974e543d97a09728fb56d011baee221314c70f1d8
SHA512 8d2e6326607eeb26228a7b436dc279c6b550ebe622fc68156955fb7c8f6aaef169ee8ba5847d0613acd56a7c117942a0531024146b664ad6cc119549c588de2f

C:\Windows\SysWOW64\Pcdipnqn.exe

MD5 186d7cc64ba91ad8dc30c79b75d1ccd0
SHA1 8d3e9a90bc2fb217d5d02a1f95c64bcbdc74b142
SHA256 35caa1e8d028d07f66e5cde2ad974713cd87a1db863fcdc43fd263e983aa8586
SHA512 9e9c2227236e4132aee92cecdca18e9aeadf54c57b7aed466f73901238802e6b491ada0b746ec672c40515b3ccc022ece2a1d76017dffee9f4150b866eccff08

C:\Windows\SysWOW64\Pjnamh32.exe

MD5 9e3c65115e1e0c8d5eae9ebe2f9817db
SHA1 32cdcca6c1d3ffb23d13f26f050aa24fb7d96628
SHA256 03dd62c21de0cd861fbaf7f6775207c39c3cdf5c6e55819600a753b7d893a434
SHA512 357f1d6b8fba98e406f0ef5d21e85f89dd5ecfedcdadc83b9665f9e2dff28126a08f03abd89e1509c842bf76fa74d011f7af47c33cab9b2164b06b06e773ad35

C:\Windows\SysWOW64\Pgbafl32.exe

MD5 b4b418311740dcea0f627a3c2336cc5a
SHA1 9a479cb91429f44bcefd7440197954a3c2775c66
SHA256 f0ccddf54b900dcba594021b0b8d27f8c1a66c9504c01010b79d6881f3fd4a79
SHA512 bc6bddd5fa11072b83a76533f020d5480d9447d6485f3ea8a6e99283b6af0ab113b96de361fb07a2e2b9116b64354885c137a0fc8326b0a056c13cbd7b044137

C:\Windows\SysWOW64\Pjpnbg32.exe

MD5 8fa00cd587cdd0d330cb54a417bda452
SHA1 a8834a958ed5e374497285574644620474841eb0
SHA256 fca539e7a5587d0ba991cb078cf3fcc23607a93e2e7c8c8a23da869cf2e65502
SHA512 a406500ae8a700e6319f90677be95c8a316cfbdd9ad146e6ed7a0461ab3f931665a7e59e8ee037ca9b6604e452c4f1b243e25155e4b8d8f9fc70f96793c7b146

C:\Windows\SysWOW64\Pomfkndo.exe

MD5 c00647e38edb914220ee67a0d8d37d9c
SHA1 c1a8a9f565885ad6f95eaa911feac999481c096d
SHA256 5e8f2af5a5ec8df39e6465e34647ff166e3b8a1a0dd8a29cc10c76f71329067a
SHA512 9cc39d0842d36806680bc481495e96a03c16b5783bc79482e1b1ee9e162afe8f71c7c16c410c6bdce4354532c17bbad5a798b7d79523aa54b5815cc912b5425c

C:\Windows\SysWOW64\Pcibkm32.exe

MD5 dfd33cb00e5b117906700da4f7d80603
SHA1 51b19aa597d38ff38dbb00566ff4a413c4e8bc76
SHA256 d40649d4428d4ee264781eb04bc5186f4c0cb6422c6d1674cb79d5ae87fb8cdf
SHA512 d3239653904d2d873cebf619e2b21306e82cda6cf0593115346966162d8f92e420ca018294b269a1cc39a37c30109676e3f6988ac40fff99317be9c67126f9aa

C:\Windows\SysWOW64\Pbnoliap.exe

MD5 97c9d7e25de3eb0bc44cbb46195e9d11
SHA1 f037df8839bbd771b5888346cf66c51b72705839
SHA256 1e3ec87f68146cead9039acd1cbc6764f9b8ec5b818da9d3a3860ed1e3f65f57
SHA512 ec17c1a162c8c72110cd4b070f9392c5b8bd2918d56d66e2ca289058af634ad31ac6cb7d9495c2bcfd13b233d2b4f48dddf699e20e197e518d171439e1fbfa8d

C:\Windows\SysWOW64\Pihgic32.exe

MD5 588e6dac18f483296f82ca565f309d14
SHA1 ce88c9044ea045566b1662ef02d2e1cb45cc6e34
SHA256 f74573c1f1c744932cefef30f142b774daf5c521ec60a2e6e4d854f57b2e3e35
SHA512 37fc22fce1628a702cf29054241cc2fd0118daa47707a5021e14c4abe9d8df5780b78f21ad1e1e16dcdffcc5fdf221ec24dffd7e6e135363bb96258e2bb3578d

C:\Windows\SysWOW64\Qbplbi32.exe

MD5 e673fdc907e5adbaea6969895785e683
SHA1 30ba4e6941660ec133eebfcc6eb2e8b4f81e0e69
SHA256 77546e270f702f6c0ade6d14eef4d33e683ea5fddf2dbc9090117d4a63348365
SHA512 fb1de708d6a8710fbb4581eb3cb2b37a4860078e25cf649f065e3efa686eb30ccb2cc73e6552ecee92532ab227685dae325ed9abcf56b86a4764097bd4069cda

C:\Windows\SysWOW64\Qijdocfj.exe

MD5 ed7ed7e99f9afcd9ba5d24869259a9c5
SHA1 af9a0399a9dbbf798a1cea456cd7cef33fe5a1b6
SHA256 88d8375beea40165ad245614452a341ec87ca5960982b56595416b377aa5d03a
SHA512 9c1abcb9e79eb8050316a0e15a8ffbc8603a3b24b2d94a42230163d64c96904818afb84c55fcc6f8673dff732a4db0a54c3096d7393d0433a252d598a95b250c

C:\Windows\SysWOW64\Qqeicede.exe

MD5 2746ceaa064b1c744b6b3de37ca0def4
SHA1 4af6e3a48dc45a93c4ee27773c5caaa769d0e3a2
SHA256 20186244db6a28f73a2455c922a37ea6d8f3f0512395218b2e804aad7684a4cf
SHA512 c5f7587ebb970941ff6776b4f399c39017db3ec342ec9c46f1f882c156b05fa709c199cc9481904ffd3395749e5eeb9cb1cfb82ca1bbec19395cdd02a6fba891

C:\Windows\SysWOW64\Qeaedd32.exe

MD5 80c0d4e37688260c154e06abe61a8a92
SHA1 99f958c4a8865adb5a721185e02f02037a87d8c2
SHA256 24bcbd90810bb10682fe846149257bbf6c2aa6e20423a37c4226bd806b81e91d
SHA512 32affa076b976b87e9e2a1e3a43868eef8c6b4a156d14207db4121be9861aa52df3fe63f511ffb0025243b0099d17c9fc455ff6114608b98890c23f87a059f4c

C:\Windows\SysWOW64\Aniimjbo.exe

MD5 0e46fc34d02462fccede4ad5c17d45bf
SHA1 d165bbde7adf31eef25a34fb2cc5fdd7b0cf42e4
SHA256 918a46c230009785083069d0adf8f6c110560d4f71e6b50ed8cfef80054a25da
SHA512 a95ad958e1bcbfdad452d19ae7bbae607d40e948a2218e5b1e342f4fbf5416f22c19803d49b7fff91a4d549fc50f874bafd88a87becce26dc65e7f358a7c3130

C:\Windows\SysWOW64\Akmjfn32.exe

MD5 e21d937bdd03242e1bcd0455ee27c07f
SHA1 b6ad112b6d33a9da8006d99c7d530858a8aa4eca
SHA256 117428d633396636891bad4261605b8381234da7c1a573f34329934a5f3c8c8e
SHA512 9150a9be4040ceb8d8c73598527e07e3706174556bf842f526a72b445b7077ebf22c459f8e35d78cd465c51a7f2554c4e500d251843e4d7955e49ee297463a10

C:\Windows\SysWOW64\Anlfbi32.exe

MD5 86409b2b2c6147413dd8a1415111e393
SHA1 34aa476bfe7073c740c0973d2a9259f697512d33
SHA256 89d6cfb6969374a960dd9bb49dad1c515743706ff67ef0cf57c259a5bbd26f4d
SHA512 d8e9f12861be3e37eff0b75487231c1e5a57976b7d1bcb5be307cc8c2b192a0f9c3ad84de061b8039288801afc579aadfd18c898c0ee71ee08f246b55746d607

C:\Windows\SysWOW64\Ajbggjfq.exe

MD5 51a66e7004052da97253d8bf7aea64ef
SHA1 b2545d407208c56c6f3da7595369a232d722f91d
SHA256 055e32dfac86618c4cb676215dd46dd6991fdc97ab59b0dd542165c78167f384
SHA512 44c4cde755c1d4a42966eb49a8ca5e22e6972d30e1003a5727af0afebb213b58a52eaf52a81137ab02e763e3f34486abefc22821f02fbe8818ee4c63499f7451

C:\Windows\SysWOW64\Aaloddnn.exe

MD5 c79a537d934f8c577f7ac7b49de3be6a
SHA1 2036002e5182f824195bfb739907338bc0ddcbb2
SHA256 57649ce12b81139237ce9cc5fbfb2bad44c87c2b05ae8bcbbd9b59f5495259ec
SHA512 883aaad82ad6833e0da124820a85528b2053f3da5aac205a829eb3bbf0a387e383352c3f74dc689f484aaf27580a6342cc4e330d123e4c88be1ccbe4d5debfee

C:\Windows\SysWOW64\Apoooa32.exe

MD5 d3aedf877b75bbc66299585aa7aa1393
SHA1 bea8c7d7e6c2adb387d95f9525afce707420aa22
SHA256 bce6d6a12f121ea7d6b0096dbdf6d6c9ffbfa6565a0863229361ce24245a573d
SHA512 01bb8dc08f4604ad86a651b59741242a32b0e6bcba33625ffff9826e4245165b72adfa5d5746ceaa12e33f19106427a7a20b6d33e8621f5c5f619ab2049d006b

C:\Windows\SysWOW64\Ajecmj32.exe

MD5 68337975be38cc4122ed74f4c4f94c2f
SHA1 8f2f8674a42d1f71bcbb51737b4ab13175f7dc2a
SHA256 225d9fa334f97c2746e0a49818620e6db08ccdd8bc9c3b7fde56733f813ea3f4
SHA512 9ab63adc47fc0a4c8beed7d84e394c0a2fc7c79f91ee9f867011a1fe612a54892e5fcc66ffbc6a61e3950e1bad100f6d3248c7c1da2189607c5b839821825e85

C:\Windows\SysWOW64\Aigchgkh.exe

MD5 83e485d3d60fd4275adaf4de246ae4ef
SHA1 c2ab249b74b678946f65095c1d4028e08deae198
SHA256 014ecacf4a63fbbf57c785e2fe10af654b495a3fe9f9e6f9ba3405e3ff3dfe22
SHA512 b88b757d09a7b0d1a650585dcaa62559d948a53ef8e211c9df1e1a4562bafcd7311b63a8da1accc9affb7d7fd81cf6b2da2f880961a63a6cb74fc783b932e3ee

C:\Windows\SysWOW64\Afkdakjb.exe

MD5 0ff071ed0dc559f3680bd9c5098b6e81
SHA1 f20d1ee0ce02fcf43cdb6b7461be35d09d23dd1f
SHA256 f6ca41c25453b5664176cc95b14ff5ee1bba4305bf21c13b8705db66c0f0aab1
SHA512 ea32903e49081ccbcb676815515c35c4de4399fc233968e64813289771f820aec087ee50baa8849e7e98a28465fc15a80982f58637dae1c2276bae325d2e0b34

C:\Windows\SysWOW64\Aijpnfif.exe

MD5 8e4a275defd03576c8ca609af23ccb36
SHA1 35503186a10661503e62dc1414b115fe6acb85a2
SHA256 66c7fe49f94126f0f663c9f9463706d3760c4442ac3dee7e87e8f845e050fd8f
SHA512 d549edaf6edfe6c877f9ac8fdc5a563eda9954e6cff4ce84f3aa2e5792c6ba3d26b11fdce686772f552788c26243c96422e5139c76f2b46093a39f4206c1b11a

C:\Windows\SysWOW64\Alhmjbhj.exe

MD5 334ec875a708c15689757af4af102d42
SHA1 dc61c19322cc994aef6e3d0f503c6134ebaf4ef0
SHA256 2dbab47b908fd319a47d878a1e9c4fb1841a8e79e95faf8d5b559799ad46cb58
SHA512 7c0589f1ec34fe998d678283f9cb77dc8a098464b1f916538472dd4624296b8ad7808f0eaa2ac39db9a953caa6ff6efca0469ae835ab5e7609aaf85d02ba8a02

C:\Windows\SysWOW64\Acpdko32.exe

MD5 0d281a85c78ef72059c4567d88a44119
SHA1 e185ac7a2f29eb9c616744c9bc144cfe6dd25fb2
SHA256 4f951b3e8a568826bbcad6f237b82ddeb9b3e96d6eb98761f8c86c0baf59da5f
SHA512 3454fca95670ad44bba1557b6f1a59f2528cf71f7f9d205b260040e64fb9420f4b9dc900af5e549a539e7d4afc016a2edb9ce28b39c6d0b3fecabd64ba66ad21

C:\Windows\SysWOW64\Bpfeppop.exe

MD5 219043fd3e66a45a7479abd1496edc71
SHA1 773f5aaa56a891f74839472eb203988746a4e186
SHA256 78a9a5a99de02a4d50e153f0cbfa55bf578016a9f52b3fdae454a1feca90a925
SHA512 7cf136acf69404ba3fdef21824187062f8e56033492ee519a04785f13d09a01dfa8831c3a6f08ff8e9fe0a96902c6049989fb40e9405105efed0c9f19258b004

C:\Windows\SysWOW64\Biojif32.exe

MD5 1e63396d092ecd05b66abffa24370cdd
SHA1 47f95fa5ecae17666647d20b09dc5c0c62ec507b
SHA256 3ba355b46e1b2ce02c3c5564aa1cf5286b0c76472f9a70292a51d131b0ae024f
SHA512 ce1991f9007214f743716ccf7c074bf4a55fcfe9401e04e36d1fa976ecee537b1e625fcd76181268352b5268c620cedf11bbe1329b38a586334173600dace6a9

C:\Windows\SysWOW64\Bhajdblk.exe

MD5 8b94b10964f96b7d627dc0f64074720e
SHA1 905d0b6d87f33e7e00444033f343d10af614cf50
SHA256 32f00e41cb9205c98294ca378e2c5eac292d225c2bf85113ea247b3056cdd9f8
SHA512 920f14d7e0ed97a0beee8b6ba4d548fbb988d005ad7b20a8eb6a884d73b7cc5269d7ab1cb4d8fe69efce2070cc0a5575127a60b7d8e4e8630b14052fe30cbdf9

C:\Windows\SysWOW64\Beejng32.exe

MD5 7877eb1e4bfbfde5cea91afbcdf4d0e8
SHA1 2e04defe3c7c5df1e4faa610c245943606c3d287
SHA256 8017c7f66311acd5100e709c5175ce68822ba36b259fab009034164d47913590
SHA512 ee68deaa2188e6755aede09aa02425d3f3abae8d2c895ea3cec9fed2f0d7d4b0cb5b4c8d2d2ba869ed80ccf98ef386d7a88b35f607958ecf3c3c481f3ef8eb46

C:\Windows\SysWOW64\Blobjaba.exe

MD5 81ae37e46157baacb248cfae0e517b0e
SHA1 5f66498252464d2ffd9187d3053f3718c23dfefb
SHA256 2a5ba7159ac5ec381f8fc6c13347af2b2b2e4801ea254dab0af30dba452648ee
SHA512 fac727808479e07074ed8f2363b1647b1d84268dc30110aa44b3a9fea697fa5e021eb6a58830dac226217cf2eba316573393894c0f32ac3837cb57b3b76e353e

C:\Windows\SysWOW64\Bhfcpb32.exe

MD5 49d3f079e6549a7c5bd9df5b55e998a3
SHA1 c3d1802015b3a0a50284427b509dd16452fa5f59
SHA256 d41aed91315944bdcc8ccaf0650edae230cd95ac8c6511ca84ecbd13fed0e96d
SHA512 edf85aee563d8e6831d8c61a689187a33d983baf23e12859045d19fd8023507cf2214647c4f0a03f828177069945f6a8a2badf1e6e46e976dd92e482341f75e6

C:\Windows\SysWOW64\Bjdplm32.exe

MD5 b91717f2cc9391cf658341d48d76bd4e
SHA1 e3dab939fe55d80dc5b279f5c448cd0eccff7c18
SHA256 9b7b815e02181f403649d8cb1a58f9eb886178608707edd36d6240a9ea090c3a
SHA512 c8e9d3e364d841513a883b74bf541c8e41c6fc1ea9fa6d8883993f175614fdd4f74621e8c0fdc1ce6eaffe423ade9a6e3bfad0c7d2e1c57cae6c28c0ecdcf53f

C:\Windows\SysWOW64\Boplllob.exe

MD5 30d62cdf061da2bcbd845287ddc1c753
SHA1 3ef8607216dc7660619abbf2f2cbf7d928276ba3
SHA256 359165e05bfa3bf83c0debb936eb3710d5a9fdff3884457576650fdcb3d310ab
SHA512 b0d125e76faca92bbe0257f707efad799a3d8191b57f2cc2340ebffbd25dbec9ca6b7369071bb8936d94090409d05f426594f256619a6e061af7e5b233687512

C:\Windows\SysWOW64\Bejdiffp.exe

MD5 c668493e19e00021d9e8665cd2cc4ae4
SHA1 b29a5f736183a2ea00e87676cb2b3ca6543ae3e8
SHA256 69c03c6013b1d82324b8a5618d98e9341f055d1b844bf894376dd38a4ad76cd6
SHA512 9f0ef54451e974a859e2e1749deac903bc164c58e080e1e86106b20444f6f0ccbbf7faddb2e55731d67b78c4d7c5968c89ddf512fccf8ea3b2c8293501114af1

C:\Windows\SysWOW64\Bobhal32.exe

MD5 f49f648b4b9ed2e7b714c95a694c1c11
SHA1 f3b925aad4cbbd740005fbe24704982137e278e5
SHA256 8b1edc5b99495ea0dedaabcb24744afcf00ca3a01d50f86e605fe39d070b1ce1
SHA512 1e2e4442ad951ec498eba2e9b7be10b594bea0d8eaca652039ffb0f26a1ea039c0c299352c297785bd1bc99827ea14013e4aab450094df46c4dab6fa82be9a9c

C:\Windows\SysWOW64\Bkglameg.exe

MD5 a64ee09efd4a2815af5376ff42b59765
SHA1 9cc6b14aa13dabb588e71511e42790f7e9799d37
SHA256 b1ca5fcac3db07e413a885ac3ade92aaa12e3c688f9791f57b226bd017d06a55
SHA512 e8d5a0db2a5f4e0153877811c2c972d2c0f34603a67eba9ce215ea8433ab9bcb4526895a85fe9d779aad8b61a2c6b2f7e14bc75e9714794057136acfd64f9ef7

C:\Windows\SysWOW64\Bfkpqn32.exe

MD5 080500f32dfc3540a519e607e540987e
SHA1 aa958ff365c3c08c249346618d478cd4769baa66
SHA256 9f7a532984623430d357d8929ff9fe2662ce8372e43c8cf8c259b0b756a879cd
SHA512 41de8d567e5912a5d09404d5e526155c90b6d9bc174b6d848db9fb4c36a4af8d1878d7fde52b22b351de073a24fb22ddbf2e880485aa626c64a033a3e4ee8c4b

C:\Windows\SysWOW64\Cpceidcn.exe

MD5 a56b4de5ceb9d410585960702f73d1bc
SHA1 cf80104f3d98f90db475e3371b97b9cb2982143b
SHA256 b36ff24799ea6326f3d9d00c49c8b3231d1153aeabf5f07c5d89e2b399b730aa
SHA512 97ecdb196c1a152e28a866bb2d12b7cafe232926f13da4bec55bb42b443b848efef49c0d17dac90a44d43a8f3590dc2c149ee073eef43ecf7f8d243819f51368

C:\Windows\SysWOW64\Baadng32.exe

MD5 2493c91d2b17847747230b4e95872544
SHA1 c509d73618275f6591acaec23e2b8dc51ee05684
SHA256 afb917db207ba5b4a369383091438947c8dad6d181c5be33d24dab453481e100
SHA512 00ae5148352b197d2e9f690f8b60f57a93fabae1dcfd155897def1696439728716661ee8515158126e91ffc0e70ca1cbfa49cd50244dbaf39d6f5a46d9adb1f8

C:\Windows\SysWOW64\Cdoajb32.exe

MD5 3af05e19bcdbe28401dca95f57170ae7
SHA1 0a815cdef6f58c455c9a1cad5bd003d721ad49cf
SHA256 5fdac4efd07ac9fc17115024741c0b43a50d02282966911e868adfb07ada247d
SHA512 db7840986a00ae425a26a635a765010a2fc418b44bd9fb107098e830f4e2b2c5111cf1fc771c8fefd68134e3ec1b0472273d67cb242b6e67a0c5496df87fc703

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 c1d8c3bdaac5a1beb3c9fd664d21bfb8
SHA1 2d1a009482865dd1811091dcb83bd8a2a3700a6b
SHA256 cf83ececbfd9a48ed090901ee9035a9f8eab3e3a3ddd25b9ed31f3a0ce3d3d79
SHA512 75406a0dfc296ea84846e5ceff0695bd29125065d4b28ba1507a64b22814d3e1c820cce72fa3fd34bc7aa804e9bdc085f46a070272066b26bf797b7ec3a5b36e

C:\Windows\SysWOW64\Ckiigmcd.exe

MD5 0eb6ea7f62f257d601d3c8ad3c9d41ce
SHA1 609dcbdf5dcc8006577d96d079ae189e9764ccd5
SHA256 26a42e26306a003fab76077705b3feae28ed81b251ae073216ae572695096ec8
SHA512 e4b85dc122a6c7488a9c0df99062b252cc28d609107e1e634a07fe3d7f6fbcca3241dfafd0e503d70a75a6cc6730afcf2d485dd39c075e7b27f70cea9e1404b6

C:\Windows\SysWOW64\Cilibi32.exe

MD5 0c1a746aa9b036268d3f4449a71ed195
SHA1 e0cc121b44adf87bf00d0d2a1d3c6f64169cc1b9
SHA256 f47f1a0849ab0de58ba37f2f904aaf6aa39d3fe1d5b9919d7875c7c02060833e
SHA512 178fd0096552c6e12307548cad177e58cb88c31a1451c6ed89e5786d4857d9512da02261ee5fa3c6c97d8d4c31c9bed8ae5f5df31ebd279d5c541b068b6698bd

C:\Windows\SysWOW64\Cmgechbh.exe

MD5 35ea2e398926938786ee69c13dba6b56
SHA1 613c00d8c8b03715456343ff0047d76e35ef19aa
SHA256 35dd8f3d3989718854b5d852a828f31bcdf336787ba6f9e9b0cfddf8b95e8097
SHA512 aadfbc306f16074910b7479aa4de3aa25d79f5f8c3575db2e49097636c582e5216f8f63e58e69e5ef686c35f276a1fbcedd0030de1e4c29d1b8d962ef4d13061

C:\Windows\SysWOW64\Chkmkacq.exe

MD5 1df3521d199d8c89a180d3d91e5feb96
SHA1 f798f826d30c04bb3d24c61daeae0b0c2db2c64c
SHA256 7c8f73400b57dffc2d6c484d2df013e3c49eb647f62f7af1993e33abf2d1917e
SHA512 7371fec201be18d514521df5ad61613880b6c833b78d647bb9823ff16e20705733631259b28dee2a08af5142bdbfb6014c4f9a4fcfbc5fb06a0c352fb2d94873

C:\Windows\SysWOW64\Cacacg32.exe

MD5 f283a74752fc7d6839d632146a8d2448
SHA1 4348ba5f3fc53783785ab2f18d8a62eae2f2e299
SHA256 a1fa0853d6db648ecd6e616ae80ab65ee6eabc62bf0bdd4cf88439e97f318505
SHA512 9d1872588c9169fb942a3fefe3c0d743f9d51c1f24d92b9f9f0092b0f524c367e4d17732678ae6b4fb93abcf8d444754ffad4e5e03472707b384e1470f272131

C:\Windows\SysWOW64\Bhhpeafc.exe

MD5 1b5315e08f09a0fcee295ab4373f2408
SHA1 accce03ceeeb370ef624cb0b6ac4767f5285c1f6
SHA256 ba8b1098c5f76576ca1ccfc00429324fc08f96bafb31299a0ef572056b7be69d
SHA512 9f8a167dba94c2a42d56af75a5293cf6e27cd45889b2756e74c7f1e9ad0a86a13dbb4e7be5d302c322530bdd73bcb043b5a652c21ba2b3bfaceccb3c17f1f544

C:\Windows\SysWOW64\Baohhgnf.exe

MD5 9ea96ff875f5b54fdd6cf16c7d9419f2
SHA1 9483ce57520673aa2692551aa8b52a27ad7da18f
SHA256 90860bbcda38ef1ebf5bf47181b7e515f844911ecb6372716e2dc52192b9deaa
SHA512 2c3cb0b533bdb9437aa15c39b59c89fed5db2866295fe5b4afb9cdccc6558dc469655870883d48dba2a10cb6d505d54ba1a4430f6b117f555e2ea128aadff621

C:\Windows\SysWOW64\Blaopqpo.exe

MD5 8ee9692a90aee16a6da99357d72d3858
SHA1 a001adb9659f4b585470a02f7484f8fb4e784806
SHA256 c45a46c7bb4478043f975934c4e2976122812b2d4f72caa230f69d81a9370a66
SHA512 7be9503908338717bc7b5ec70eb0077027a49d16f027fc9bc3cda6e608fcf2af36a8dfe665105fd5125234fc5cc6b34e47d630f4b8ac5e429e6dd4e8f8baed0a

C:\Windows\SysWOW64\Bdkgocpm.exe

MD5 9e0c497117d9ba577acda6021e8d400d
SHA1 658d4bbb3f7baa64f9bb14c632352e6291442654
SHA256 fc61eb13ce28641d35a9e5e89c1bdc39dcd7410eb02b50b9af7537c53cb6f17e
SHA512 e114759d81bc644053eb38e3a157c5a28982aaccf1fb17df442db08d34ed758d23efaa4d3e926a4db825ac31553cd9911a39a594d957c1e1e5889b916c784f04

C:\Windows\SysWOW64\Behgcf32.exe

MD5 00d685f5c7188b33933863f9443cae4a
SHA1 d679fef94fd6608b943621889e50b106c19621b1
SHA256 fa9007a2e402f77b768188acd3c907d14410aea5c1018827217dc3565c1c9bbf
SHA512 d39122fec4ec9d2a318f427ed3868b34a1d14bbde93616031f6b597b7424b7adef345bde438aa741b515a3452f867144160c7e9ddf0b46f3df372ab6e3aab0f4

C:\Windows\SysWOW64\Bbikgk32.exe

MD5 4586fd586f2f185c57ed8d2e992b7dd0
SHA1 2cd0b3542ed10a0305614011b10ba6e14e8430cd
SHA256 e1c21184dd29af00c5316efc555205d15e12abb96919a9a1703f837ee0866f75
SHA512 8969ff90da42c4425b33196192a870f32070de7bcc9daa324a7aec5e5667aea0a2f9d79fa6ea10ecceeffafa7c14249908e63248560cbc77d657bb0b26e208e7

C:\Windows\SysWOW64\Bonoflae.exe

MD5 ec4229bd63800742a91dfbc8e21002ab
SHA1 b88b78a6682fdd746c7498737717b3cc0c3e3331
SHA256 1cb045fed0784e9f65ce38cde37c82d6cf7ed3a8dbb8917c23a3a6501ddf48cf
SHA512 07323ad71728091c459ad342c848f55086f8c0bd0ea89c102c433ef17a47edb1700e9504d7907c85fcbbdd606bd4d8d0a2e1b2a216eb3de310d6a8baaeaaceb5

C:\Windows\SysWOW64\Bjbcfn32.exe

MD5 9190f12d745c1487f6ef5490b6945f99
SHA1 f422da3bc10dc2e68d350feef3e0b9c43cc0dd83
SHA256 1c6a8d9610394c81ff52f31f4396273b05749f4a3e88e0b2d783d61aa7a7157a
SHA512 0844976ce6d89822e4e3b47100da70cc41dc3ea4587df1929d7c0710d48812ed30c47cf585d651e0dfc5e0a43abed02c33ada70a2178ef2697d63dee18b74aa7

C:\Windows\SysWOW64\Biafnecn.exe

MD5 b38e0513b354ace974bf4518d45c9b89
SHA1 c0f1b9049efd7ed638409cac55da7acb63b5dd02
SHA256 78702accab5a2b7f5b3cde8fb6b65706c54c619c638c22539935dfe7be508fc5
SHA512 e205f869a43af99a272ae1ba1f681eddda7d4473438b83569c3857606507d34f9385f88310535d76cd40d65cfadda4a77b2bbb71099bacd371e8d75defd26f40

C:\Windows\SysWOW64\Bbgnak32.exe

MD5 56b33526e731a131bc09aa37716cf7a7
SHA1 29b5ced077515ebaa014ebe230725e0522f0ad2a
SHA256 85841e01bd61d91f487e71405cdcae92a3628fe78854cd85eeb4a20e7140a7b8
SHA512 da173dc03bfd191c1ea1f7a26aa885c1dd95d1387d085d62dcf11dc83ae5a8cd7d83d80619e398d377ff559e21f12e9298620db0c71e16995b8bcc3c45289146

C:\Windows\SysWOW64\Bnkbam32.exe

MD5 115dc9994b526e06ac476431a4ed0419
SHA1 0282a0621c10c01584be14c627ae00298c89cdb0
SHA256 ae74b5a70304e5ce4af18e1f7d5ac70b6189f7c323bd30aad50aa43e56d8624b
SHA512 2982bcc562ab2ed3e029279d0b3a636fac2b16cf5a3e942d2164be2fa1a4e4ec3194a9f40fa9f5f10d53170c79931a3d818df28b18876e90ef9aa749d468d4de

C:\Windows\SysWOW64\Bphbeplm.exe

MD5 acb404cc29d6ce255fc900954c6f03f5
SHA1 1ab346980f47fbb1565b5e9c846f85c3bb59b4ea
SHA256 df5444df10e51ace3de3f94697892d046d0ad962a3b3a65e139e235080169896
SHA512 85fa95a27b14ab91dd946e835bdbf09216ba142239a48fb6ef9694c955e49a66df6dbdf3d984f27869fefeaf933f629aed48808c8de5475edf610980e3160d86

C:\Windows\SysWOW64\Blmfea32.exe

MD5 d9f774acb379c031c5c3d9b33eec1390
SHA1 6f15780b49cb893e095c6fb51c353b7a22996e8c
SHA256 1e26b1085d52383723a3922516f4f08b452455eac4f3922e734d11d741f11bc0
SHA512 8265d238d6ce411b0e270347ae491e437a0cdbc4b96f8b87a8820b8a65a5ca20d1a2c5897d76297f48d655815f5dda72b7d0a7e0a4eaa63ecf378914482f952f

C:\Windows\SysWOW64\Becnhgmg.exe

MD5 78abaf85359fdebe78d0f2cde086c061
SHA1 29c3788198f0ec2c12d670744f66b808864f82f4
SHA256 a2a3a70a9293046978c7455df06ba7e79d2a9791213d8e4d80cb97d1e0dd05ea
SHA512 53959da3d9e27c812f3c2014aa27fa7a082b6935b2ba2e74f231cef85c4a2775b74c3ac65b5cda856978aae9a4d413a5df0bc46857edb6462c46258aca1872bb

C:\Windows\SysWOW64\Bfpnmj32.exe

MD5 0fd09c47af7736b74b53aa4e16c3def8
SHA1 8bcc93ad76b224b6fd598c307c41eb05d8cfb4f7
SHA256 c0cddd4f06208a54dc3085124ffb572842d505f8827f35cedac43d077ea50feb
SHA512 34407409827e5b44fc44707d2347d4ca7b4f70b3ed08fb3fbb1b07ee6e29a1dc7b2207a3e220a85414952fee175b65580b23645b8a7d66c580cf7e13b69cc12d

C:\Windows\SysWOW64\Bbdallnd.exe

MD5 74036390b2e36fb13ca4846845fe3000
SHA1 0771e3aa93a5b400ac9c827e684ce745f4d66816
SHA256 deeb46fc2c2b41df834de11abdbb709636406a4fbea5b99a53e79356126ae76c
SHA512 927542f99ea1e977b2a4d390c7be87bafc41a221c029939c38a48b04dcb48faaad5f8935e77009b0107dca254780f977746c58daac6cd29626894e98bb9f3133

C:\Windows\SysWOW64\Bnielm32.exe

MD5 c1fc1200e7e46dbea3da5c656e075782
SHA1 9c59739cce24ccf19aabe3bc1271806680d2c7e7
SHA256 629f2b8fc8591bb4cbf855d626a62aeacf1a7e8bc5d5abb55e8e63f5ad1f3b92
SHA512 5de1d91f0de7404427450c414c28260cbf623d55b6127ddad3b48f4e0d2e25dffebce9f55c73057166fd7ad2fa4951d4c551292d4702675d6c8f95144ae07204

C:\Windows\SysWOW64\Blkioa32.exe

MD5 bfc1ffb3984b9795f7a2bfed767c5278
SHA1 73ee77f484106bdc1fc7447d8dbbdb624afda2ea
SHA256 159641ed3bfa0d096cca235188320490dec4834cd2a3a49f3364ff61df2f60b0
SHA512 f381442178fd3659fe818ed4772790c0d510dc07501e6f89f3e6a25fad955fe2e20bb022f7556812ffdee5a8d005040338e61e6662ad22ef6ea960ff3578c539

C:\Windows\SysWOW64\Bilmcf32.exe

MD5 cdc18e70475297dff8a9249072c5f293
SHA1 47dd2c2a662745f3db6c6bf0f5e5146438a7a87b
SHA256 e2e0e69e2d67a336c817f6f1493f930a11310a0687bd5e5379926ffbbc202e31
SHA512 668606723941392bcd31cefb90af5f2da16ca7f7b83341b7f4c41868bf0f1711c0b7bc4bc91b4adfe3ff44a7b8ce47517485de04048dfc99d771772a5f8afb1a

C:\Windows\SysWOW64\Aeqabgoj.exe

MD5 7da6e5586f993deaa86067324ab8804a
SHA1 2af4bcea78b454f733ad3287fc7255dfca1cdabb
SHA256 f0d016b4ea7780b76cc11a382fd5bcd3bb7b0d9abf1c2210ee85cb292f3cb202
SHA512 6e8e71bae7ce3456721e17f387ebddd9c6fe539d5a6cedf382520ceb371efe3c44d5ae55bae742e3e3e8aaef7b415f2400688c7fbd238d98e970cdb88b19be48

C:\Windows\SysWOW64\Abbeflpf.exe

MD5 d641a5742a443fd600ba9a1fe60fd282
SHA1 026bdb1b090414a98276eab8f932388a796e94ee
SHA256 a1ebdd5af277951a9803008e33a1122094a035ca47ed1336c4702ca39171c28b
SHA512 f53a3f9c133edb3a8e9d7d5d10edeaf884e811e788296cf1728e72114a567a0eb7473b4b68b8123bc5f88c9aff45590f9bc06d5ed2d4a7b9cbc9e6466917761b

C:\Windows\SysWOW64\Apdhjq32.exe

MD5 fba43ed5467f07533983429486abe725
SHA1 cec4bce421a0fb2fd52ae00c688f49d6f6ed6815
SHA256 8c083ffc61158305db4de6d1653536f9bce9e663c142c6dfa7afa26aabbb35d6
SHA512 06674136e8f248b7da8ab31539a2c7f31ee5c156f31354e7fb047767b4228bb328eb1a57cfae9f8fd1cba56769d138798371782f4f4d6505c8a453480f344699

C:\Windows\SysWOW64\Amelne32.exe

MD5 c8c86e9f300e621c09510a93e9be8337
SHA1 67cdf506fd89f2336aec6d5769eaff02685622ba
SHA256 cce7f2a01b9c803d98f4f7ed0d6a51313da1f716545c8dad7332685e0d4f636c
SHA512 f154132f5b80ca427ab65cd68b66dd9c24528f16abb301262df847ed59ead366cc9cbf2b03f5c8bc53608aa2476ddcfed2a2a0cfb41d531bc1420721e34879db

C:\Windows\SysWOW64\Ajgpbj32.exe

MD5 d29305a05395a5d08ef5fd7aa28b145a
SHA1 616e3463e04415da775e76c5f7b8bf76ec7ff017
SHA256 17b4b5413f0b0a19b4b4b751082c676699dcdc5d4e01b8b318954a0dda4d495c
SHA512 520b459fe9c458a3d99a501210a23a735aa25a8ebaebc91aae4c8097eb292475449a0372ca15def16ca163b6167a620bee9c1f2c3bfe2e0b1511f5971e3f50d6

C:\Windows\SysWOW64\Abphal32.exe

MD5 3efddd23ee73bc15275e67ee2954df6c
SHA1 4b90ae98136afcfec0b7d0d4d428ea39a72f70b5
SHA256 5da60dfc053b70b693ad264f22716213c6dbf026a95159c43af4aa6c395d4010
SHA512 f4125ae0d365079319891a9b7d8d1497a6d88b17db060bf30388cc8c2f85455435332144ea56dfc3d44048f1e30d63faaaf765253c7fda6462a6072373dd4454

C:\Windows\SysWOW64\Acmhepko.exe

MD5 ffb3f07ad51ad9c3e73c1482195ea7f8
SHA1 e2225a31be053feb25278fb8ac6ade6e9c6c57db
SHA256 25ab008a0dd0658b7b5fe848bf188a666890196db52616efa5d2bd4c9bc01620
SHA512 c09eda307538bf26ac30f552af09e6af20688f90d0f3191d06955615eb81860ea877bc3f778c036179af923c5c874b307f8a023a8c8648d6885d89dc7d6b370f

C:\Windows\SysWOW64\Aaolidlk.exe

MD5 e73bdcc2baca78bf20b36613745f13e7
SHA1 c7f5f21827ce4493ee4628a85476a7bed045cb32
SHA256 8345fdff760be28185b41c1b367d9f34492226e2eb6bc859f04370b34dca9cf3
SHA512 5cbd53c0f2e935fc5ac140ff100fdc3b1ab1b538c0ee8b0a7be40c35e458877f5e257dbebbcf3a913167b7a320ea1bd8ef17e55c25c860d39c7132ded20feb34

C:\Windows\SysWOW64\Amcpie32.exe

MD5 d5aa113354c0f07b864c7f8602f5b5ce
SHA1 76b0878ce8cf4045a830c7e8b96215f59eb447a1
SHA256 b4c09df6e2425d254bb6f62581ece9ae88a43b5fa8cb8db68199bcf9d43db64a
SHA512 0acb4b3a65778ca9843311d551542efed7f1785b69404984a1614452b7679d6ca4baa18b4ecde92b7871a6a4e5f0f509cd6ec9c8190567547202b43b8f63737e

C:\Windows\SysWOW64\Agfgqo32.exe

MD5 e705f86adb8ae11654c841360b96f82a
SHA1 73abd3b76eacd84b8cc0a1d0e2cc6ef914c73fb8
SHA256 fe688dc2a42679e748c13f7930c6e425b908baa7600fe039bc5dd7da35fc693b
SHA512 98247a5a1f7e4158b68379e63129f815693ecdab1919d0dea780fb7352ab721bf4eec2c406363ade74cd79fbae1b2946361ac6f8b9c65732dd7f19e5b3f15bd9

C:\Windows\SysWOW64\Ackkppma.exe

MD5 5be0946a455eb8be1b82f6a2ba387ff1
SHA1 14b2c977ee074946a7c1bee03f5a2a5a683063ca
SHA256 545613b50929459409829c254e735f565e3954b40d9498635304c883b0a7c89e
SHA512 ad925b6023eeacaf3f102a742196adb1f84105c521caddb83e57e5a43cb3741f62b24a2e0ff5c265dbbcd4109843bbd9c58f1edce67a2cc9f2f50a122fb74bf8

C:\Windows\SysWOW64\Amqccfed.exe

MD5 13f06b0fd72689da1fc0421217e71cb0
SHA1 023f62bcc0ca6e42c94b24dd2ad1e5195b63e28a
SHA256 00982502b90dcb5798a40869e3ddebee5d970e5013c3ccf0a8bb5a5b14f22a07
SHA512 4eac62a4d6a91dc45d9eb2553f5168974259de89087b3df01b65da7080f39dfefecfd7c59456b8e8a6dc7a725db38a12da3f4b23df47e879b06eec67b4fe2c6c

C:\Windows\SysWOW64\Afgkfl32.exe

MD5 5087c693892994d39c0b57dd7234987c
SHA1 579c4b06fc6df03edc430376a76980791ec70ced
SHA256 8f4d1bde88d6e92052e4a89cfac23eaad47de8b74a1c560b03939c8ef7164720
SHA512 0e03ee5da8589122cef6cc5e78cf9f880beec0f7418b276effd4472d35a4e854eedcef27ebd4f5e1ca34f126ee47c6c640700098ff8d3364851a2a954c405cbd

C:\Windows\SysWOW64\Agdjkogm.exe

MD5 8dc6ff25440dddc9051deed051b3deaa
SHA1 5bbbd9914b0816f4a8ba24ec6b05cfc6475673c4
SHA256 9bae05202e6af292297b2d581dbe0bbb6166040daaff46ceb92590c4d2f16ede
SHA512 d5cec28fd1633411e6c1b202f6af681f01c57b84525e0fd55c749818021dfca4d9e61725fea50ed14978b59514b327867b69dd06fe6f0beef933ab4ebfe0c9af

C:\Windows\SysWOW64\Achojp32.exe

MD5 c41a9fe4de9703f76309714870499456
SHA1 e4d85f669e6294d2ce0d19061c15f34754741873
SHA256 386526271ecd7aee132c72eb4c3a07aeb450e9fee392bdeb91596f7fa11a5c05
SHA512 63031051a52d438948e77c32eddea6201ed64217308082d69178b304f8c44963d6adb59b39fc192a38c4fafbfda3696117eddc55af675d5d8890cfbd22388f70

C:\Windows\SysWOW64\Aeenochi.exe

MD5 f6551ab967c1e8feb32f7f2e8ff36b37
SHA1 38954e9cd2fd36165bfe77e365dd39676340be13
SHA256 1b72efd648fd16639967fd92844c967eb41e7b0b77b1ba57788a148cabd1af27
SHA512 cf8044d21b72d53a8cc8ce4fe45fcfb328e52d894b9adf23a99f1ee1b12c95e75717cd90521e623a55924a9f075a15d9b84bbe294feef6035fa40d6b4a079fc7

C:\Windows\SysWOW64\Aajbne32.exe

MD5 fdd2be91a7fa6f58f35300aa31ee8ad9
SHA1 2ecb0a807193b35d4c28bc8a19774dcea181bd0e
SHA256 4b09307c4961905cc60e9f8f4e183262168b321d9efab990a69ff1f0cd36b72d
SHA512 967f7fd760dbc9a07d39344047eeb1620b2073e4bf15d0439fa32872943f9e81eea77a42f1ee806397001f74ee75f143fe1b01c17c6a368c889df4b03c246bfc

C:\Windows\SysWOW64\Amnfnfgg.exe

MD5 e1d164df544675d91372d39a715a782a
SHA1 5ac1f34b11757d04b6baec2e92b01ae34a702e6e
SHA256 a7bb129d58de06a361f698a316e443952f3d822f0ecb1199563cca84598c8bc4
SHA512 87afeae4a25116d3826b8b41e5586b90ec2d565d92221017bced79153751b26185c1f145b74c1953d9f2a26712c6d34912480ff9a00086f3f6d0dce1c759538a

C:\Windows\SysWOW64\Ajpjakhc.exe

MD5 f4b7bb8071b18a0c9256f4f09ca39887
SHA1 295a8a4d3d7fc1f7917874380c6f92ff30beb563
SHA256 7a0c0d1097903eaaaa5f761a38f4e91fed6f76daa44662679d0e53b98897775a
SHA512 5cb1fcc505f8e9186a89b9e23c02b8328d6896f397e323508b25c32b50729cd823016fabfc47ba88945e2226ebd5e55a88e3f8373d75f8abe5755b9cef3c04d4

C:\Windows\SysWOW64\Aganeoip.exe

MD5 10cf8191e3c18abf90e184b019fb43c5
SHA1 785835c203346cb1db82a887f132172bff14f0a3
SHA256 6057fb202ee5e488ddafc7a6db1b9eff0c41bec4f5a611c2aff6f8cf6ac2ac50
SHA512 a6ad727ee73589be305fae79151154b2a0189717905344d2a5a46d9c3e0d2e0478544e376b7e4a5ce2dcbadca861a47c2e47e3acfc06dee086b56eb8e9d52ead

C:\Windows\SysWOW64\Acfaeq32.exe

MD5 2341caa87184df4fb236dd13f257ce13
SHA1 7e86aa8881cad465432dbe04b4365ec53eecf11f
SHA256 656a447d4365e0e3eed9bfdf787e2b4281fb1a1d1235a7f243279342f9d18e10
SHA512 02b82849e13858e3751633a195540f32fdd004ef74ffe64f920ee8ab048034e5c0e2c567cfee598ceb35457085b78f7c17afe7643ef1c33a8134aa1b5f2d983f

C:\Windows\SysWOW64\Aaheie32.exe

MD5 f8030c22678cc08d9b8ac73bb7d577cf
SHA1 497467825ee8e35f611a873bffccbbd692b2fd15
SHA256 5a90109845d5130ae9d5b5f4c01bc60a9bbaeae7b5e793b6918267a461d7d381
SHA512 0c2437b170678017bad96094e6105090ec6f9254442086abdc0a1e1d69a7c9bfd586051089a65ee7963107703a4e7410815381941a599263fbf2c708a9cf58c2

C:\Windows\SysWOW64\Abeemhkh.exe

MD5 07de9612419c78fd9bd479b02184357a
SHA1 ba02f6d38a057b4f5b7883240b6eb51d6195476d
SHA256 a732e13bece0bd8a89b0cf30b67b83ef26ea93729929a1d6df5289ef62eb61a1
SHA512 3d0cec965cfe105ac1a1a63bd6dc0135be8a3621434997a9f5c8773fc32bb3463abaad09e385145489fd113d97e4335ab1dc93ba0a947a648db27e845200a6a8

C:\Windows\SysWOW64\Qkkmqnck.exe

MD5 06d778e503bd977e4891824e7f138d14
SHA1 7c2f4d556a4fa4bc8f0138c0e07853b6ef866b71
SHA256 3fbcbf5db5ea08d05ff9450acf6902551520fba1ee628e8c3fe7d86bf97fa0f4
SHA512 be0e5228a74d3c34d957432a63c3ee9ea05ee9140fd07a39a496f7c783c27cf898b10384f05ef0c7693f812e8b7df3d621ce2817c8291e1ce501b70159aebf4d

C:\Windows\SysWOW64\Qbbhgi32.exe

MD5 162b5518a8fe31d171dbcb2c1e3f6b5f
SHA1 951a0e17ac0fed8c28772f673403f5b7fe7cceb1
SHA256 7124a4f00601f2cec07509e233f06b29d488a1c818adbc08fba131a3dbcb7591
SHA512 c0d748a44cbf7ff12ce68ebb54667aeb7924655e500e0fbf11d0e1f60181f2a5af0e6173b39b94cb1763113981d3478a3735bb542eb2c4ab0a306125483e6f00

C:\Windows\SysWOW64\Qngmgjeb.exe

MD5 386fca95712b4c79013b6dd9a0a19816
SHA1 2fae38f1b478153509ec073eb43a5953787642a5
SHA256 6a8a0aa93ebc61ca065db62351f1b944839ba3a5b4e6ea54f7de83cf326223a2
SHA512 7ef9091e3503fde81f2e3106eeceb90db81b5561977050056b6e6a5565b00839b6f928dc21853b3b3e951525f651358f453723f54422c20ab8c6257b0be7721a

C:\Windows\SysWOW64\Qodlkm32.exe

MD5 b993bc001291dc6738810339924b34b4
SHA1 0420dc5daabc4708f46c2f3f8a9d3d4412fdafa1
SHA256 a9aa7662ec2e7a4e7852da2e81ba4f46aad0af84a540d674573a652fb1f7734d
SHA512 c97fa76295cc4597d4ea61336840d63d2624d85a6811b8a27259c3397e6876c1835279c3e5cc03adf5536d0bb5c2be0daa878b481bf74bab61b58557f26962b8

C:\Windows\SysWOW64\Qgmdjp32.exe

MD5 5328542ee945cbc6c7735402a845ff57
SHA1 2aa2d0cd65b9daae597b2eeb0be78b750103f325
SHA256 204bd62ab08e50d81ce946481c5acd23adf12329d28a68b4edacaa25876d4e4f
SHA512 b9c4c468d5d113c8eb0360d33be5ef12578c9364de0264c4cf8add05311bb3a280e0334e8818611347ff8ba759b51492e76e2e637b46d82dc4bb10a081020c38

C:\Windows\SysWOW64\Qeohnd32.exe

MD5 ec6b30b22eaa01adcb560248f46c66d5
SHA1 9949b1c6a9cf744eb494f4af82f8bced087e510e
SHA256 927e74bb20e5a6a544f03d507617f2cc469cec39daf46950d2c74f3b5c0eeef8
SHA512 ba31eaef7eda80136b0894829e9be0ec50c3d0726e30ecc373caa40e0fc6fd4bf8edd7ef81a03df4ce7386f53021fd9ddb7add508fd864f16a177786f7576412

C:\Windows\SysWOW64\Qflhbhgg.exe

MD5 3c4ee28fe13e15827322a6e024a61205
SHA1 06fcc51858c112a8baf0092bb89d47aefd87cc87
SHA256 aaaf37b302c4e70499082ee4376909a08a37019de3275f89a4b33bc38656aae9
SHA512 a5d600cd2851fd4bc6a05d9880c9838f6250b9b3c6220d17a9f853bba2d4e9c45acad9a60d77711e6d836d5985b3323f80390caf4662aa37ddb615471688918c

C:\Windows\SysWOW64\Pndpajgd.exe

MD5 e27f809f5e50a6fbfaede73b0c8c5e0f
SHA1 8052abf051fb84e4ee64d5fc48fcdbaf998d82c2
SHA256 ad126c419b938b2c9d1998690b28388f4f35aed3b3643a254aada9cdc60635cc
SHA512 f10cab0349a9804026640fe2b3eb0b96064ea1ba9d5b195990ee8dfa04bdf0ef015cf42f75094463a5f80bcd99f615be72864007d61a10a9dc7bc167fa252109

C:\Windows\SysWOW64\Pkfceo32.exe

MD5 f8cfc5bd821ac38ac1b8f5c99b82be1f
SHA1 34cd04b90fd951cb5ccec3a6c655ba7a8f67a7b6
SHA256 42f56fa5845e43f1a9c4bf4d2355baa83ade20c4a2c53ee7d6d64dd0ad78a2ea
SHA512 19837c1a3ce709ff565658f167050595db44f56b55fac1b497feb20eb951e1b0597f436510fb3841c732b792db8934018dc78b421b9c008c8290ab2b2dfdf0eb

C:\Windows\SysWOW64\Pmccjbaf.exe

MD5 522a1491330be5d7d91d7b275570cb36
SHA1 8ca8bb3863c0d462ae62dc1a3eca26d0be4ebbc0
SHA256 7932b1ddc1ba999dd9670c2d2cef2a6d6b10e7be86b6762199b4eedf35e008e0
SHA512 e7443ad042b95f97eb98e3f963578dece928ea69747b3d6bd6894e98479e237c9e6e2eb27a439f72b50fd3c9c47b58b470288ba8ea11254e5a4776b1e75402b7

C:\Windows\SysWOW64\Pfikmh32.exe

MD5 4951ede803212193ba306c44257d3bf2
SHA1 c0263d437657f5c2f2e2d4e25be2b07a2056a868
SHA256 5b6abece0bbce3cf34df6e2e4434bf812a3d56ee84f7db3437e6dc74409ae245
SHA512 6fef982aec36b7e481dec73c72cb5681b74d36865ca50af29cbdbeb099bbe9284dec15aeb5ea95df3a21edbf25e9ba1d22a9800ceb40acc69a18aace053c9008

C:\Windows\SysWOW64\Pckoam32.exe

MD5 3f28ca2a1573de2f7d18d0a2edc37212
SHA1 0735c402462a55fd74c9a3c3af50174ecc53e341
SHA256 7f8ec3b2befa97767e043b173ae41926066547f8b03dd0e330f1671b6e1166e3
SHA512 8de4510ce2a3f845f723b94941fdcc6cfe138c37859c7f745e82e6b95dcef2e0f57d0641e1414fe0c31c42156f69d0ba75f32191d876050c2ead9cd07d951e53

C:\Windows\SysWOW64\Pkdgpo32.exe

MD5 49c1d995cffc036fb1e6a17f06a82564
SHA1 63203c01f3e8daf53900fb59b5f60da146f61b9c
SHA256 e474b3b811f0d2ab71f2ea8e7945bf2cb5ee9b7ac2c25a04499f8b7e9348e2c5
SHA512 7d61fc986d38978cc3ae35e3af8a252e1567dcd9f5e4ff6c7f7d5135f7a4698ac9a9ad86a64735377c0fdf26ec69f930febb0a72425cf51261a6e94806929835

C:\Windows\SysWOW64\Pmagdbci.exe

MD5 9c47deeafac8e67493849f254ee04fba
SHA1 84a4a2d139a38ad5500c8f4c8b79588c47140178
SHA256 23b63d832bb361e0d88d35c3b36fdf35e9b066f2d0b9b4bc96b19642c4c7c000
SHA512 d735dcd49f436131ad66dad008d9214cad684039f13634b0f1c25673f5486333e513ef3993872c42f8f56ea55341e0eb48be628ebc0f9fa858125c5027f0bb56

C:\Windows\SysWOW64\Piekcd32.exe

MD5 3ba7feebb6d55855d4f53712d5d7262d
SHA1 1e86ed7fd90cfa702cacf9c7f5e8a2daa8e36a5b
SHA256 959006b9c81cf6455039d3c3b0560431f438690f983af8342854284ab2aca80d
SHA512 debc76622939075a9b63556f350140e32bf1e6b79f3320b4fb563b5a8d3a22d0b3898f9a131e0102109aee4a751128e4acb403b199ad79d0a601d7e5e632740c

C:\Windows\SysWOW64\Pjbjhgde.exe

MD5 71f0e25f966c67b23822e7177b02358c
SHA1 753673783738b6b82a3dae3485ac2f4ea7b683b1
SHA256 19cb38cec61c0059a1e5d1608e47973b0ac5682d99d5cb7d8dfe4ebeb2c1a3b0
SHA512 a61e0e40988475f582b49dba4bfff42e8ef998ef3e87afac9dc0bf3a48c0c42bf56b226854fb4beb04fbc6d432fea19158bfaedf9be3f9de5ab16848f33950ac

C:\Windows\SysWOW64\Pbkbgjcc.exe

MD5 8b9f6c6da1c9e42c8b12f062560c0ef7
SHA1 0e813ed94c4acc5fd926d237557183ba227306ed
SHA256 350538496ce3acf8248e1c2a9fcce455cc880310998e7d2daa3ce01ebb5c2108
SHA512 97286ec3e12612aa83d2b27d80c695a93feb5a195e27a602d650addf89b74051d490322cc4ca4ac4b494c61892ee1cb3cf0890c7883b885f8dcb7692aafc73f7

C:\Windows\SysWOW64\Pqjfoa32.exe

MD5 99b65b13529f0f9272bcedd191340c05
SHA1 9ccc8aec8252b55d0b911bf7b4faed48a85ac38a
SHA256 f952d8646a4c25afce0e74040ef9431eea34733a63a2c6c4a056f2a0f7925794
SHA512 0bdba9a42b6f7c7a9d5113afa52b7cb74efa429a25fef8fa868f891be477204b0125ab7142b3cbf8ac306117f1ce9f443d4a5ca31819b56266fc0e2a26b93367

C:\Windows\SysWOW64\Pmojocel.exe

MD5 fddfb635a1ec379368666edbae9a54d7
SHA1 c90a2f7fe6238cfbf42148d1b19d710313a029dc
SHA256 1eef2deaf719da786b1d7077795b966df38d91bee4b8bd4802b483e6adae63bd
SHA512 0e1d11828f48e81c90008b29ec8c884513ed58eeb5d4ba93476a07d216382c9e39b254b155f92645c21dc0e7a7a8a9889a89b0288723794239bce2de4b1e2b74

C:\Windows\SysWOW64\Pfdabino.exe

MD5 2485ec8eb20542e79704b19b1f4564a8
SHA1 1ff6bbf4d1bd4d07c5902988b4c54755dd6a057d
SHA256 2fdc9fbd3329c08fc287009ae263f1385b0350c854629195d38ac0cf3560c4e0
SHA512 bf34d992fc3b9e4dcc5fbdc5c3141a52da428100da7156b2d4c36e887010fc7a393716112f43ac1fad94e9cba565887ebc7685138ed3ef962c93ae9353162933

C:\Windows\SysWOW64\Pcfefmnk.exe

MD5 ab84e773afce9c5280c62d183fd09a07
SHA1 d9a91aafe982ba5a6e1b1804bee749d0b5db111d
SHA256 6f60a285429071b459270f7035f371765b3aec68d8f817304e92242ede2396bf
SHA512 586ba470bf56b6160dcb7719121df7c9f8171a97ab22e46b9de4763ed03613784de1ff37074a5ca981db69149cccae3a27c82c6ec07fafed0d9f21fbdf1ba484

C:\Windows\SysWOW64\Pokieo32.exe

MD5 fca5c245ee5f9bc352202eaf4327800a
SHA1 af21dabe27629ee39655d86f7c2337275453f89a
SHA256 f0a72dd9dce124cb5088cc3423a4b7da30ab6d556d2ca4702147ab37318c17b5
SHA512 664a40eff98f7e2735efd7aca231c88fe51ed8bc64b99ed7676d009ba02221641401aafa78c8234cd7a2fcd47b94fb600b13c519892ad568160fa0601ef0b3fe

C:\Windows\SysWOW64\Pmlmic32.exe

MD5 1870996337fd5b6e28a345cf5f800962
SHA1 b705401cbe6fa4c5a760b699946c6c8f00bcbb7d
SHA256 cc64054fbc37fe770efab9b7514b9dad7f264a29222f98934c81415ba43367ae
SHA512 4f13a90188f1f51fe84d97d4c4ad59011fc407dd99ebb50f866ba6ba3e9109c2b92500b4194e9f8c31c6bbacc0400f5a4a182e6abfbdda4bb524f628a19ef091

C:\Windows\SysWOW64\Pnimnfpc.exe

MD5 16f86f0f05d2a33b82802a70d44b8d1e
SHA1 332f05dc42ec60899403919e21ea18f45f24420f
SHA256 d07f18af2cb536c60fd8ef3270675b959eba81a7a13f760ae68a4f48a5e6f84d
SHA512 7c8ff95037e59ea3a455efa3b979a27594de2beb7f201d106bec2117b4804aa0d8e3a81b543ae29a37f9473b9543ca3ad6e10b655b3fe5af6baf4f23b922613e

C:\Windows\SysWOW64\Pfbelipa.exe

MD5 2b0decd233da953add7d94920a7009f7
SHA1 78f00e5c4ea96065d603f33bcbd74c3601301416
SHA256 7bd2d33a73b4f462978a5507fbd7d39930a3c7f1c1aab0dbef73c92cd1de82d0
SHA512 0cbf0f01eca465e7b1858074b4abc2bf22e2260b0d95d18cfe283642b3febb3653c8f90166b686d1d9a45cb978af4f2f63350cf254d94a5ad9b1baf2405f9dbd

C:\Windows\SysWOW64\Pgpeal32.exe

MD5 807c2d15b51872f11570c8ad6317d65d
SHA1 ad1ea4fc03122ef4448e23d881fa9788f0a8d723
SHA256 1ecb6284c6dd9eb102ca8bb2091fc0847148983ae57a1da7589be96011e81f9e
SHA512 83bd1c6874d899e019ee45387d0f00baf8146372ca1dde243e9fe39e64cd8bb8f087a0fcc3a4658ea08a222558ed094f286c8dbe677ca882573a2ae41be408cd

C:\Windows\SysWOW64\Pqemdbaj.exe

MD5 856d6134fa894bfc5504f2aa90f2370b
SHA1 b540fb8dc3444712ac899f5314c38694f3592e5a
SHA256 cc488d41daa1113ae667c93559b7364f6ccfdc8df00c87d9514d484d095bf500
SHA512 70d56ee085a12eb412e7369b6780251e75a4026016a60fa2f9263b3215cebfe7f58d3497919f3b7eb33a318335a8a57531de182354d03f68c842427fbaeb6017

C:\Windows\SysWOW64\Pjldghjm.exe

MD5 06b6ae21330dc16d40e9f44680977db5
SHA1 c82592953067b8c148b91d66434c18535c6a4ebf
SHA256 291933e0ba30e96f05ea49f115e7ed73f4593f2522b903fedc72e78265eae1f6
SHA512 1f314d7d313daf61207abd17e4b3918f6dc24c3d4a0af7f0dc60e053830a30fb4c906d4dfb9ac7c749519750411c56d51b8124cd7700b0800734ab7ca5d23699

C:\Windows\SysWOW64\Ogmhkmki.exe

MD5 283e1bec99eadaa7beb353a5ba428c8d
SHA1 835e8552ddd3397508f925fc338187a88ba36310
SHA256 0a81fa66764d8efc397ab05d867e68c87a9b2885da071b90a42a3e668fa4a24c
SHA512 681aaba0eea122bf9d4070f720f1a0264956366cb20e16273d902cfb84eb4cde5d4156c2e0b51212dff96b931e93de96c43a96445dd2ba68c3a995c4633583d7

C:\Windows\SysWOW64\Oqcpob32.exe

MD5 7ffdd58f398fca0d19ea1690aa0f8a61
SHA1 33bdc9824ba06a573e9b39fefb5335373d7efcc6
SHA256 d72aa643b57fc3b5adf46ef529baa85117842eedfe1e40d168f8643d01bf3d4f
SHA512 1531c4d683d4572ac0c36832d586320449791ede35a5ec05ff5924edfe15b6753599bb79d18855001d7c290d847910e41381b2c0e79abfc6fadf77d1aded5022

C:\Windows\SysWOW64\Ojigbhlp.exe

MD5 19970f3ccc79d8d751734239b80b6fcf
SHA1 9fca657d6110a694a4babaf769e3f97f7b30ea03
SHA256 f187e670ff1f01c594810c86710d0d7d4021e27c35345e837d74ffce8fc9d4cc
SHA512 260f9a17630af488645ed830ab0549f8d28a77c09d3caf156e1f527b5ed8546ec9e050e4550da95b2992a5f8e7f27cf05de51a108f415fb327026547c968806b

C:\Windows\SysWOW64\Ohhkjp32.exe

MD5 6de7e83c1b0d89f00161e962fafb2f41
SHA1 5c405dc575f808519c34cea841d268c7aa79b495
SHA256 11cec124d782ebc71abac6df33b61335e8327d9c8080edfa1ef70c11d21cf6e4
SHA512 f5e775d36c0a92d898f10a73340e77c4654547353382d4c7891e8737acc96b445399a2c601ea61f455b848b79f6414df7ca1d55723d2940d0576a6a8a93d4dbd

C:\Windows\SysWOW64\Odlojanh.exe

MD5 54dc1377db39ca42b0158138c1de7f71
SHA1 d84e5569689a94878dd35bb7c4a325575d179dad
SHA256 925d32b19d4c5d8f9d71a422fa565641f755edc18de9c7876f06db16796a1542
SHA512 66ebac05b33fa239a727bd9928545bbec1f7f626fad940e21dd2ac19655c1034a0027d927f03fb755f2c6b782e9bb320766f9e43d9b34220eab9ea295d982a2b

C:\Windows\SysWOW64\Oqacic32.exe

MD5 4969357196c2c8e61a23169aa1c9a9fb
SHA1 0da3d8aa8338c031836fb62e2b2013e157d74063
SHA256 2a2409ae7619364edfdc561fa54c674d38d890c45a9ef88102f6c0cfe8b45b5a
SHA512 3a36bd41c0e0a01c362e59296ce5062c84ae2915b8ee6e1682e863b606dd441669b905fa97d9520057bacd1fb98a0ca9bf7b203ebe00700b2849ea1e1bc8c4ec

C:\Windows\SysWOW64\Oancnfoe.exe

MD5 052218b14be6629a412c6849365f5006
SHA1 37788524cac614e880a05d35c5223130f3d75497
SHA256 e1e60482c572551a7d192fae0f1f875f213b9aedeebb63fbc3dadee4de0602e7
SHA512 5974155f4d2000003a5ca314c7d487651fbef567854a4eac62c1b84dd44f587d5b8cf9af74a81d0bdd4e4ff131a89432d45236005483fad4669f1a1a7bb169f7

C:\Windows\SysWOW64\Oopfakpa.exe

MD5 105d99172cc5f8ae28476e9fb253f877
SHA1 09b42e2a502fb07273df0cc7efbd824cabaea5f4
SHA256 98924a81e59226308793df77dbeebf0aa6ab25464a57c8dfda76e212dc75c762
SHA512 2312769645b7d9ea355fe1d636fb0783a7a7a08485d7c5ed2fa12ce75aaaf59dc7ab9b7dccf0b98dcdcd648439946e6e111d22522ac3dd0cc572a84229bcca70

C:\Windows\SysWOW64\Okdkal32.exe

MD5 3e1bc4dde24636fb2229b204c5904b15
SHA1 3c9df364041e7338a6395061342e1bdb2c609db0
SHA256 26bffa1ec3456ef1ec0368b7409758fe9f5df08153663c34283b9c1af908f9b8
SHA512 727101bd3fbd2d29a13ff03838fe1c656ab8d456016f5ef3c522de93d3939e17e185c2606992473c62493b0dea19b397c0be9ec34de4fbd9c74ca37e7ec42178

C:\Windows\SysWOW64\Oghopm32.exe

MD5 6d0ffaafd5c0cbe71ec72beaddf087bd
SHA1 340723d6c879045128d53ebc8add83b5dcf7da15
SHA256 c8949ce5c72cabae1e61c8f402b037db35a106ade54a5044148ed6c45e064aed
SHA512 adcfc8212df0a06a5550a1fd0bb52889c51114faa91abcaeed061e7541c5c684713e7edde03e505fcd9eed0dec2254905286e2c8017f7fa18227dfa0434b22a2

C:\Windows\SysWOW64\Ohendqhd.exe

MD5 ea065d7b90357bc27cf89eed56306b9e
SHA1 24ccaf5912b9d92abd45ab3dc1e00f4ee41d0aef
SHA256 0259f40b67a5c38dff48f005775185e6ac5a6cb16540c0638b8a93c7150926f5
SHA512 9e5845e4d10e3e958cf32a5c6dcb38042cc5389ad11f492763a89889337f876aab5503b8ef1cf46334a0ffeaefe009eb3657f2738d7843ac9d9880a2eb7e6a14

C:\Windows\SysWOW64\Oegbheiq.exe

MD5 0c4f2a99d0696a26eddaa1dcb86f06dc
SHA1 fabf28f90c74644b850acf46363e7498f7c0eefd
SHA256 f3b97cfe02cee96c5531b251b34bd68f86d7f40ff69e11e53ea8db98ce40cf9f
SHA512 3e4329f8d9e13b34b158bec8721f0225ad39ab10dd221b3f5a9d4e7601e04932df025937c3ab4eb484efe0e4cf8250b41c98be65b1f3692bee5f2692077d6dce

C:\Windows\SysWOW64\Oalfhf32.exe

MD5 71efc647235263d809001dafa18301b4
SHA1 f02497b2678772d779f719b3c81c48cfcd23869a
SHA256 523d7eec1508e05da7208d5af5a4a9a58630572dbacebd1bf4297c4a683e4dd2
SHA512 000ad09b2b7ec83de997e57b3db16e66304bf7eb7e291c376bf9f81bafa5f3b6160c5251e9a031dc560df5100daaf3551395ca2bd2318e71c760fe3c546d9222

C:\Windows\SysWOW64\Onpjghhn.exe

MD5 20d9447511ea42242e938b0bf9827e64
SHA1 1c91307d9d72e577ba59caad468c4729a506f811
SHA256 0f87ce647fb7cf13352b7301910d922eefa4844e40463e5e6998e45a9547c089
SHA512 85300d23f73a625e995b2b2f18109be506fbe3c51a0172cdb4d002c2b80e8bf201fe5eea91340802e158985a769cfab6878fc53ecba5adb900cbc8bf02da642d

C:\Windows\SysWOW64\Oomjlk32.exe

MD5 4da77e35264ba498e6dbb18e6202cab2
SHA1 baab3cbe3711f1ac6c81503b76458adbff8f9868
SHA256 d032f6a60ed18dffe7edf2a5698b6328aebe580ca0fba7c071146c2e50750348
SHA512 28d7b116cbbad9851b5c975bf22274d40ba9e1e6606eab9efa7fd466df8b79d3349407e9e2159845f588905bd7adae136724aa2b4e7b1088701385523db2f375

C:\Windows\SysWOW64\Okanklik.exe

MD5 36fc5dd5a5269b491ac6387109b3dc88
SHA1 6021a6830f1df7da9e063fac6870cfe798eb6f10
SHA256 8560fd5633ba64257534bcccc59e4272e31784ac2161f32b507e1e51e28b131e
SHA512 066ea1e32a3c653bfa51469c73b8ee0de7f4703efde8ff43e020a2363d8c9eb61a760c579c87095473ac4a797d527140e5e13cdfeb2ebc963c8906be8ff4f786

C:\Windows\SysWOW64\Ocfigjlp.exe

MD5 03b0710a940f8e520b7560a35fac4bb8
SHA1 b08e2b270742cde53dae586cd14959bdfa0cb58a
SHA256 98daada6a91395afb9d8d22a7a4a6d6880a373481d91ce10cfa1a62d993d9271
SHA512 045dcfa5295486a9e91bf10516179c3fbc4a6abde6f875387fa3cc6b4425bbb68dc40fe38aa23c682dc07f701fd3e636330043ffadb15a0c3e67ad4238541e84

C:\Windows\SysWOW64\Odeiibdq.exe

MD5 d3a09c3cd1181dd6ce0bf492b6fc120f
SHA1 9c531001f2551c324c697c304a547c10c7f8bca8
SHA256 def6ecb54d66212933c0d96d9ac5189e4562734d102ca5922d5d60f2ea682b5e
SHA512 2700662fd55964a71ede3821fa17d1394030e4a728e30e60f434d393f05d28428941d4ae0b451a2982f66142afdde33463ce31052f4daf207181e5fd39d04e9f

C:\Windows\SysWOW64\Oebimf32.exe

MD5 b67d9b780d8925c2374fefe886010864
SHA1 2a7fa2e4458629f3a1d6756325ba1fe8555b06a9
SHA256 ba55d35b384bce539308d14f89750beb5697deac48aaecc001fd17d1dc719139
SHA512 35a96418bbd6250ddb7da1a7efc856729b52a801f7b30e6e6566435f60e99fa7fd5cced041873af26d1326e53f73362d7fea6d07424b067cc747edfdab130ec0

C:\Windows\SysWOW64\Oagmmgdm.exe

MD5 9410aebb2761eba97049e1ecdd2286f0
SHA1 45c524a2b4b4abf7b076cbdeab1b0993aa637c9a
SHA256 a44c37ccb9c85f2fa3b0be23b99491cfd026c778b24952f54d5a0bc0ca15349f
SHA512 fdd4d8bd2f9ef4f787f205fb6d925f0641cc18717cfb5bc7102c247e0898e8a29f158759e0477af89ce7821b088b201ecc105d76f5e35ed4eaf056a105dba43f

C:\Windows\SysWOW64\Oohqqlei.exe

MD5 7497b2fa90f3496fad2536ef89b1bea1
SHA1 9660d2240ee4af696c42d9501a63c936a6b8d757
SHA256 4acff22e1b4c97ee029de28730e04b52743becf8e9cc05abfe903874434fe71c
SHA512 aa087660c96295184f5e9722952d1b76550af91631ba36ad883317ec862c3030c1fb660f42937c77724dd8d2e5c8a25d02102455a5ab74763e18082c4299815c

C:\Windows\SysWOW64\Nkmdpm32.exe

MD5 88af60b0835ba0d5663ef6ab002f0c1f
SHA1 6833e8dcc73c2e6e9b01fc1afa55215f425fee6d
SHA256 64098185686c97d7bd386cac10c94beb6d81a4418cd2c8992790b4c5ed52c84b
SHA512 4d126764a9ff9705fd3c190ea333ce91272c575d7e27278cc4244557983a0595eebd2b630927783f08f308e63d0b3050cd5aa13df2a38cba087f22f84b2d9c69

C:\Windows\SysWOW64\Nadpgggp.exe

MD5 cf0915b9db326e515d45b8f355999b6a
SHA1 d250e60693d94457596db4e1ebf30117d561ab56
SHA256 bc707c9876d77db0996bde1c8f2b7444ad11acab93cb5346d1b2cb5b4dfc9de2
SHA512 3fe47187db9652fb2796a24ba2a1035e51f3a2df0c8eb3f69f005f57b0bb289874afd8bbf9bf593754bf73560dda26235302885a717661206e458afaacaa0766

memory/1788-487-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Niikceid.exe

MD5 d5c8dfd4c56f93b21d0bb212576547ff
SHA1 eaefc23994a709214c2ecba5ae22bd81cfd0aef2
SHA256 81612757157aab77fa9a3f0b4adebcc4286d2bfbd042dd0adbfde614a5f6d6ee
SHA512 7da1c1953006c6e5b548239fbba72cec8a7914a1241e6eeb93f9d278685aca8289af505fcfe6c1ed254ec20c7212a568de096cc5d3931d6370dcbcc08a524cfb

memory/1964-475-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2816-474-0x0000000000400000-0x000000000043C000-memory.dmp

memory/432-465-0x00000000002E0000-0x000000000031C000-memory.dmp

C:\Windows\SysWOW64\Ncpcfkbg.exe

MD5 2f6955c840d536f0104b4ac764f7f882
SHA1 ebd8ae61e63cd72562239a548260096fb5444ee1
SHA256 caac988a21d6a49084e520c35f5f41304cad3fb5dd126801805ca40502281831
SHA512 dd161a8cca7d656d29f2241cbe9f648f65b8272fe4e0cbc762b1a0efc36024c07661fa8d63e4c99afa6cac5b9edf766fd66be4d35d694ba68e49963996d9c635

memory/2976-464-0x00000000002F0000-0x000000000032C000-memory.dmp

memory/2976-462-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Nodgel32.exe

MD5 0bc2337b86b400aa201b70426c8a22c0
SHA1 5f45db2a6c1f9791d886c336b64bc5b976741ed6
SHA256 4dd94dc5b184870189c3e28da8c98f79860c383008aa623eb325b508451288c4
SHA512 5a0102ba6f80a5d4f91b947fe32e91e38fd425adc021403a4c970836e89c0f8de7437faef5d0b4ae8e6f10c9fb70223cbcdd09cb10306bf23697f3a3c20f6127

memory/1788-454-0x00000000002E0000-0x000000000031C000-memory.dmp

memory/1696-452-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2816-443-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2144-441-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Npagjpcd.exe

MD5 d54d01470c509acdeb260ec3d911d4a0
SHA1 4e28633e1fd0817b0b7a6379e98e254f84837352
SHA256 f83480cc3cba59b61d83c1b54c391a5b1378204417b7f2c4bd55c7cedf7ce9ab
SHA512 660a7d40d9e26fd265cf1985b331861c83a0d0288f069943093264c1e020068cedcdedf983278cce55f9bc353a7f0db38b512caba4ee353a055af32a0e2ca1e2

memory/2976-433-0x00000000002F0000-0x000000000032C000-memory.dmp

C:\Windows\SysWOW64\Nigome32.exe

MD5 bb73407b94b267ecba7f096fe1c79dd3
SHA1 99fc1ef8f1dd4a5ddd5dd0579b0659460ea94e03
SHA256 19d1c81e094f35c09911ba2bd81756a62ed5da7194eec6cf6b3bf37568e2ce89
SHA512 9595a2457ed0b29f5bb9956b145291c3b1e00389632262be795e27ee402872cec840b6b5032ae3912fcb2ef5a8ef719b5088f2a12b9fc23dcefde3e6599216d8

memory/2912-426-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ngibaj32.exe

MD5 c291a258dee2b0c4277252ae1fc7fa21
SHA1 57ba675436d6a463f4ae7603bb5e5178145187f0
SHA256 c0b371262b107a83d1417f9c46be3cbc5086e8b36734accfd659c09af25b345d
SHA512 16bd1c2572bc4cb3e235e7c6771cf4e67ecf79ae35246104934a26c5a88488eb5b4d8ff7a46c39e14e613287328eec04cf36d34ff0a923fa4c33085636715da5

memory/1696-422-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Ncmfqkdj.exe

MD5 89b0e6723501d8a1faf15cadd64efbc2
SHA1 60eeaa2d73271b3b9a3a2b05de88105450d4ff68
SHA256 340132951a31937edbfb23c76995a43b3a3507f0987b8adb7363fe50ebc64c83
SHA512 e7a18815f0fb8bd0327fc009281aff1bacaf050c3aa5997dc93e64e62851e089e8aa2f62ba7e189dcb023d9409a065c9d85ec7f5b7a830bc86430de2ed0e3311

memory/2144-412-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2144-406-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Npojdpef.exe

MD5 12f41fd3ae93f31d35ef74cc9505e682
SHA1 1abc93e3e4be8d726a8e7eb20059be9f313a7c43
SHA256 41f192ea4a0418089657e028db2b0aba9697a5020837aab888f271c3a9b08f8d
SHA512 6833dc97480110a7f38320fecaed229361b6993ee63f29fb596ccfe230a0dc9b3d7959b9f6a7455182b5dd6dab098a26081cd1bed13b3690db24d9368f735473

memory/2588-402-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3044-400-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2912-391-0x0000000000280000-0x00000000002BC000-memory.dmp

memory/2912-385-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2112-384-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Nkbalifo.exe

MD5 1d9bcbfe848cd6ee6210554d2446b736
SHA1 d5122a00619314e98ab693c22fe6c5032dd10263
SHA256 0722a9c5e1134ce5f053bbf52bb24faaee91e27f789e9041a25a89165a839b74
SHA512 0d2919f1c5764dc5824c7d5fec8abf6d5caaf1ab09f29bc5296aff1454081ff5bccef24e491adca0bc2f2136559cb965c8b80248eb236f1bd37874db9bc6bd40

memory/584-380-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2588-371-0x0000000000280000-0x00000000002BC000-memory.dmp

memory/2136-370-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Nplmop32.exe

MD5 dc9f19ed24ff6437c1820cc5e2fc8b0b
SHA1 2f294e30e612729b44cfcd33807e4f6b9fc17613
SHA256 589b63ea4bbafc88cfc8bcb33700fc251e2933b268b5c9427e75d4cf9d13dba4
SHA512 6ecbd368f3f720c51a34d8fdad5aafdf1d6e984e963ae25309be82a218a8723a6285606d4e342bca17490f2d4246424f4ce54270d67d0ee944d08d8a07a64ac6

memory/2588-364-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1988-354-0x0000000000400000-0x000000000043C000-memory.dmp

memory/584-350-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Nkpegi32.exe

MD5 e84bb1813f44a42a67346c5ef37756b8
SHA1 787a78547a65a641ea3f84f5dae0c9d4c0f1a373
SHA256 131ace99aba1f7cf4f6b35f850973f369db68e5d0ae21703fc989754cd158723
SHA512 2ccd761a9ad3bf2bfabae15097e56a64d741f888c93a0dbbed4036445a449c9d7510b8efc382507f75a64819bfc706df5e61c6713228541183468cddf8f7146f

memory/2136-341-0x0000000000280000-0x00000000002BC000-memory.dmp

memory/1140-340-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ndemjoae.exe

MD5 cf0caf27acbb525e1415575f84fa1be5
SHA1 d67d9d170a3fb16dea93047087a99c7e77d357b2
SHA256 fe7f8ee14836b2964b861ead99365a74e80c7d8b2ce939c9c933a18611756e4f
SHA512 52d9837edbd386f6fa510bd9da09f91922805e56639f600ff27a876a0ebc96abe116d9b3704949571bc03f0d7281a71f429d7a7911ffd8df8e7ba1078ccfd74e

memory/2612-329-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2208-307-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2284-299-0x0000000000250000-0x000000000028C000-memory.dmp

memory/1692-292-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Mdcpdp32.exe

MD5 24b3bd6c20e9bcaf712647b03ef6d00b
SHA1 4f49c65d653b7534b9e4d4d885eb9c3cbe5dcc55
SHA256 ca5c38090a22c5c535c14a055de1926153d4551801b7d5267178aa0b7b8628d3
SHA512 933c5d0c707072929bcd946cbf65b3530887fbb09516fc5b0d991e12b8a175c5c74fa4dfb8e1ae6ec0ab9b4160fbddb17f6e8462e2264c6cc1ec5835d78dee03

memory/2056-288-0x0000000000250000-0x000000000028C000-memory.dmp

memory/1692-286-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2056-281-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2208-277-0x0000000000300000-0x000000000033C000-memory.dmp

memory/2164-276-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1972-270-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mofglh32.exe

MD5 94f28d36dfeafe928772acb6823c5f27
SHA1 7de5695b6e394569f99d9b92a77926965d56b690
SHA256 0ab56a24c65254210bfd037b468d10fc7d811ed445e42d7a2f91c60107e693a8
SHA512 39481f2119ae93a2da743391d03a188e6883cd33487fad8d517f16d72fbcf328c5513be20a52cb515c1d96a3b48711318bbce695c18bd016838adff1a696f84f

memory/1692-260-0x0000000000250000-0x000000000028C000-memory.dmp

memory/468-259-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mlhkpm32.exe

MD5 ef3eceb90ff50c007265688cc510cce1
SHA1 f45cc3cb89268e6a140679e98dd0df428eebc1ae
SHA256 6d1cc2b21ef05f96b7223e68b61d3c5187404f31ba7716c6198a685d6a5bc300
SHA512 11d64810b21235af6b3cf2789dc77c6968e53ba9b4bd813f6970ebceacdf37cc05a9fe92e48b27f925aad8c1983e3143859889cf53f91e24dfd16ab6438b9858

memory/1692-255-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2192-248-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mdacop32.exe

MD5 154fe3cf9c6997380932a6a4df6b4dfc
SHA1 93a5e1c5b4b9b9bcfc8ed98d7c3824e1cba1437a
SHA256 b06f6608088b71e42df35bc6144f6cf66bf5ba0ce4b461806af275fe7f12cc73
SHA512 27925d74691690c5cfdf912694ae3bee1218d11eb1ca0e38615768b5c6e65a93c5014404575e130124346ff959245f37c281bbcb27d4b859d1e8babc052a74d2

memory/2164-244-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2164-242-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1384-228-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mhjbjopf.exe

MD5 3c7b0eb4187f17a8941fdf84b5aef18e
SHA1 33ba662f903972ecc7a2d32cda713658299b303f
SHA256 e2a6c5e82becb30ad98fd6d2551c1a6ab62482abd73ad79f76d1597579080c09
SHA512 d5fef937b344b7899d421f05ce26ab6942cfd55a5731101233a5a13ce3e5f9fed29e910a25a75ea2007a38764fe502eb5e3131787bfab5b486f448655e9bbc61

memory/2080-214-0x0000000000270000-0x00000000002AC000-memory.dmp

memory/468-213-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2080-211-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2800-210-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mapjmehi.exe

MD5 4e0ddf70a525e9509b98f83e0beef195
SHA1 35e1702b5a53303bae79a48ad8b8ef6ea7eb67f5
SHA256 5aa6a8957c06957979bd2b52767f344cbfaca137c10964abb6bc2d6e667fde3e
SHA512 9ec4a331725396d7aec9456e667f32e514b1f60bc985c120074bd150285e8560ec472678a3108ee12b1d17ad7e8886600d645efabe87e7330fbabd0cf4dd2455

memory/2592-193-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1856-190-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Moanaiie.exe

MD5 aa931c5b110fcd0f222e1608a8044c31
SHA1 41e6c96cd40010c029bb21cba622aeb00f2d0690
SHA256 aea67c3097b20349300798e22ebac5794f1bed2695309077f054e93af1fe5206
SHA512 5a587a998727be34acc4872fd73bd6b12f063f2353f629f00d80ead018c919dc19d1ca099446692f54beb3ebee56de09b127fe853699f55ce22b544f06387982

memory/1384-170-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2080-166-0x0000000000270000-0x00000000002AC000-memory.dmp

memory/2060-163-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2080-155-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1920-154-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mffimglk.exe

MD5 b860e9f7fc0684dd22231076393cebef
SHA1 db07e2d547d95bdd24ae2dc972b20ec010fce693
SHA256 b09c140e64027b628cf112b3e57da86b3474dbafa4c6294cce93306ffdfe7bd4
SHA512 842a5bff3bed7f6bc98c32382c11866583ee93ed92fd9d4231e6bac4d6983a8e5ccadf0f05a3cb10fa0a14ceef72726d1fa0011b0b1acc01417f7b38df6a45a8

memory/2592-140-0x0000000000440000-0x000000000047C000-memory.dmp

memory/328-139-0x0000000000440000-0x000000000047C000-memory.dmp

memory/2592-134-0x0000000000440000-0x000000000047C000-memory.dmp

memory/328-132-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2060-119-0x0000000000300000-0x000000000033C000-memory.dmp

memory/580-117-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mlaeonld.exe

MD5 b7733f515727be23483906623ac5e92f
SHA1 acc28445d2043c40bde6df4046583a78c55d24ad
SHA256 eeb22d80def7d7d674c6e96bf79a16ee79cef0d749654168c2922c9b28ee029d
SHA512 14b3cc3714edb3d7fbb90a214fc7dfa5b7c8ecad899b21fc8a233d15692d4f9816f9d71402dfe9160c2d0e0fcdaf34ce31760b774ed6b7e36ebc7e03d3c30b05

memory/2060-110-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2016-109-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1920-103-0x0000000000440000-0x000000000047C000-memory.dmp

memory/328-90-0x0000000000440000-0x000000000047C000-memory.dmp

memory/2020-81-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2688-67-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2016-66-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2756-52-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1680-51-0x0000000000250000-0x000000000028C000-memory.dmp

memory/1680-46-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2688-21-0x0000000000280000-0x00000000002BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 16:07

Reported

2024-09-16 16:09

Platform

win10v2004-20240910-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkbkmqed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkqgno32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klmnkdal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khihld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Leabphmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jeolckne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jeaiij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Keceoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Loemnnhe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lknjhokg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lefkkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbppgona.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khihld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kemhei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koljgppp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Leabphmp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ihaidhgf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbbmmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Logicn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klmnkdal.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbgfhnhi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkegbpca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jlidpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Koimbpbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kahinkaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lbqinm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldfoad32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaqcnl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbppgona.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdffjgpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkqgno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjgkab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kehojiej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klbgfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ijbbfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jaqcnl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldbefe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbnlim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilkhog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iecmhlhb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ijpepcfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llimgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Inidkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbbmmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llimgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkegbpca.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klgqabib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Infhebbh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdalog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kehojiej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inidkb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iagqgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iajmmm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjgkab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbgfhnhi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lacijjgi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llngbabj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Infhebbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iagqgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjdokb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jeolckne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kblpcndd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khdoqefq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbhool32.exe N/A

Berbew

backdoor berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Infhebbh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieqpbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iccpniqp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilkhog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inidkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagqgn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iecmhlhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihaidhgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijpepcfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Iajmmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihceigec.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijbbfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbijgp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdjfohjg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjdokb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jblflp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jejbhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhhodg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjgkab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jaqcnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlfhke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbppgona.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeolckne.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdalog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlidpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbbmmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jeaiij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkafdco.exe N/A
N/A N/A C:\Windows\SysWOW64\Koimbpbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kahinkaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Keceoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdffjgpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Klmnkdal.exe N/A
N/A N/A C:\Windows\SysWOW64\Koljgppp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbgfhnhi.exe N/A
N/A N/A C:\Windows\SysWOW64\Kefbdjgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Khdoqefq.exe N/A
N/A N/A C:\Windows\SysWOW64\Klpjad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkbkmqed.exe N/A
N/A N/A C:\Windows\SysWOW64\Kongmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kalcik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kehojiej.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdkoef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klbgfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkegbpca.exe N/A
N/A N/A C:\Windows\SysWOW64\Kblpcndd.exe N/A
N/A N/A C:\Windows\SysWOW64\Kejloi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khihld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbnlim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaaldjil.exe N/A
N/A N/A C:\Windows\SysWOW64\Kemhei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klgqabib.exe N/A
N/A N/A C:\Windows\SysWOW64\Loemnnhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbqinm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lacijjgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldbefe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llimgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Logicn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcedmnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Leabphmp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lknjhokg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbebilli.exe N/A
N/A N/A C:\Windows\SysWOW64\Ledoegkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldfoad32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Pomfkgml.dll C:\Windows\SysWOW64\Jlfhke32.exe N/A
File created C:\Windows\SysWOW64\Jlkafdco.exe C:\Windows\SysWOW64\Jeaiij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdffjgpj.exe C:\Windows\SysWOW64\Keceoj32.exe N/A
File created C:\Windows\SysWOW64\Dpchag32.dll C:\Windows\SysWOW64\Ijpepcfj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjdokb32.exe C:\Windows\SysWOW64\Jdjfohjg.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjgkab32.exe C:\Windows\SysWOW64\Jhhodg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbppgona.exe C:\Windows\SysWOW64\Jlfhke32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhhodg32.exe C:\Windows\SysWOW64\Jejbhk32.exe N/A
File created C:\Windows\SysWOW64\Balfdi32.dll C:\Windows\SysWOW64\Jejbhk32.exe N/A
File created C:\Windows\SysWOW64\Klpjad32.exe C:\Windows\SysWOW64\Khdoqefq.exe N/A
File created C:\Windows\SysWOW64\Kejloi32.exe C:\Windows\SysWOW64\Kblpcndd.exe N/A
File created C:\Windows\SysWOW64\Inidkb32.exe C:\Windows\SysWOW64\Ilkhog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbijgp32.exe C:\Windows\SysWOW64\Ijbbfc32.exe N/A
File created C:\Windows\SysWOW64\Eepbdodb.dll C:\Windows\SysWOW64\Jdjfohjg.exe N/A
File opened for modification C:\Windows\SysWOW64\Lacijjgi.exe C:\Windows\SysWOW64\Lbqinm32.exe N/A
File created C:\Windows\SysWOW64\Kahinkaf.exe C:\Windows\SysWOW64\Koimbpbc.exe N/A
File created C:\Windows\SysWOW64\Klmnkdal.exe C:\Windows\SysWOW64\Kdffjgpj.exe N/A
File created C:\Windows\SysWOW64\Cjbdmo32.dll C:\Windows\SysWOW64\Ldbefe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lknjhokg.exe C:\Windows\SysWOW64\Leabphmp.exe N/A
File opened for modification C:\Windows\SysWOW64\Llngbabj.exe C:\Windows\SysWOW64\Ldfoad32.exe N/A
File created C:\Windows\SysWOW64\Hmfchehg.dll C:\Windows\SysWOW64\Ldfoad32.exe N/A
File created C:\Windows\SysWOW64\Ihceigec.exe C:\Windows\SysWOW64\Iajmmm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jblflp32.exe C:\Windows\SysWOW64\Jjdokb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jaqcnl32.exe C:\Windows\SysWOW64\Jjgkab32.exe N/A
File created C:\Windows\SysWOW64\Kkegbpca.exe C:\Windows\SysWOW64\Klbgfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kblpcndd.exe C:\Windows\SysWOW64\Kkegbpca.exe N/A
File opened for modification C:\Windows\SysWOW64\Logicn32.exe C:\Windows\SysWOW64\Llimgb32.exe N/A
File created C:\Windows\SysWOW64\Ledoegkm.exe C:\Windows\SysWOW64\Lbebilli.exe N/A
File created C:\Windows\SysWOW64\Olkpol32.dll C:\Windows\SysWOW64\Lbhool32.exe N/A
File created C:\Windows\SysWOW64\Koimbpbc.exe C:\Windows\SysWOW64\Jlkafdco.exe N/A
File opened for modification C:\Windows\SysWOW64\Kemhei32.exe C:\Windows\SysWOW64\Kaaldjil.exe N/A
File created C:\Windows\SysWOW64\Logicn32.exe C:\Windows\SysWOW64\Llimgb32.exe N/A
File created C:\Windows\SysWOW64\Infhebbh.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe N/A
File created C:\Windows\SysWOW64\Jejbhk32.exe C:\Windows\SysWOW64\Jblflp32.exe N/A
File created C:\Windows\SysWOW64\Pceijm32.dll C:\Windows\SysWOW64\Jbbmmo32.exe N/A
File created C:\Windows\SysWOW64\Eqfnqg32.dll C:\Windows\SysWOW64\Kbnlim32.exe N/A
File created C:\Windows\SysWOW64\Khdoqefq.exe C:\Windows\SysWOW64\Kefbdjgm.exe N/A
File created C:\Windows\SysWOW64\Hbhgkfkg.dll C:\Windows\SysWOW64\Kahinkaf.exe N/A
File created C:\Windows\SysWOW64\Aedfbe32.dll C:\Windows\SysWOW64\Ieqpbm32.exe N/A
File created C:\Windows\SysWOW64\Qbddhbhn.dll C:\Windows\SysWOW64\Ihceigec.exe N/A
File created C:\Windows\SysWOW64\Ifkqol32.dll C:\Windows\SysWOW64\Jlkafdco.exe N/A
File created C:\Windows\SysWOW64\Kehojiej.exe C:\Windows\SysWOW64\Kalcik32.exe N/A
File created C:\Windows\SysWOW64\Ijpepcfj.exe C:\Windows\SysWOW64\Ihaidhgf.exe N/A
File created C:\Windows\SysWOW64\Jbijgp32.exe C:\Windows\SysWOW64\Ijbbfc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbebilli.exe C:\Windows\SysWOW64\Lknjhokg.exe N/A
File created C:\Windows\SysWOW64\Jhhodg32.exe C:\Windows\SysWOW64\Jejbhk32.exe N/A
File created C:\Windows\SysWOW64\Iecmhlhb.exe C:\Windows\SysWOW64\Iagqgn32.exe N/A
File created C:\Windows\SysWOW64\Ldikgdpe.exe C:\Windows\SysWOW64\Lefkkg32.exe N/A
File created C:\Windows\SysWOW64\Jdjfohjg.exe C:\Windows\SysWOW64\Jbijgp32.exe N/A
File created C:\Windows\SysWOW64\Gqpbcn32.dll C:\Windows\SysWOW64\Jjdokb32.exe N/A
File created C:\Windows\SysWOW64\Dpjkgoka.dll C:\Windows\SysWOW64\Loemnnhe.exe N/A
File created C:\Windows\SysWOW64\Ldbefe32.exe C:\Windows\SysWOW64\Lacijjgi.exe N/A
File created C:\Windows\SysWOW64\Ieqpbm32.exe C:\Windows\SysWOW64\Infhebbh.exe N/A
File created C:\Windows\SysWOW64\Hgnfpc32.dll C:\Windows\SysWOW64\Kbgfhnhi.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbhool32.exe C:\Windows\SysWOW64\Lkqgno32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iccpniqp.exe C:\Windows\SysWOW64\Ieqpbm32.exe N/A
File created C:\Windows\SysWOW64\Dcmnee32.dll C:\Windows\SysWOW64\Jeaiij32.exe N/A
File created C:\Windows\SysWOW64\Koljgppp.exe C:\Windows\SysWOW64\Klmnkdal.exe N/A
File opened for modification C:\Windows\SysWOW64\Llimgb32.exe C:\Windows\SysWOW64\Ldbefe32.exe N/A
File created C:\Windows\SysWOW64\Jblflp32.exe C:\Windows\SysWOW64\Jjdokb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kejloi32.exe C:\Windows\SysWOW64\Kblpcndd.exe N/A
File opened for modification C:\Windows\SysWOW64\Klmnkdal.exe C:\Windows\SysWOW64\Kdffjgpj.exe N/A
File created C:\Windows\SysWOW64\Lajbnn32.dll C:\Windows\SysWOW64\Khdoqefq.exe N/A
File created C:\Windows\SysWOW64\Anjkcakk.dll C:\Windows\SysWOW64\Klpjad32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ldikgdpe.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Inidkb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbijgp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jejbhk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbebilli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijpepcfj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdalog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kahinkaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lacijjgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Infhebbh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbppgona.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkegbpca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jdjfohjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkqgno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieqpbm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iecmhlhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kejloi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khihld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kaaldjil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kefbdjgm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kehojiej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kblpcndd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldbefe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klbgfc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilkhog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iagqgn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jeaiij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klmnkdal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klpjad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjgkab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbbmmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Leabphmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lefkkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iajmmm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlfhke32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlidpe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llimgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lknjhokg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koljgppp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbgfhnhi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbqinm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbnlim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ihceigec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ijbbfc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jblflp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jaqcnl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlkafdco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Logicn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldfoad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbhool32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jeolckne.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkbkmqed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdkoef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kemhei32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Loemnnhe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldikgdpe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kongmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbcedmnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ledoegkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ihaidhgf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhhodg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koimbpbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Keceoj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdffjgpj.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jlfhke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll" C:\Windows\SysWOW64\Lbcedmnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbcedmnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbijgp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klbgfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpbcn32.dll" C:\Windows\SysWOW64\Jjdokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll" C:\Windows\SysWOW64\Jeaiij32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Keceoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll" C:\Windows\SysWOW64\Lknjhokg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieqpbm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll" C:\Windows\SysWOW64\Ihceigec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdalog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Koimbpbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kefbdjgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll" C:\Windows\SysWOW64\Lbebilli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balfdi32.dll" C:\Windows\SysWOW64\Jejbhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbbmmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klmnkdal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll" C:\Windows\SysWOW64\Kbgfhnhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll" C:\Windows\SysWOW64\Kaaldjil.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Llngbabj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfood32.dll" C:\Windows\SysWOW64\Jeolckne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpejnp32.dll" C:\Windows\SysWOW64\Jlidpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldfoad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iajmmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbqinm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Leabphmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkqgno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdjfohjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll" C:\Windows\SysWOW64\Khdoqefq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaaldjil.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jlidpe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kemhei32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klgqabib.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbijgp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jdalog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll" C:\Windows\SysWOW64\Kkbkmqed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll" C:\Windows\SysWOW64\Kongmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kejloi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iecmhlhb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ijpepcfj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jlfhke32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdffjgpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll" C:\Windows\SysWOW64\Kdkoef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll" C:\Windows\SysWOW64\Klmnkdal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Klgqabib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lknjhokg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjdokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll" C:\Windows\SysWOW64\Klbgfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll" C:\Windows\SysWOW64\Jlkafdco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll" C:\Windows\SysWOW64\Keceoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeel32.dll" C:\Windows\SysWOW64\Kalcik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll" C:\Windows\SysWOW64\Ldfoad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll" C:\Windows\SysWOW64\Jhhodg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Khdoqefq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll" C:\Windows\SysWOW64\Ledoegkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iagqgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll" C:\Windows\SysWOW64\Jjgkab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkbkmqed.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lacijjgi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jaqcnl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll" C:\Windows\SysWOW64\Jbbmmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ldfoad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll" C:\Windows\SysWOW64\Klgqabib.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Infhebbh.exe
PID 4960 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Infhebbh.exe
PID 4960 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe C:\Windows\SysWOW64\Infhebbh.exe
PID 5096 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Infhebbh.exe C:\Windows\SysWOW64\Ieqpbm32.exe
PID 5096 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Infhebbh.exe C:\Windows\SysWOW64\Ieqpbm32.exe
PID 5096 wrote to memory of 2728 N/A C:\Windows\SysWOW64\Infhebbh.exe C:\Windows\SysWOW64\Ieqpbm32.exe
PID 2728 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Ieqpbm32.exe C:\Windows\SysWOW64\Iccpniqp.exe
PID 2728 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Ieqpbm32.exe C:\Windows\SysWOW64\Iccpniqp.exe
PID 2728 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Ieqpbm32.exe C:\Windows\SysWOW64\Iccpniqp.exe
PID 2152 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Iccpniqp.exe C:\Windows\SysWOW64\Ilkhog32.exe
PID 2152 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Iccpniqp.exe C:\Windows\SysWOW64\Ilkhog32.exe
PID 2152 wrote to memory of 3324 N/A C:\Windows\SysWOW64\Iccpniqp.exe C:\Windows\SysWOW64\Ilkhog32.exe
PID 3324 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Ilkhog32.exe C:\Windows\SysWOW64\Inidkb32.exe
PID 3324 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Ilkhog32.exe C:\Windows\SysWOW64\Inidkb32.exe
PID 3324 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Ilkhog32.exe C:\Windows\SysWOW64\Inidkb32.exe
PID 4472 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Inidkb32.exe C:\Windows\SysWOW64\Iagqgn32.exe
PID 4472 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Inidkb32.exe C:\Windows\SysWOW64\Iagqgn32.exe
PID 4472 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Inidkb32.exe C:\Windows\SysWOW64\Iagqgn32.exe
PID 2164 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Iagqgn32.exe C:\Windows\SysWOW64\Iecmhlhb.exe
PID 2164 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Iagqgn32.exe C:\Windows\SysWOW64\Iecmhlhb.exe
PID 2164 wrote to memory of 3784 N/A C:\Windows\SysWOW64\Iagqgn32.exe C:\Windows\SysWOW64\Iecmhlhb.exe
PID 3784 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Iecmhlhb.exe C:\Windows\SysWOW64\Ihaidhgf.exe
PID 3784 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Iecmhlhb.exe C:\Windows\SysWOW64\Ihaidhgf.exe
PID 3784 wrote to memory of 3092 N/A C:\Windows\SysWOW64\Iecmhlhb.exe C:\Windows\SysWOW64\Ihaidhgf.exe
PID 3092 wrote to memory of 4836 N/A C:\Windows\SysWOW64\Ihaidhgf.exe C:\Windows\SysWOW64\Ijpepcfj.exe
PID 3092 wrote to memory of 4836 N/A C:\Windows\SysWOW64\Ihaidhgf.exe C:\Windows\SysWOW64\Ijpepcfj.exe
PID 3092 wrote to memory of 4836 N/A C:\Windows\SysWOW64\Ihaidhgf.exe C:\Windows\SysWOW64\Ijpepcfj.exe
PID 4836 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Ijpepcfj.exe C:\Windows\SysWOW64\Iajmmm32.exe
PID 4836 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Ijpepcfj.exe C:\Windows\SysWOW64\Iajmmm32.exe
PID 4836 wrote to memory of 3560 N/A C:\Windows\SysWOW64\Ijpepcfj.exe C:\Windows\SysWOW64\Iajmmm32.exe
PID 3560 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Iajmmm32.exe C:\Windows\SysWOW64\Ihceigec.exe
PID 3560 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Iajmmm32.exe C:\Windows\SysWOW64\Ihceigec.exe
PID 3560 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Iajmmm32.exe C:\Windows\SysWOW64\Ihceigec.exe
PID 5092 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Ihceigec.exe C:\Windows\SysWOW64\Ijbbfc32.exe
PID 5092 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Ihceigec.exe C:\Windows\SysWOW64\Ijbbfc32.exe
PID 5092 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Ihceigec.exe C:\Windows\SysWOW64\Ijbbfc32.exe
PID 3972 wrote to memory of 416 N/A C:\Windows\SysWOW64\Ijbbfc32.exe C:\Windows\SysWOW64\Jbijgp32.exe
PID 3972 wrote to memory of 416 N/A C:\Windows\SysWOW64\Ijbbfc32.exe C:\Windows\SysWOW64\Jbijgp32.exe
PID 3972 wrote to memory of 416 N/A C:\Windows\SysWOW64\Ijbbfc32.exe C:\Windows\SysWOW64\Jbijgp32.exe
PID 416 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Jbijgp32.exe C:\Windows\SysWOW64\Jdjfohjg.exe
PID 416 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Jbijgp32.exe C:\Windows\SysWOW64\Jdjfohjg.exe
PID 416 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Jbijgp32.exe C:\Windows\SysWOW64\Jdjfohjg.exe
PID 5116 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Jdjfohjg.exe C:\Windows\SysWOW64\Jjdokb32.exe
PID 5116 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Jdjfohjg.exe C:\Windows\SysWOW64\Jjdokb32.exe
PID 5116 wrote to memory of 1360 N/A C:\Windows\SysWOW64\Jdjfohjg.exe C:\Windows\SysWOW64\Jjdokb32.exe
PID 1360 wrote to memory of 1588 N/A C:\Windows\SysWOW64\Jjdokb32.exe C:\Windows\SysWOW64\Jblflp32.exe
PID 1360 wrote to memory of 1588 N/A C:\Windows\SysWOW64\Jjdokb32.exe C:\Windows\SysWOW64\Jblflp32.exe
PID 1360 wrote to memory of 1588 N/A C:\Windows\SysWOW64\Jjdokb32.exe C:\Windows\SysWOW64\Jblflp32.exe
PID 1588 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Jblflp32.exe C:\Windows\SysWOW64\Jejbhk32.exe
PID 1588 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Jblflp32.exe C:\Windows\SysWOW64\Jejbhk32.exe
PID 1588 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Jblflp32.exe C:\Windows\SysWOW64\Jejbhk32.exe
PID 2920 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Jejbhk32.exe C:\Windows\SysWOW64\Jhhodg32.exe
PID 2920 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Jejbhk32.exe C:\Windows\SysWOW64\Jhhodg32.exe
PID 2920 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Jejbhk32.exe C:\Windows\SysWOW64\Jhhodg32.exe
PID 2896 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Jhhodg32.exe C:\Windows\SysWOW64\Jjgkab32.exe
PID 2896 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Jhhodg32.exe C:\Windows\SysWOW64\Jjgkab32.exe
PID 2896 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Jhhodg32.exe C:\Windows\SysWOW64\Jjgkab32.exe
PID 4056 wrote to memory of 4904 N/A C:\Windows\SysWOW64\Jjgkab32.exe C:\Windows\SysWOW64\Jaqcnl32.exe
PID 4056 wrote to memory of 4904 N/A C:\Windows\SysWOW64\Jjgkab32.exe C:\Windows\SysWOW64\Jaqcnl32.exe
PID 4056 wrote to memory of 4904 N/A C:\Windows\SysWOW64\Jjgkab32.exe C:\Windows\SysWOW64\Jaqcnl32.exe
PID 4904 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Jaqcnl32.exe C:\Windows\SysWOW64\Jlfhke32.exe
PID 4904 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Jaqcnl32.exe C:\Windows\SysWOW64\Jlfhke32.exe
PID 4904 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Jaqcnl32.exe C:\Windows\SysWOW64\Jlfhke32.exe
PID 2456 wrote to memory of 4292 N/A C:\Windows\SysWOW64\Jlfhke32.exe C:\Windows\SysWOW64\Jbppgona.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Cerber.exe"

C:\Windows\SysWOW64\Infhebbh.exe

C:\Windows\system32\Infhebbh.exe

C:\Windows\SysWOW64\Ieqpbm32.exe

C:\Windows\system32\Ieqpbm32.exe

C:\Windows\SysWOW64\Iccpniqp.exe

C:\Windows\system32\Iccpniqp.exe

C:\Windows\SysWOW64\Ilkhog32.exe

C:\Windows\system32\Ilkhog32.exe

C:\Windows\SysWOW64\Inidkb32.exe

C:\Windows\system32\Inidkb32.exe

C:\Windows\SysWOW64\Iagqgn32.exe

C:\Windows\system32\Iagqgn32.exe

C:\Windows\SysWOW64\Iecmhlhb.exe

C:\Windows\system32\Iecmhlhb.exe

C:\Windows\SysWOW64\Ihaidhgf.exe

C:\Windows\system32\Ihaidhgf.exe

C:\Windows\SysWOW64\Ijpepcfj.exe

C:\Windows\system32\Ijpepcfj.exe

C:\Windows\SysWOW64\Iajmmm32.exe

C:\Windows\system32\Iajmmm32.exe

C:\Windows\SysWOW64\Ihceigec.exe

C:\Windows\system32\Ihceigec.exe

C:\Windows\SysWOW64\Ijbbfc32.exe

C:\Windows\system32\Ijbbfc32.exe

C:\Windows\SysWOW64\Jbijgp32.exe

C:\Windows\system32\Jbijgp32.exe

C:\Windows\SysWOW64\Jdjfohjg.exe

C:\Windows\system32\Jdjfohjg.exe

C:\Windows\SysWOW64\Jjdokb32.exe

C:\Windows\system32\Jjdokb32.exe

C:\Windows\SysWOW64\Jblflp32.exe

C:\Windows\system32\Jblflp32.exe

C:\Windows\SysWOW64\Jejbhk32.exe

C:\Windows\system32\Jejbhk32.exe

C:\Windows\SysWOW64\Jhhodg32.exe

C:\Windows\system32\Jhhodg32.exe

C:\Windows\SysWOW64\Jjgkab32.exe

C:\Windows\system32\Jjgkab32.exe

C:\Windows\SysWOW64\Jaqcnl32.exe

C:\Windows\system32\Jaqcnl32.exe

C:\Windows\SysWOW64\Jlfhke32.exe

C:\Windows\system32\Jlfhke32.exe

C:\Windows\SysWOW64\Jbppgona.exe

C:\Windows\system32\Jbppgona.exe

C:\Windows\SysWOW64\Jeolckne.exe

C:\Windows\system32\Jeolckne.exe

C:\Windows\SysWOW64\Jdalog32.exe

C:\Windows\system32\Jdalog32.exe

C:\Windows\SysWOW64\Jlidpe32.exe

C:\Windows\system32\Jlidpe32.exe

C:\Windows\SysWOW64\Jbbmmo32.exe

C:\Windows\system32\Jbbmmo32.exe

C:\Windows\SysWOW64\Jeaiij32.exe

C:\Windows\system32\Jeaiij32.exe

C:\Windows\SysWOW64\Jlkafdco.exe

C:\Windows\system32\Jlkafdco.exe

C:\Windows\SysWOW64\Koimbpbc.exe

C:\Windows\system32\Koimbpbc.exe

C:\Windows\SysWOW64\Kahinkaf.exe

C:\Windows\system32\Kahinkaf.exe

C:\Windows\SysWOW64\Keceoj32.exe

C:\Windows\system32\Keceoj32.exe

C:\Windows\SysWOW64\Kdffjgpj.exe

C:\Windows\system32\Kdffjgpj.exe

C:\Windows\SysWOW64\Klmnkdal.exe

C:\Windows\system32\Klmnkdal.exe

C:\Windows\SysWOW64\Koljgppp.exe

C:\Windows\system32\Koljgppp.exe

C:\Windows\SysWOW64\Kbgfhnhi.exe

C:\Windows\system32\Kbgfhnhi.exe

C:\Windows\SysWOW64\Kefbdjgm.exe

C:\Windows\system32\Kefbdjgm.exe

C:\Windows\SysWOW64\Khdoqefq.exe

C:\Windows\system32\Khdoqefq.exe

C:\Windows\SysWOW64\Klpjad32.exe

C:\Windows\system32\Klpjad32.exe

C:\Windows\SysWOW64\Kkbkmqed.exe

C:\Windows\system32\Kkbkmqed.exe

C:\Windows\SysWOW64\Kongmo32.exe

C:\Windows\system32\Kongmo32.exe

C:\Windows\SysWOW64\Kalcik32.exe

C:\Windows\system32\Kalcik32.exe

C:\Windows\SysWOW64\Kehojiej.exe

C:\Windows\system32\Kehojiej.exe

C:\Windows\SysWOW64\Kdkoef32.exe

C:\Windows\system32\Kdkoef32.exe

C:\Windows\SysWOW64\Klbgfc32.exe

C:\Windows\system32\Klbgfc32.exe

C:\Windows\SysWOW64\Kkegbpca.exe

C:\Windows\system32\Kkegbpca.exe

C:\Windows\SysWOW64\Kblpcndd.exe

C:\Windows\system32\Kblpcndd.exe

C:\Windows\SysWOW64\Kejloi32.exe

C:\Windows\system32\Kejloi32.exe

C:\Windows\SysWOW64\Khihld32.exe

C:\Windows\system32\Khihld32.exe

C:\Windows\SysWOW64\Kbnlim32.exe

C:\Windows\system32\Kbnlim32.exe

C:\Windows\SysWOW64\Kaaldjil.exe

C:\Windows\system32\Kaaldjil.exe

C:\Windows\SysWOW64\Kemhei32.exe

C:\Windows\system32\Kemhei32.exe

C:\Windows\SysWOW64\Klgqabib.exe

C:\Windows\system32\Klgqabib.exe

C:\Windows\SysWOW64\Loemnnhe.exe

C:\Windows\system32\Loemnnhe.exe

C:\Windows\SysWOW64\Lbqinm32.exe

C:\Windows\system32\Lbqinm32.exe

C:\Windows\SysWOW64\Lacijjgi.exe

C:\Windows\system32\Lacijjgi.exe

C:\Windows\SysWOW64\Ldbefe32.exe

C:\Windows\system32\Ldbefe32.exe

C:\Windows\SysWOW64\Llimgb32.exe

C:\Windows\system32\Llimgb32.exe

C:\Windows\SysWOW64\Logicn32.exe

C:\Windows\system32\Logicn32.exe

C:\Windows\SysWOW64\Lbcedmnl.exe

C:\Windows\system32\Lbcedmnl.exe

C:\Windows\SysWOW64\Leabphmp.exe

C:\Windows\system32\Leabphmp.exe

C:\Windows\SysWOW64\Lknjhokg.exe

C:\Windows\system32\Lknjhokg.exe

C:\Windows\SysWOW64\Lbebilli.exe

C:\Windows\system32\Lbebilli.exe

C:\Windows\SysWOW64\Ledoegkm.exe

C:\Windows\system32\Ledoegkm.exe

C:\Windows\SysWOW64\Ldfoad32.exe

C:\Windows\system32\Ldfoad32.exe

C:\Windows\SysWOW64\Llngbabj.exe

C:\Windows\system32\Llngbabj.exe

C:\Windows\SysWOW64\Lkqgno32.exe

C:\Windows\system32\Lkqgno32.exe

C:\Windows\SysWOW64\Lbhool32.exe

C:\Windows\system32\Lbhool32.exe

C:\Windows\SysWOW64\Lefkkg32.exe

C:\Windows\system32\Lefkkg32.exe

C:\Windows\SysWOW64\Ldikgdpe.exe

C:\Windows\system32\Ldikgdpe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 224 -ip 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4960-0-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4960-1-0x0000000000431000-0x0000000000432000-memory.dmp

memory/5096-9-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2728-17-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2164-49-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ihaidhgf.exe

MD5 f4bfb44615b9e4d3a7d0c5d52eb24bff
SHA1 c7c08c2f1adfea4661e7cf7a31968782d7395c30
SHA256 6c45869197038fd01e7f9b5ca9b492a2d72c036bac848d949efb053916d9eb1f
SHA512 0b0485f17c6ad1561e5d41053df3f3aeaa788f6e563b704e7e0acb4ac7e0d8b89a38cb6e698a7f74c935e74105350d136601327efc625501a06df09b790b51e1

C:\Windows\SysWOW64\Ijpepcfj.exe

MD5 e63b52723d9b097333e6652c1558ad00
SHA1 d36f079fb9c87cdc72821fa4466e78ae62b41e66
SHA256 1573ba1f6df7a42a0fd02e5a41a89350acc08dce72bfddb8b416d3cad51f1162
SHA512 cf2120e0aaeabc3ad46f13110b151320a886d8bd991f04a0e47708b72b75c04db9025d1c3af22f5bb4eb504165b570e29513e18808ee4d7ca61c03ae9dee2b1f

C:\Windows\SysWOW64\Iajmmm32.exe

MD5 ed86e40d9b62ea75f47fe35008a06927
SHA1 377c564a589fb1a80c9fc11a638f5d4054aa8081
SHA256 ad609a3dcf9f88d584ae7ebb18ce43611b723101dd4c0be26e140abb1bb4fb79
SHA512 196f01c9b1bf5137498d1875e0fa05ba4f791438d6b779e8b5e3147979653fc9413a658e4b3f9879aa85d3a998472df534b95bc621e3f773b8a4564659143a78

C:\Windows\SysWOW64\Ihceigec.exe

MD5 605b26d197fd160769990af29bd6204d
SHA1 b5098dc2334ded8c9ce17339f451a9e98f38ece5
SHA256 0fa71f01445429d4178b496d267214b6448302f420a078cad889d738bfe68715
SHA512 b43c1e49aa9715b889d5f6163075a312b75e47ae6728e1ad47d50e100d4a32663d64333703aa50bdc6fef1cac804967a39e21168a04a10df22188d58dea42166

memory/2152-107-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jbijgp32.exe

MD5 9a36b5af5126b85cfacfa2cdeb8bc669
SHA1 6c911eb6b4ce1c644440570c7e812f6bdc6387b9
SHA256 318e6951d049aca7c58720124c92b2eae01a2afbeee916048ab92c3c5eac636d
SHA512 082bc4b27ca6a013b373611ea156940fcae1ef2a394550d9b75f08b171efa04b7401c5a5bfb2a181e3b986e55393de5345f7e4bfa1a18544c6aadb39851e8358

C:\Windows\SysWOW64\Jblflp32.exe

MD5 5ce2ad78711830e03ec9342d29602ecd
SHA1 cff380fbb808b2864a78441d29b7016185ff5351
SHA256 36724fbc4c33f20fae62efa7667d962f95e2a5175e7dc2df1a01ed2e093ab8f1
SHA512 4327e3d989e679bbcef9e4ba087b9fe488e8ed1cacb3b6ff3f222f6d3a9c18d40c214bdab4e962d9e0f8516c1b8387f8ab92f292ce9e1ba6949b94ade752ace0

memory/2896-153-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jjgkab32.exe

MD5 7cdc94490500e9fc25e73e85dc6bbcb7
SHA1 32d4df4b839e792b8d5ff6c597adc811c1b39b77
SHA256 862d0c39b93d05046188f1c0bc0f8f250da300394c22fcdacbcd981ad461be3a
SHA512 3d669152f9dff780ff263a65aa617aaf10e8aeb44f2431ac7f44f134cb3ecf8694e2b9d0c4230de2b371ccce521dcfe60f02eb04727c4d7ef39f834c49bfd008

memory/4904-172-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2456-180-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jbppgona.exe

MD5 43ebb320708b4efe4a702780d607acc5
SHA1 57533132390f3135de84480ca641ec706d0f4c9a
SHA256 fc272629982cde137e51a4628f0f685f4200e413cba19baa7692a30c98b9adc5
SHA512 8c452e27ddb19fbdb5eac3b466e713c407f6b7d89bc0cb11a88702b413f753a82998ad48aee5e50f9ba91a81f48b5d8e838f6fed772b6739a9876da725a93e97

C:\Windows\SysWOW64\Jeolckne.exe

MD5 26039a21c29b2a2eaf8535af2c06ec36
SHA1 71fd6195c5d728dac2a54773aeace478e0aeafa0
SHA256 9d8dbb18aadf6fd230548985df730e2b7b319210f88e4282f34d136c4073811f
SHA512 af23d2e8a7c57c211ee272e26eddbfff97d2c9d334d8abdbdb9fffd2e6c0e23a9c1a01c211578f2e5a83f5215dd109b220b13457b51b09f13a9f793034a81d9d

C:\Windows\SysWOW64\Jlidpe32.exe

MD5 7b0840ffe4fdc59a63206bb0eb1cdbe5
SHA1 47a8773293970f9a47643e3323778cfebffbfd2a
SHA256 c8ca74d90f7781c8c21800a1b40bbb7dfed8f8c55642091403ecc7cb4444e26e
SHA512 4d374507169550d50612bdddac56124c1c4924646b27b973c3a2bf95cd204cbedf1a05ea5603e1c19a43e65054f57eb13335e4f206bcfabc5f663472777109ba

C:\Windows\SysWOW64\Jeaiij32.exe

MD5 085204cef44e5d108217d83dcedbdb5a
SHA1 f8ab7b84297a981c0dd1bdb27704cc6b0c01ab75
SHA256 53303575b1d91f196e2b65d6899b208754250ed5ab5c67bb7e19f3d8931ccb60
SHA512 b07a2d8338dfbcabe129672a110682ce76d7b649dd5c451ce70b691d94b822ddc43895b07400e6c5fce5f66f8f3b131717ad553b7273698190f11861423dbf2e

C:\Windows\SysWOW64\Kahinkaf.exe

MD5 26da085ecd38d868c197954ace8f919c
SHA1 de1059c66e846e9daba2bf96de29c0e84cd1ddc2
SHA256 7d32f1c615fc2cd30d6353dc675e4299ad775983d4fdb8cadc8d5984fd0556a5
SHA512 ce0fab9c9b89bbcd15af3dfaa5b8bfe4d705df9ce6513edde77d86dfcf55479245f49593d35e5a414fede4876c754a52ce496a42e37f1e7e5f9be3abce99fe3e

memory/3244-316-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3400-334-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4120-358-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4624-378-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4132-388-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3724-396-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2032-408-0x0000000000400000-0x000000000043C000-memory.dmp

memory/180-421-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4076-434-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3372-435-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2652-448-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5024-461-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3724-460-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ldikgdpe.exe

MD5 afae8b654a45a3dcd81975d63fa301e2
SHA1 29500600fe237401e987882419c46fbaa421b2fa
SHA256 bacb545ef8821c878c0c007ca60a60157b804d9870ff155db59dd4b2f620959f
SHA512 7e50c88bfc66d9642c75d00cb29d554113c177821f32496e393449e98a832c475bf21637d0cbff3a635bd84b7de3cc2fe953d937218063185717aa8766b1987b

C:\Windows\SysWOW64\Llngbabj.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2032-474-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4804-468-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2540-467-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Lbebilli.exe

MD5 f5f4d6ffc7d3a1cbee1437f2e775e24f
SHA1 b7b7ffbc2c2f448c05b5695cc47bcf0433572e70
SHA256 caeb7310d50e0c2e5abe09de576806bdbae976fd27b0bb720627c67957b28105
SHA512 37b06039c0c3c9936f29284140461fd68da1467f8bb128472f2b633c0175f0212485ab51fc060771cbde27b2216d4d61729af15428098f64bdf1529bfecfd7af

memory/2012-454-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4624-441-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3580-442-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4552-428-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4776-427-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ldbefe32.exe

MD5 223b1896d862bf4b464775d03501772d
SHA1 7b6bbb6da11c6b007de11639123144320a753e7e
SHA256 3a9495f0cf7cfde2dc0079a9045b415c99419f04df0ed2c510e13edefcbf7dca
SHA512 db4f72b6156709ee9eef6f7998fa367069dbd60cb37c2d3e44cad61ee38795f155eb65f919f20f7c008f36c5cb33f5438b9e6e1267aea016528b1417ac6e73cd

memory/1068-420-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3044-414-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Lbqinm32.exe

MD5 a7b8439e907b576f4dd31817086863ee
SHA1 9bb8428519d7816296f0c29580cbc06577d244d5
SHA256 2901484bba16295dd94393e36063ec2a537b4aec368207dd56a5b8147e209502
SHA512 33bd37704e69641eba204d458776c9cb40e1d31abcc128373c1907584e98b5de53375704f61b90ddd8afdbf6595898e2e03c754a692352b9acbc5207f6a0bd3f

memory/2540-402-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3896-394-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4076-372-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4776-366-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1068-363-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2332-352-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4324-346-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2952-340-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3772-328-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5016-322-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2292-310-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4184-304-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1472-298-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3120-297-0x0000000000400000-0x000000000043C000-memory.dmp

memory/464-291-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3348-290-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1780-284-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Kdffjgpj.exe

MD5 6c14e1060db523a17cb7e8785c76bf75
SHA1 2416b9d9669914be29b175be7ebb0ecf3fbea076
SHA256 854a576826eae9665f91fdca86a964e9c492c4f16e122b2e99fd8c231dd97dbb
SHA512 b16379fa3f09dfbe6f8a6728a69ab115b0b4920f6cf899cbc3017a504142f7e6be50aa5157d5323c65f0148a05b16a758ab8db778091c439a938156ed5ce9861

memory/1916-276-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4292-275-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2456-274-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Keceoj32.exe

MD5 e6245bf93ba74b0d3d48d3e67632bf88
SHA1 97959fc4483819753baa6ff2990de03be5af392d
SHA256 403fa7ccf38f502796cf635334fba0dc7665f3566ccedab1a57854caf5ce6618
SHA512 4152f67d42509231c5e42da2f4eb1c5684f5782ea8d78b82b910c80e24cd786ac4a69ca96b32e52222f3b17e8ce4532adf5117b847212495595c576aabab54ff

memory/2988-266-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4904-265-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2144-257-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4056-256-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Koimbpbc.exe

MD5 f8a234feac24dd213cf00fc6a118d166
SHA1 3f1dc3f0ad0072ca3f688b7a4e40dea32d0e6c04
SHA256 ccc290580fb59a61a11cd6026ef36cb621228e9ced801a41eb75817746e3bc27
SHA512 8167490fd3994999b87852b6cd3b3d3299f2f538f5c90ef26ebf34978fac0f50f1f38841892e7d0365cd790af2a7031b6ae0cf6604f413de145dd54b59e94e17

memory/3356-248-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2896-247-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jlkafdco.exe

MD5 3ac5a555c7135e5ee84ff03f03037149
SHA1 a2996ac44f6c4a74769340239f12b17eaad3e5e8
SHA256 389db1b13f41e9d3c942cab577cf0d06ba0859637301dbf8c497ff1cab4cf62c
SHA512 55127206042a858620fc9129ca82a0e1487288aff3135e3e59de543add1c7509258fa56f63e1ffc76f306e83d456e0c7d8c1fa3fe24f70f48398841c4e03eae9

memory/4272-239-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2920-233-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4812-230-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1588-229-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4744-224-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jbbmmo32.exe

MD5 5aad64e61851e9f4578ae4694592957e
SHA1 a930370b1ef4d8938f90b89a1af2163c71ba3f12
SHA256 aa08e761d60dd05d66cde8c48156c8669103792f0262d761570d7828f138c12e
SHA512 b8bacf700c6b6b1a261fff8af955e6fb9943385c39d526910be4041b70dccc45a2c8460353f592b7186cef41f9e511030903cec44dfb70c083f22f7e4eeb42bd

memory/1360-221-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3120-208-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5116-207-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jdalog32.exe

MD5 7a1600023936a6c69acbf2e9e478d749
SHA1 f965018646546abf99204863f19c34f6bbe5b7ac
SHA256 5a557d328aa94dfa4ce5fa2d494bf6a8b0b7a6dd9b213fd75632aadc5136dd11
SHA512 0906a9da86ff6ec793be3c12270026863c1d65b302116e12ae62b5f4b9377eccf63720ad25a70ceb79caaa3344d0223e81fbbdfedb14de286dff138a190b2628

memory/3348-198-0x0000000000400000-0x000000000043C000-memory.dmp

memory/416-197-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4292-190-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3972-188-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jlfhke32.exe

MD5 e69a6e0a9e2583ad9e046a1b6104b6a2
SHA1 5f84eb244809c68ea0ff92d86d7ca2d2413bbb02
SHA256 6b8f394b7f172dbfa38ba33939e75888bb001067b04a149768cd179828c68c8a
SHA512 7ec1b77d763c189e55310d2bca46c41085fea6e5d44cf7b1615877ccdca6d8e4e8a5907495aa727f56f0df6ef4c4fb376db234795a93fda1bb27d706bb2db765

memory/5092-179-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3560-171-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jaqcnl32.exe

MD5 47f49b67fa58797f15f2d8b3b45cb1ec
SHA1 3cc5795e4b558a1bab0716ee9c4a2736c86e97ec
SHA256 a9a199b196462d46634ab3197006859b79bc86a824d92200be988c6b120e2ee5
SHA512 150c7a9d851b050a1002377730c17434a0c7d22127aa1d7903b2b0169f2701edcd85f9acecc65dcd2e1242175d62da1cef025bb2aebff884abe4b25c451f7005

memory/4056-162-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4836-161-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jhhodg32.exe

MD5 36665bf52739f86818b224cfd04177e8
SHA1 bbf6c9953b389a7551ba7ea7b9d95ec90fbe61e6
SHA256 a753f7fc0d498cff3f3b4dfd1d87116a41eb29c53bb4b44e67b3afaad9683737
SHA512 e08a2162613c05660ac6ec27c02b816fc87e3c3322a01dbd8e8544415fb4c334bf2fef580660bd64ee7df5df56a413745ae6deb1f88e6fefeb9eede8b3c151b1

memory/3092-152-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3784-143-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2920-145-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jejbhk32.exe

MD5 d04056aaa27a6d37385e8540de6e1fcd
SHA1 68165690f53943b407f567b423870cc18ed2cbf0
SHA256 00b5fcf09b68212bac0e472a70eee6d4d01b8e75927d39173508039327cd6a58
SHA512 1985c0e01cbf721d2360fb81e5c29458aaa5d39db8faa002c7855f133ea1279e9fa2883d58c8b039505a615608daa2af5324c01e9ef19d99113f63ef29e7f524

memory/1588-135-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2164-134-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jjdokb32.exe

MD5 ee17c7c1afb87f6ed6e5a42061663a0d
SHA1 f577c33bfdc35860be1aacf6988b9208550eb833
SHA256 75b2a5eade837cda8808652b5dfeaf20b9a0f1895dad29d35648b4fc42546233
SHA512 dea80affe34519d5ea1b3d68988abdd993e08a27fb9cbe26f7b5a60359e4cdf635ab188114bf2ee0857bd2a14210a27c2bdc4a593d6dffeed8f8ae392b2fc80d

memory/1360-126-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4472-125-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jdjfohjg.exe

MD5 46facdec91f6a9135d6d04eb9469bf23
SHA1 612951d260c52f815bcd9c35c67acdfe49990b83
SHA256 1bcb31b0b36fd74448ca008cf0b71e68920a9214862e00c8ae860130995bb3c0
SHA512 cf440aa8678d31bc73d0618c6a57d5fcf2c55f7a8dd8e1bc62e5ecbdbdb9df4c4a5fd78ce516e5f436116531fe5cafb918b262b3e5fd67d6aad59e36d7a46cbb

memory/5116-117-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3324-116-0x0000000000400000-0x000000000043C000-memory.dmp

memory/416-108-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jbijgp32.exe

MD5 221b9de3a19984c23f62c32234bfc7c4
SHA1 79ae6c585fc398801ba6d8fbd3f7694a817bdf24
SHA256 a2cb204f168f46e9afe19c04d025735da6f14d68c01f185db50010ba86470e0b
SHA512 80b54bfd27b38923bcb698155efce6860830fa0efc320068b9bb80eef8859c6ba55974043fda9b996d9f5894a4dade02862c47c23c879e900c07259edd38ae8e

memory/3972-99-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2728-98-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5092-90-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5096-89-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3560-82-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4836-74-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4960-73-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3092-64-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Iecmhlhb.exe

MD5 17f3844ad7b5c59a8f356a5fe14f0e78
SHA1 0a11b1c2182f4309993e2feede088f2ec6b03d9d
SHA256 80e4a12dfe6a8304d438a58ef335585dd4441b4fbf4245036452d5a035e38f25
SHA512 afad5bba90520f9676d6b5591cbea317a81112611deeb67b958b0f9f54a9648827d53ac5e7cc93d09268b055a0ac7db16ad44fd341087fdbc28f99e73dc38955

memory/3784-56-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Iagqgn32.exe

MD5 14eff6c3dd22bfdccb2fa1ccd71a32e7
SHA1 22d496ab9b8267766b7f2319aadf0c77b6683fda
SHA256 c7b6fd9cc608d54ee186496657c729c873aad2b7ce9544ed5957cfd585c4fd26
SHA512 c913eb778043d46a757e858931b5ede859071ebe435886a0bb314f7bcb25f8f150163ff6b8673a200e926d7353ffce7fec197361fa2f5e88eb3048290e8e8d91

C:\Windows\SysWOW64\Inidkb32.exe

MD5 b26167dbf1054821de3351bb744f6260
SHA1 9e1e680013db829e6c0daf2fc58b70901567e580
SHA256 07363bdc9dcdceb4b704cb6e4072f44c5378aab90854259136146a33a5e59577
SHA512 fb0a3714fb2ec5a0f7e90f1b1079f45ba7cae6a8172a04dccc17a51e862be66ee6b90f4cdb8ff7c951e2b05de35a5f9bc649883a32e6ba107a6841b35c51081a

memory/4472-40-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ilkhog32.exe

MD5 b5177abdcea3de2f7f2e9797c59f64e4
SHA1 b2c368e30edae7877f58ee764d4c0a3a908ad1c2
SHA256 eb8ebe0b32920e9af642b9f29069edf8504b8baf8d471d2f8f77c5b53c3ed777
SHA512 9f7e2a3a4ef6fff27b1c10a4116256f34d91c721f21861675149ea206fca417ae8112c3194f25fd454fb033c893aae784b82c6b9d5d5266a294a1bdf845ef8ff

memory/3324-32-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2152-25-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Iccpniqp.exe

MD5 4f209914be96be794bcfd81f993d482c
SHA1 36f905dd6570afcf71af0fecde3940073a9e2d0a
SHA256 16e71c4ccbf86e81902cec89f31f4e656653a87ede1ffed8cec5485b1a3225aa
SHA512 cac3d0d4fba52e7a549dc49f55b46afd1709d164ec9eb3c6aa73332ce981e4a1a9cd488f6d4135bf71cbe048e2820b3cdf02afe657f0daf566c38d0d378b7d07

C:\Windows\SysWOW64\Ieqpbm32.exe

MD5 bd56695e44b00e410935432a28681d64
SHA1 ab59e9884a3b02f4e30a52df8367d7bd3591e976
SHA256 8d6cbab201fa414b1b8560d149fe577c39ec8ce024500e0f91b0c3d5bd64bfa4
SHA512 d44ebf55bf0620e5058ec6686a4bb1cb7407187571953fe53a3cfa46e39196a928304fdde3f5dbaa09b4b0728938ce124bdaaecf44ca9b6f18a8c41f39cb3b12

C:\Windows\SysWOW64\Infhebbh.exe

MD5 c57b0a6a994298dce1ef9ae29212734b
SHA1 8b1c7b3bd16b57a23c89217d3f6c773112ece7d1
SHA256 2c0ab85a5f11d34e4aeea3f31cf493a10de561d57a20bed6d3b7903b0874f966
SHA512 a6ce7de06f1e9f6cde6d4abca0511efde07a92d1f200d976b42ea6fa843f2c1f62587cbb726ec4fa975bb28f3ae1d0ed6ebe9c4ae687f8cc7d85914091201035