Malware Analysis Report

2024-10-16 04:29

Sample ID 240601-239z6aag39
Target 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe
SHA256 0d9b70e0f8a386afa3d42e80c35e3260c33315f3d1cb39f6922fd865b9990fed
Tags backdoor trojan dropper berbew persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 0d9b70e0f8a386afa3d42e80c35e3260c33315f3d1cb39f6922fd865b9990fed

Threat Level: Known bad

The file 0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Malware Dropper & Backdoor - Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 23:07

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 23:07

Reported

2024-06-01 23:10

Platform

win7-20240221-en

Max time kernel

45s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Akncimmh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Akncimmh.exe C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Akncimmh.exe C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Gckmjbbc.dll C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckmjbbc.dll" C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Akncimmh.exe

C:\Windows\system32\Akncimmh.exe

C:\Windows\SysWOW64\Akeijlfq.exe

C:\Windows\system32\Akeijlfq.exe

C:\Windows\SysWOW64\Bnhoag32.exe

C:\Windows\system32\Bnhoag32.exe

C:\Windows\SysWOW64\Cafgle32.exe

C:\Windows\system32\Cafgle32.exe

C:\Windows\SysWOW64\Cmmhaf32.exe

C:\Windows\system32\Cmmhaf32.exe

C:\Windows\SysWOW64\Epgphcqd.exe

C:\Windows\system32\Epgphcqd.exe

C:\Windows\SysWOW64\Fgadda32.exe

C:\Windows\system32\Fgadda32.exe

C:\Windows\SysWOW64\Hhcmhdke.exe

C:\Windows\system32\Hhcmhdke.exe

C:\Windows\SysWOW64\Ihhcbf32.exe

C:\Windows\system32\Ihhcbf32.exe

C:\Windows\SysWOW64\Oopijc32.exe

C:\Windows\system32\Oopijc32.exe

C:\Windows\SysWOW64\Acfdnihk.exe

C:\Windows\system32\Acfdnihk.exe

C:\Windows\SysWOW64\Gkglnm32.exe

C:\Windows\system32\Gkglnm32.exe

C:\Windows\SysWOW64\Jialfgcc.exe

C:\Windows\system32\Jialfgcc.exe

C:\Windows\SysWOW64\Kgclio32.exe

C:\Windows\system32\Kgclio32.exe

C:\Windows\SysWOW64\Nfdddm32.exe

C:\Windows\system32\Nfdddm32.exe

C:\Windows\SysWOW64\Nbjeinje.exe

C:\Windows\system32\Nbjeinje.exe

C:\Windows\SysWOW64\Njfjnpgp.exe

C:\Windows\system32\Njfjnpgp.exe

C:\Windows\SysWOW64\Njhfcp32.exe

C:\Windows\system32\Njhfcp32.exe

C:\Windows\SysWOW64\Nfoghakb.exe

C:\Windows\system32\Nfoghakb.exe

C:\Windows\SysWOW64\Opihgfop.exe

C:\Windows\system32\Opihgfop.exe

C:\Windows\SysWOW64\Omnipjni.exe

C:\Windows\system32\Omnipjni.exe

C:\Windows\SysWOW64\Oiffkkbk.exe

C:\Windows\system32\Oiffkkbk.exe

C:\Windows\SysWOW64\Oabkom32.exe

C:\Windows\system32\Oabkom32.exe

C:\Windows\SysWOW64\Pepcelel.exe

C:\Windows\system32\Pepcelel.exe

C:\Windows\SysWOW64\Phqmgg32.exe

C:\Windows\system32\Phqmgg32.exe

C:\Windows\SysWOW64\Bjpdhifk.exe

C:\Windows\system32\Bjpdhifk.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 23:07

Reported

2024-06-01 23:10

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcjiff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omjpeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phigif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aahbbkaq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpdcag32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgifbhid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieojgc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Koonge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qepkbpak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbdhiojo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mepfiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckmonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fiodpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbeejp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbbajjlp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cefoce32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnbeeiji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acokhc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnahdi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkokcl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfjkjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khlklj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aanjpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkoplk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpanan32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npepkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dakikoom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jemfhacc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkmeha32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjmfmh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nndjndbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kidben32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Legben32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdlfjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkmdecbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Milidebi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmaffnce.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekodjiol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfhbga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjaleemj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dcnlnaom.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgogbgei.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bckkca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bckkca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eblpgjha.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phaahggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkaclqkk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbhmbdle.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lhnhajba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llflea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmedjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Momcpa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bohibc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebdcld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpcapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmpolgoi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poimpapp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phaahggp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qemhbj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blielbfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okchnk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddgplado.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbpchb32.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Nnmopdep.exe N/A
N/A N/A C:\Windows\SysWOW64\Odpjcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgjfkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjkombfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgallfcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgciaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aegikj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aanjpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cefoce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Conclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpgmha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmpgldhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmbdbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nloiakho.exe N/A
N/A N/A C:\Windows\SysWOW64\Ognpebpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqijje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Andqdh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfpnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Danecp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gekcaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifihif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Indmnh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbbfdfkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Jecofa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgdhgmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Jicdap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amfjeobf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmipblaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcogje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehhpla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkpool32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdilnojp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhfedm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inomhbeq.exe N/A
N/A N/A C:\Windows\SysWOW64\Indfca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjjghcfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgogbgei.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgadgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jibmgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kghjhemo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kiggbhda.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqbkfkal.exe N/A
N/A N/A C:\Windows\SysWOW64\Keqdmihc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbddfmgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjpijpdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkofdbkj.exe N/A
N/A N/A C:\Windows\SysWOW64\Licfngjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbkkgl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbngllob.exe N/A
N/A N/A C:\Windows\SysWOW64\Llflea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llhikacp.exe N/A
N/A N/A C:\Windows\SysWOW64\Milidebi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbenmk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnlnbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnnkgl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjellmbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhilfa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nemmoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nojjcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkqkhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okchnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohghgodi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooejohhq.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Nemmoe32.exe C:\Windows\SysWOW64\Mhilfa32.exe N/A
File created C:\Windows\SysWOW64\Jpcapp32.exe C:\Windows\SysWOW64\Ieidhh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhmbqm32.exe C:\Windows\SysWOW64\Baannc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ihkjno32.exe C:\Windows\SysWOW64\Hnbeeiji.exe N/A
File created C:\Windows\SysWOW64\Cgmhcaac.exe C:\Windows\SysWOW64\Cmedjl32.exe N/A
File created C:\Windows\SysWOW64\Iibjhgbi.dll C:\Windows\SysWOW64\Bhpfqcln.exe N/A
File created C:\Windows\SysWOW64\Bdeiqgkj.exe C:\Windows\SysWOW64\Bkmeha32.exe N/A
File created C:\Windows\SysWOW64\Algheg32.dll C:\Windows\SysWOW64\Jibmgi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nojjcj32.exe C:\Windows\SysWOW64\Nemmoe32.exe N/A
File created C:\Windows\SysWOW64\Pnplfj32.exe C:\Windows\SysWOW64\Pmpolgoi.exe N/A
File created C:\Windows\SysWOW64\Jcoong32.dll C:\Windows\SysWOW64\Eidlnd32.exe N/A
File created C:\Windows\SysWOW64\Iqjpdi32.dll C:\Windows\SysWOW64\Pgjfkg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fihnomjp.exe C:\Windows\SysWOW64\Ekdnei32.exe N/A
File created C:\Windows\SysWOW64\Fkjmlaac.exe C:\Windows\SysWOW64\Fbbicl32.exe N/A
File created C:\Windows\SysWOW64\Kidben32.exe C:\Windows\SysWOW64\Koonge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fecadghc.exe C:\Windows\SysWOW64\Fkjmlaac.exe N/A
File created C:\Windows\SysWOW64\Ojcpdg32.exe C:\Windows\SysWOW64\Oiccje32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qppaclio.exe C:\Windows\SysWOW64\Pblajhje.exe N/A
File created C:\Windows\SysWOW64\Fjqjajoe.dll C:\Windows\SysWOW64\Mnlnbl32.exe N/A
File created C:\Windows\SysWOW64\Emcbio32.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe C:\Windows\SysWOW64\Jgadgf32.exe N/A
File created C:\Windows\SysWOW64\Bckkca32.exe C:\Windows\SysWOW64\Bmofagfp.exe N/A
File opened for modification C:\Windows\SysWOW64\Blgifbil.exe C:\Windows\SysWOW64\Alelqb32.exe N/A
File created C:\Windows\SysWOW64\Flkdfh32.exe C:\Windows\SysWOW64\Fpdcag32.exe N/A
File created C:\Windows\SysWOW64\Qhjmdp32.exe C:\Windows\SysWOW64\Qmeigg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Nloiakho.exe N/A
File created C:\Windows\SysWOW64\Cpfcfmlp.exe C:\Windows\SysWOW64\Cgnomg32.exe N/A
File created C:\Windows\SysWOW64\Glgokg32.dll C:\Windows\SysWOW64\Llhikacp.exe N/A
File created C:\Windows\SysWOW64\Kamhmbej.dll C:\Windows\SysWOW64\Dmdhcddh.exe N/A
File created C:\Windows\SysWOW64\Pefabkej.exe C:\Windows\SysWOW64\Phaahggp.exe N/A
File created C:\Windows\SysWOW64\Fomnhddq.dll C:\Windows\SysWOW64\Cgnomg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dddllkbf.exe C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
File created C:\Windows\SysWOW64\Nggmhj32.dll C:\Windows\SysWOW64\Dcogje32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qaflgago.exe C:\Windows\SysWOW64\Qepkbpak.exe N/A
File created C:\Windows\SysWOW64\Ihejacdm.dll C:\Windows\SysWOW64\Lqbncb32.exe N/A
File created C:\Windows\SysWOW64\Ekdnei32.exe C:\Windows\SysWOW64\Eicedn32.exe N/A
File created C:\Windows\SysWOW64\Cpbjkn32.exe C:\Windows\SysWOW64\Cgifbhid.exe N/A
File created C:\Windows\SysWOW64\Kdflmg32.dll C:\Windows\SysWOW64\Omjpeo32.exe N/A
File created C:\Windows\SysWOW64\Fiboaq32.dll C:\Windows\SysWOW64\Dbkqfe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jgpfbjlo.exe C:\Windows\SysWOW64\Jilfifme.exe N/A
File created C:\Windows\SysWOW64\Pkpbai32.dll C:\Windows\SysWOW64\Haodle32.exe N/A
File created C:\Windows\SysWOW64\Lpkman32.dll C:\Windows\SysWOW64\Odpjcm32.exe N/A
File created C:\Windows\SysWOW64\Fphppfgi.dll C:\Windows\SysWOW64\Kiggbhda.exe N/A
File opened for modification C:\Windows\SysWOW64\Piphgq32.exe C:\Windows\SysWOW64\Oafcqcea.exe N/A
File opened for modification C:\Windows\SysWOW64\Phaahggp.exe C:\Windows\SysWOW64\Poimpapp.exe N/A
File created C:\Windows\SysWOW64\Imnocf32.exe C:\Windows\SysWOW64\Ilnbicff.exe N/A
File created C:\Windows\SysWOW64\Dmkalh32.dll C:\Windows\SysWOW64\Fbpchb32.exe N/A
File created C:\Windows\SysWOW64\Ofhknodl.exe C:\Windows\SysWOW64\Oplfkeob.exe N/A
File created C:\Windows\SysWOW64\Nhmkghpm.dll C:\Windows\SysWOW64\Pjkombfj.exe N/A
File created C:\Windows\SysWOW64\Ghkmacoj.dll C:\Windows\SysWOW64\Jpgmha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jpgmha32.exe C:\Windows\SysWOW64\Conclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhilfa32.exe C:\Windows\SysWOW64\Mjellmbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Fikbocki.exe C:\Windows\SysWOW64\Eppqqn32.exe N/A
File created C:\Windows\SysWOW64\Pfejnf32.dll C:\Windows\SysWOW64\Idcepgmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmpolgoi.exe C:\Windows\SysWOW64\Pmnbfhal.exe N/A
File created C:\Windows\SysWOW64\Lngqkhda.dll C:\Windows\SysWOW64\Pmnbfhal.exe N/A
File created C:\Windows\SysWOW64\Bfllfd32.dll C:\Windows\SysWOW64\Kjhloj32.exe N/A
File created C:\Windows\SysWOW64\Lhnhajba.exe C:\Windows\SysWOW64\Khlklj32.exe N/A
File created C:\Windows\SysWOW64\Idfplbal.dll C:\Windows\SysWOW64\Indmnh32.exe N/A
File created C:\Windows\SysWOW64\Capqggce.dll C:\Windows\SysWOW64\Bbdhiojo.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgqfdnah.exe C:\Windows\SysWOW64\Kjmfjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlhkgi32.exe C:\Windows\SysWOW64\Nndjndbh.exe N/A
File created C:\Windows\SysWOW64\Fpkefnho.dll C:\Windows\SysWOW64\Nccokk32.exe N/A
File created C:\Windows\SysWOW64\Mpiedk32.dll C:\Windows\SysWOW64\Pjaleemj.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Gbmadd32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjqjajoe.dll" C:\Windows\SysWOW64\Mnlnbl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhmbqm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjkombfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll" C:\Windows\SysWOW64\Ojcpdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll" C:\Windows\SysWOW64\Cdaile32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" C:\Windows\SysWOW64\Bdgged32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" C:\Windows\SysWOW64\Fdglmkeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npepkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll" C:\Windows\SysWOW64\Edbiniff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mbenmk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhgcipb.dll" C:\Windows\SysWOW64\Pkegpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbokg32.dll" C:\Windows\SysWOW64\Hibafp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnegbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlepcdoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Koonge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Modpib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fkpool32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbjmd32.dll" C:\Windows\SysWOW64\Poimpapp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jpcapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pafkgphl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkmdecbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flkdfh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gfjkjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dqbcbkab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hnbeeiji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" C:\Windows\SysWOW64\Nloiakho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nloiakho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll" C:\Windows\SysWOW64\Ekjded32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgjfkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoefilfc.dll" C:\Windows\SysWOW64\Jicdap32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fkpool32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddgplado.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oabhfg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkcndeen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fkjmlaac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonklp32.dll" C:\Windows\SysWOW64\Jknfcofa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlhkgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aahbbkaq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpqggh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbond32.dll" C:\Windows\SysWOW64\Milidebi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll" C:\Windows\SysWOW64\Mjahlgpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkegpb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkokcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecgodpgb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" C:\Windows\SysWOW64\Andqdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" C:\Windows\SysWOW64\Lkofdbkj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkqkhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qaflgago.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfhad32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cbphdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnfjkma.dll" C:\Windows\SysWOW64\Ikpjbq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dijbno32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qjffpe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ekodjiol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnfkdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpqggh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll" C:\Windows\SysWOW64\Pblajhje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkakadbk.dll" C:\Windows\SysWOW64\Ccbadp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgmjm32.dll" C:\Windows\SysWOW64\Ojemig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oafcqcea.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe C:\Windows\SysWOW64\Nnmopdep.exe
PID 528 wrote to memory of 4340 N/A C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\SysWOW64\Odpjcm32.exe
PID 4340 wrote to memory of 3340 N/A C:\Windows\SysWOW64\Odpjcm32.exe C:\Windows\SysWOW64\Pgjfkg32.exe
PID 3340 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Pgjfkg32.exe C:\Windows\SysWOW64\Pjkombfj.exe
PID 1648 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Pjkombfj.exe C:\Windows\SysWOW64\Qgallfcq.exe
PID 3116 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Qgallfcq.exe C:\Windows\SysWOW64\Qgciaf32.exe
PID 1948 wrote to memory of 1180 N/A C:\Windows\SysWOW64\Qgciaf32.exe C:\Windows\SysWOW64\Aegikj32.exe
PID 1180 wrote to memory of 4184 N/A C:\Windows\SysWOW64\Aegikj32.exe C:\Windows\SysWOW64\Aanjpk32.exe
PID 4184 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Aanjpk32.exe C:\Windows\SysWOW64\Cefoce32.exe
PID 2836 wrote to memory of 1716 N/A C:\Windows\SysWOW64\Cefoce32.exe C:\Windows\SysWOW64\Conclk32.exe
PID 1716 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Conclk32.exe C:\Windows\SysWOW64\Jpgmha32.exe
PID 1620 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Jpgmha32.exe C:\Windows\SysWOW64\Jmpgldhg.exe
PID 4144 wrote to memory of 4980 N/A C:\Windows\SysWOW64\Jmpgldhg.exe C:\Windows\SysWOW64\Jmbdbd32.exe
PID 4980 wrote to memory of 3492 N/A C:\Windows\SysWOW64\Jmbdbd32.exe C:\Windows\SysWOW64\Nloiakho.exe
PID 3492 wrote to memory of 436 N/A C:\Windows\SysWOW64\Nloiakho.exe C:\Windows\SysWOW64\Ognpebpj.exe
PID 436 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Qqijje32.exe
PID 2688 wrote to memory of 4412 N/A C:\Windows\SysWOW64\Qqijje32.exe C:\Windows\SysWOW64\Andqdh32.exe
PID 4412 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Andqdh32.exe C:\Windows\SysWOW64\Cfpnph32.exe
PID 4452 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 1524 wrote to memory of 3264 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Emcbio32.exe
PID 3264 wrote to memory of 3400 N/A C:\Windows\SysWOW64\Emcbio32.exe C:\Windows\SysWOW64\Gekcaj32.exe
PID 3400 wrote to memory of 3804 N/A C:\Windows\SysWOW64\Gekcaj32.exe C:\Windows\SysWOW64\Ifihif32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0820ef123cc5c35ea59c6ea27321ed20_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

SHA512 56cedf798f44cafad85e758ae6cc1240b40194feead032680010eee2f2ee0768e7931310d429df6bfd34d7e0c68df19a3287bd8ac77cb3280fda2fc7cd2b0f80

memory/3100-223-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4144-222-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jicdap32.exe

MD5 d6051ce632ba8f1ed20b61477c092a66
SHA1 6036d6378b255cb1a00d4424516545d0b2696ad3
SHA256 2764e8d09238e04488b80f645ed53dea1707be6ccd4e4da681fd646e4b2aed07
SHA512 9a131de3389ef9dc15814760d9910b0ccac45373e8faed68782d84d531cc1795014c5a9ff65002ee9a81bf788211769c5c55fe5818e7f1e871f3a63d9cd65cd8

memory/632-244-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2688-243-0x0000000000400000-0x0000000000433000-memory.dmp

memory/436-242-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3492-241-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4980-240-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Amfjeobf.exe

MD5 c723198506c9ff2b03cc0372ec14a121
SHA1 f4edf5ba17fb3fdfd65ee42dc574cf138f70b8ea
SHA256 3341eab3b4ca01127ecf6ddda36c1eb45dc7bad50c08306711ea8e25c318fe9b
SHA512 467f387aed2bb44884f7a23b36b6f37c2741e6212ef775cf2f2dfe0d1ca6537cd10132d63f7c1087e8fd655558c8d19f4d17e394a240593409160ac0950e6143

memory/684-251-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cmipblaq.exe

MD5 5f737eff5efb5522bf5f6cf4da7014ba
SHA1 0e2a593b29bc447183962d31203755520d0fa9b7
SHA256 ac77363abb63d7028a94615716c824427c29ae55641017117fac053d65228c82
SHA512 8d4fcf63a3e841ca7984c70855d49b5f2cc8aa20df28a2f131b270fbe6c4feab2fb8cace8d109fa8b741e1ef3717f8429ad900f2b778a6ac1617ca262a298cba

memory/3660-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4452-262-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4412-261-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dcogje32.exe

MD5 2ca5c0e1fd60a6aebc038968d7360a5b
SHA1 86f7d9efb05334500726a8126e65a88a02189185
SHA256 52937f6d98f0e66fa66287f1c4be7ff73aad58caf78aa3c54d2b9b0314d29009
SHA512 2ed4eaefe734bbe0c86411c09d69e55f6e498dd0a3ec3c7f75d6be808a5b13f45aaebd4d2e01c44c7f614c63145badbc739daad3501ec3241b5e4b1aa8db2093

memory/1668-272-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1524-271-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ehhpla32.exe

MD5 c2584875dfbf7f10af6b7e4205c83110
SHA1 875c903cbce19e816f9307f4a81ab865f3fc3c54
SHA256 b91219c9dfa4299cd33d5eb33fa99fd4ae2f58f6c559fe472c877195eb7591c6
SHA512 194263e0f286188f1bc44c78d8b84ea0966ba19e1480cb8a1c1707f2a8b7905ac9bc4b797cb2eb48081a2af3d1b1eb80ef70416b53c140245fd4ac4cc173e8c4

memory/3564-279-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fkpool32.exe

MD5 0b66037ca7acb8567771f4b136db74cd
SHA1 f4109824f5cfd8698ff2bd89340fe4266524dda3
SHA256 b8c0ea3bc4bba5a7c28a01b81255aadaf251c04d0a0e7aca7bebf731f44267e8
SHA512 c245e203b4faf12d911cd5d2e567f86d8ef0c72e6285fc073d324a5f6fc3863e9e0760a7cd49dfeb2e9bf06cbd4bc926fb46f5b5d9530b5ad14819cdced6f211

memory/4900-290-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3400-289-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3264-288-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3572-297-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5112-302-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3804-308-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3172-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4280-316-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2172-324-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1928-323-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4544-330-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jgadgf32.exe

MD5 99cf3cd85491c3835cb31fbb86cfaa61
SHA1 5a4e8bbc9592a3cd547c85e470b7d2633f9b69dd
SHA256 b04a781be92ed5719508e0f46f0e0de7f4e79c4e7891411c50cc87070fc910a0
SHA512 e4a887a38ab8e43dd9507a7a23772bb12a9fb9b2612f3c2934f00f5b314462d16ab6c6ea730cb5f7ce1a359e97dfd24c1a02d1ca246cdbcefeb36baca29b9e4f

memory/2952-339-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3100-338-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5064-345-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1568-351-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3864-357-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3468-363-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1816-369-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1160-375-0x0000000000400000-0x0000000000433000-memory.dmp

memory/736-381-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2388-388-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2876-393-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lbkkgl32.exe

MD5 73b069102841051efc39cb36c00e8dcb
SHA1 0d0682d67cbaad03cfec2f945f421d09ea1f7763
SHA256 639c25e042a26d0fc29920b898a1b5445b3c78f2d5d7eac37e76a6c7fd9621cd
SHA512 b7bb8c93a9a1141da30deae415e7a47bbb6a23188a0745c63e42af8d24e633a48049d54b5a55e88c9ed04f3da0eadfe162a9baa396d0e20bd10efae0746bbc7d

memory/3552-399-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2464-405-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2596-411-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3472-417-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2592-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1464-429-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3476-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3288-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3392-449-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4904-454-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nemmoe32.exe

MD5 6ae231b13ecdf980ed7a816ea180289a
SHA1 ed8a2fbda1b6bad52e6027c922fc4b6900ef3851
SHA256 dc715400e5492ee855ad13409278c1abc7c72a81be95c367afea381f42b7d666
SHA512 49a61496d82a2ae574e02a84d483f052b3b71bd22c066a8843bf999f958a4a833be9bc06c4f168ce9e8d139033293d7bb486ba6cc22d5b3c398360e770143988

memory/2748-462-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1664-468-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1428-474-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3140-480-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ohghgodi.exe

MD5 a69322a0b7813c1e5ebb8ba672a9ba0c
SHA1 50b3241a19d169ecb9cbe1cf96703bb9b4fdcde8
SHA256 3e51fce78827eae7075ddb35aceea644f8095609ad43cab0b4a1c633aeb55c4b
SHA512 b5afb67a057ef76b038fb568d599e24288b2cd23b7c733aeae9429948f7001602c387a28ad3d5081822e6bd558e15a025edee67e8de23750eae2c9b97d03c2d8

memory/4668-489-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ooejohhq.exe

MD5 c456b73a4221248d4ca63c1c30833a9c
SHA1 6f5ebe10d16f5902d6be77863fc7a32f6ff98691
SHA256 277339b271e8eb02120223153eb5add198c930d60f37d76694c0027520b4dc25
SHA512 f2d4615315017eef8e35274e731f2d3085825dfcfbd133d964c36e84d4064dffbd14b9454c1ee22e0c8518aa3aab4ea10f82a92057ba072ff8ceda75c4321c65

memory/2228-495-0x0000000000400000-0x0000000000433000-memory.dmp

memory/728-502-0x0000000000400000-0x0000000000433000-memory.dmp

memory/632-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4848-510-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3008-518-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pcjiff32.exe

MD5 24bcbf1dcc5094f4293d2371fbc8a118
SHA1 1bbccee6338f8224ae096095858104c6b4b042d4
SHA256 cb74f55b1656351a0f59384d4cc625db271ed002a23121d9e8873a86757827f9
SHA512 60c18467f4797946cedd105b4c8c3ae48b8f9684fafa9582b20e795436b5b84f427d7db706b1a80f05d2345bfbce868f0e811f6ef5f0a754e8a257c9e76eb9b6

memory/1656-528-0x0000000000400000-0x0000000000433000-memory.dmp

memory/180-531-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2680-538-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3460-545-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4612-553-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Acfhad32.exe

MD5 5e72f813932506316c55729a3cda5282
SHA1 f5564338da3fbee8a5a25a7d863363457de8c90b
SHA256 b914d5f39f2ba726fcab9a83248fff342831921ac362c903e7933a9584d1aa12
SHA512 8af7726168f860c6cded65b4d472dc8e66ae8140e178c4bec2905dcb6ca5d3807211003d888ae59796585cb87e856534b1585bab254692e44b18268fd8366d5f

memory/3056-561-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4340-569-0x0000000000400000-0x0000000000433000-memory.dmp

memory/528-576-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1528-582-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4552-590-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bohibc32.exe

MD5 6aa502c20b1535efc0e64f1904d609c1
SHA1 a7f95a76ddbefe068deef8812f4d94fb6759e8ec
SHA256 b2bc59f863c6cc30e95168e84530e4ac0ee424f80b3e4fddd62fa15cb1344263
SHA512 e565525b22b03f2cf910d0584797af35314f0e876f31503c36ca8c2dae9831aaf778a68cfde3991f4e0dda51f97c3d44ac7bd05381b42eb647ce9bcd2b041bf4

memory/684-588-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4820-595-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5000-601-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bckkca32.exe

MD5 f94c390c9bba05873533cb0917d06617
SHA1 85d753299e02d26397f7f6c62da215b9fe1a28ee
SHA256 bc7cb2c7d431df5cd3f59318a0c998043527002ba82710192ea9f48ae0f9c2e2
SHA512 942d349658c2197743f222b60686228a183c9a105ff122b86df4890da7211c5c3c602acb26c8f9b4bfb32e392d83a0a0d9f89acc04b6b8dcbe301aebd9d024f2

memory/3388-608-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cbphdn32.exe

MD5 a44f5334d2b7ef7743cb18f85499fe8c
SHA1 ea1e59e2357e7e692411489dad5dad45acd2867d
SHA256 a1797a8adecb0d229125cb7ca92170846526a2aa2a5dc78f6019281c44d41240
SHA512 ae79b7ae9c1609f022520bad632285505760868e2a18a1c79e7b5da3549251f1e7b80cb1662857ad7a0df9a947615a9a7ae5d74675ef3d3d48c214fcf5e0b3c8

memory/4824-615-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2008-622-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dfefkkqp.exe

MD5 843aea48582701f83c8a20b7bfd124ec
SHA1 5812d0b2d68811dce6e0d1885a9d63393481b204
SHA256 59104cd62e17583b1b62adf1707101166af138b00cfa6cac7365c8aac7e33ddb
SHA512 e7cacb6ca3e9a01bc5e62c992986dbab3654b19d9545a314f3f98cd7c652e5922ce54bf0debb6e9220d1bfd21c63b1ad01ec1369f6c2efece8c47930d7e62f6a

memory/1192-629-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4608-638-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5176-644-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dbcmakpl.exe

MD5 0bc489eaf023b9a9dcd1d6940b6e7261
SHA1 5b7fcf582a14f49ac7b39344eb2dd087d329dbac
SHA256 d6c73f6cf928fea68d164a1d613defe28680bb3b5f7f7315334631fa0da7eda2
SHA512 cc760503673dfbaf0fbc14ff6b2e6d0029e75ddfaecc756ce66869980b4e1d900751e91a49a4f237802f7359fe119200f6baa9eb7c4dd0fdc29858f40fbd74fa

memory/5216-650-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5256-657-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5300-664-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5344-670-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eppqqn32.exe

MD5 215f633d964036ea847bc432b1289c78
SHA1 eda50e3d6ee34aa1dc6b10c4a9b439ec21e10e0c
SHA256 1391814701e662ff0982f4fec794ba286f1eb1361ed0f70eafc653e73a16ac9d
SHA512 4642e026f5cd7e31f16f15594b0a1b5f1690506868961d957a1493316e326063297d53ca605666556b1326b24e5d76279fe208e025aacdab2d71d3a4779fec7e

memory/5384-677-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fikbocki.exe

MD5 cb6df7ab664137ee16fee5b3a4cba4ec
SHA1 07235040b6b9c3e0c92c4a63962aff7f6548b551
SHA256 913ac2aee37ffba86cbec88a8dfd04c702437f0704765de0a698d7ce7377afa9
SHA512 96cbdcad5e056d64d0c62caf238d48ffb07edae09bdcadb02f3710eca14fa1a6cbe1a749e4c0075c101c977237bf763775b0921368e71ca1f5b1933aed8f407b

memory/5428-683-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5472-690-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fdglmkeg.exe

MD5 f945f8e1f1a1bba688fb76e53bd13d28
SHA1 35d78430fb6801978b3e11995dd9d58f6b0f63af
SHA256 9ef7402bdad88cf5a19b18f8c535bc167cbd3d6c6b04831dfdacd4ee4c09226c
SHA512 786c31d8cb835bbf682e0e579d5212750f34de06ca016bb9d2a3c1b40ef79445732c66c5eb9dab8facb7ba805f82930b0992367c8f45ad069c4f1f04bda8afda

memory/5516-698-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5564-704-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gikkfqmf.exe

MD5 891a3f584c5acb4e63a7ee487b46cd59
SHA1 0234beee56593fe36504c2e1c1ccc1471eec5345
SHA256 e3c96caafac6edb4e1b79306e5b080f9137ffcce07c550ed07568a3162f876e9
SHA512 ff26b23866ed7f0c909101e55ce168b7a6a43a57ad3083d0ae0de9ba06fb276e8c1fd7622c1059e220a7b6e2099b0c7a8bc16add2f6167dc2616e9fa4fc596ef

C:\Windows\SysWOW64\Hibafp32.exe

MD5 4308b42521d3c09502f00a51bfdca917
SHA1 b4d5b95e28d4238f768f32c44b5f41c84dd1c005
SHA256 68652616695ae3ce0e9b4a25ba648710adf5cac264105ea78202b51c294c2f0d
SHA512 edbff9a35b25383fa01f3099a851019e77424e938c561a408392964b447c530ac0514fdc97400aded8d3b4272d2aff3b1696fafce2df1191d902452ac8d801fc

C:\Windows\SysWOW64\Hkdjfb32.exe

MD5 30b7158d20260463d69403896518d915
SHA1 f74ac540e1e95cfb08fb3db5f51ee46b295efedb
SHA256 90ce21ceeddb859e97a281ecc15191880583f895473fb94ecfa4d9e844bf0b8b
SHA512 c4c26185fbc8eeda567c15c571db818e0bd73231b063008016f96ef7410e3a571e455206a30b7615bdd4211a451175bc114f3ecdd1f2da1784b052307f1c0fac

C:\Windows\SysWOW64\Idcepgmg.exe

MD5 aaf68331cfcfca072edefe8d4ac0cb66
SHA1 aac37e35186e64b95e2ace651ecfa20cfc2f8ae7
SHA256 c29395307479956aa37630a6a132520b08db4bb27a35f82ea2d5bd34d7437dfb
SHA512 045dc3671589104ced0038e52014a732e2ff648235d582deaf5bead9b60ee455820465083915cbda3743285f94484780f28b48ccb2814767ee8e7904bc3f9e6a

C:\Windows\SysWOW64\Idkkpf32.exe

MD5 4ef79e8be933c42381a48cd4284647f3
SHA1 873f1959f8d0c0f55608e49802281104e851961c
SHA256 943652f9c404a08a23a48c085e3b366d8f2b3de46872f00f92c73832df8d919e
SHA512 869498908c4b03ffc3efc2edc6a64fa514e9a4c506859280f5cbdf26c4a02ca888bcdfb8866342ab74403c607277bb4200cdba7984fb33d33ffdb4bca9b69fa9

C:\Windows\SysWOW64\Jlkipgpe.exe

MD5 f7bd801008081bd61f12a6b250ae630e
SHA1 fb062d614a4ddd96bf5d8167f29cf6bb12e311e8
SHA256 5d9d1e75661cd305b1a3a9d83f5c5f1bd2d18208c202d7b5513eecfafedb318a
SHA512 29cecf70a371c7556c7f6a8624e4a1e4e3202de8332088a024ec9095be18ec792226db40a1e657b43d12dc1cc87efbd5896492efaa1028a8b765afd0021a63ab

C:\Windows\SysWOW64\Kjccdkki.exe

MD5 9546723087c36fb4f4ef5b54fbb1cb47
SHA1 7e297d2bd144e83992b5dc3c0b872520695c618a
SHA256 b4aef6d8bd744ca2681c59c6b1afc57e1e13d2fe7ae4c427f7ae7056fd253954
SHA512 cab59a348a3e79f6e4efb8e6e49e68c6f509a9922d83afbedcc3973ba282a8463b611f7f2586d63dbcf490e9433f0badff57397006ed104e2c03e5fbb0bb8e3b

C:\Windows\SysWOW64\Lmpkadnm.exe

MD5 ca1a9d07460c4701eaa05e21fda2565a
SHA1 5e88028ce5093c00de68b7cbec0d1b9095d44a43
SHA256 09105e916357f6b010381a4cd848378435c605a48a9e4896cf8c50d7da9e0aab
SHA512 996ebfeb0ce8e195544680cb3a9821b0af3a465d03d5b8ff0762540a4f560a0eec82dedc6af4c38b28791849d1dbf5c0c9a8fa5d9f908af6bce09e303e5fe7c1

C:\Windows\SysWOW64\Lqbncb32.exe

MD5 378c448a2dfb62a87264f5e6cd6b897c
SHA1 a58d6fd45abc922b460e589a03aeeb82e4202ea1
SHA256 10c3391199f8b45ee99596323711b3c966550578044b989c8ca73e50390d6102
SHA512 af7d10946a50cdec84210990f40f5c340acd87afee3b95421b672ae170f790627d416a4cfff44eb582931d9cd455db894e004146ef8ea94b585ac2f61881ac1f

C:\Windows\SysWOW64\Mjahlgpf.exe

MD5 69a266f3dbf7d406f10da6101613b707
SHA1 89d2af3eae67371b43713cc3312cf4d5158c123e
SHA256 4e4492efc4675ec75d16afe39f8acf76ea02da60c81d86b35df2ce5962839cd6
SHA512 2ff225ba69c354eba2acf3f5645033b6f1a461d185c00331b845125f1ffa7bbe0450e329bec36fee0963ed249f4d27f94f1890a70ce046d6e6453ded069e46af

C:\Windows\SysWOW64\Aahbbkaq.exe

MD5 4805434e06df6cc3c34d1daf62476446
SHA1 8092c54a9812da0852ee5731933ecb9e0959e050
SHA256 793d0dfc3f0fe902f0d8e9fa2567b589dcab81c5e2d719f5d38571addbb0c219
SHA512 4e99ec6a68baf54d738f64f117dd497a2850dfb93535e508f0b0e629b185c8cea79d50823f4cdf9f5ad15d1be34d5cfb16f0a9dc17ee909d9ccbca95d95906ca

C:\Windows\SysWOW64\Bhpfqcln.exe

MD5 f72039ec082445bac2612bfe9555dc43
SHA1 6b7d034d78e42feb0be1bc4d32847bb867a613cc
SHA256 b30f2f864c9456b2bd310bb08403902398161befec21cbd7a7b31bb3afa31335
SHA512 3cb98061600995970e672f7595b517a0d22e4c9bec03d8802bf9589b337c15dc35b3d8848bf5621afcddc0072402f9249b1b39d60ce4526864205352410d964b

C:\Windows\SysWOW64\Cbbnpg32.exe

MD5 992d69c50b3b3481f703f8d243c2672e
SHA1 61a5f70e02c0bae45b9e0bdd21558b5fe62f4380
SHA256 6d8a9032492a470cea3518dea183a4023513b4e1eafaccd4beafb47160dd1863
SHA512 58462d5478e90bc8d5fcd3f2211c06dd7665977faf5897e970e3293e7ff9dc0a8e43fd6e5f845104caaea75cb0e8bf04819dda57a17e88a576d84392ebd793d6

C:\Windows\SysWOW64\Fiodpl32.exe

MD5 372d1c179f69d2fa79d1cbe34f807868
SHA1 53778b0b970fa712bfeb5e74039df5f562452af4
SHA256 f04585ba2c5dd26f11da7a244421198672463015058d03a8ece253440447de1f
SHA512 1d95c89437571372150772985fd1f67a90080f715f70093c01a10c1bb7557260b05175b9c4adf7af20102b487694994bebc2f39c2f42b7c33e0cc7827923ce72

C:\Windows\SysWOW64\Gfhndpol.exe

MD5 d25cc4e95d305a058c222da15f2bd74b
SHA1 6a708248edd63f395faeab3a31ad62d42dd0a2a8
SHA256 bf52a2d9d47e01b8ce63c607dcf922f70f95425a7adf0ab7869c8bbb4e24370d
SHA512 079f78f8124343db788b18fd4adf688edae1b47a55d933f89a2043966a5292d37f63e0172a7bfaf90590bc42087de41947110929d4bc6531cf4cfcb056bcb129

C:\Windows\SysWOW64\Hlglidlo.exe

MD5 9a04f92019ef2cdcd48e72c5f876fdc6
SHA1 5fbcfdeed14faff7fc3c241c2f92c8b00aa24392
SHA256 ee68098b36a254acf657507eb66d311cd3e24c3a44ec4b4f2315d04925da074a
SHA512 803a3a8d860f829f3044e4878057c6ee1586d7182ea9edcfcf26fb054c20bf7cdd7dc45cd7a3ad7eb5373b144702139714a40cd5950894ff5645074a183b79a5

C:\Windows\SysWOW64\Ieidhh32.exe

MD5 88662167ee434e6c96fb5940e6b41236
SHA1 1972c7c30f00b53dfae79982d49b0bbf332b88ee
SHA256 b880f9cd2da29dba1219db040b9dba653a9338158c818b56d403ee8224a43e69
SHA512 7143465d11bfd2d1e1f4a446eca1be1f966d29913fbe5b336ad66176d9341cb5e36e59350f27f186af4fd5574919d51a65f96ec13924192288c3a70225d6705f

C:\Windows\SysWOW64\Jokkgl32.exe

MD5 3ffff3c80421cb59d39111cb87d7ff4a
SHA1 c389d5cfa2c88343d8d8215f40d40bc3199886dc
SHA256 9086a664a90f0f712b7a4fe66e5ad3e822a34897a833ddd56a6b09dadb6a2c96
SHA512 786c84506dcfa22835eec5f896417d89e589662698c2e19d9f118f9755ceba9daa1bdf3b77364a6762138f7dcb15b30ae9774e93cd22abdf3d8c4b57d8666523

C:\Windows\SysWOW64\Kpanan32.exe

MD5 c62daaccba7137d16f1b99068e95ea08
SHA1 c60511cf0a90ca503da5cc7b8b7da1a0aa21490e
SHA256 4de7acead38114625e876830b5c7378f07a72333a299c070a414987cdbfdfa55
SHA512 cccc1d095223f4a000c2d22f7c21c163905caf9d5d571c574bfd7ebe1e139d4665b6287caecff3694e12c9ace69687d365a876dde46bb8649218909508c2df96

C:\Windows\SysWOW64\Lcimdh32.exe

MD5 60ec80d5876db20408e9b9d106a8e257
SHA1 656ab47a07622f916eb3bd91430df17af09ec5b0
SHA256 bfd8ddcda2d7e9cc241d1c9d6872d205e7b95a2dc5a3b061f5054ac27cca3b09
SHA512 538cd37596141ed4e50bc572728a373015b7771371c39c29cb5a3fe8e0a99dfd4be457206ab72ae0d94187d3ba8e0f8926ccf77e8e4a796a3374eb126434a973

C:\Windows\SysWOW64\Moipoh32.exe

MD5 0cda762fdaffb2d9a5dc74fdddaec5c6
SHA1 8822a63f83c169c3136f8f2d33520a968c05f78d
SHA256 d6d59f80d068caa1a77684cf39676712684785c9a1a4b5c70c7a32dafb1efb91
SHA512 378f61e74b9b2328f2bb1033df57d92984496e7a4691304fefe15649dfbf855e757e67302df1ae8b7f0e0e84f1e085d920f54b3028ee7ec48bb7b6eef1bef725

C:\Windows\SysWOW64\Mfhbga32.exe

MD5 1b9c7a3563f3e3a322a922a07401737f
SHA1 471cc5dbf9dde66bf9119158678347ece7c898c1
SHA256 2558598d01575ff98eaea30318dd590a7c07584ea1581e37ef48e95d21c87b5a
SHA512 796ba896b5852bd8b50ec5a6df77834ef0ecf2c200834b5e4a2fe14fcd55f1b69b843024f3bf9c5ee9f2737a920755362ace77093be0fd110eb0fd01026554dd

C:\Windows\SysWOW64\Oplfkeob.exe

MD5 7e3f17f3e8a0b687d2f5338f26f7da15
SHA1 b22a7028611aa417817e30200b8d79caaa4098ae
SHA256 d457604fdf65182d762dd4bbccec73fa2fd5b34a22792633f2c26ba3d890ec97
SHA512 ada9aba1ddb47cee9b2ec39c0d0ed9c65ad56f05ed82298b3f12c99435fe1fe8fec979e1bf4197e1de3bd4b84b9256a0675f0de8b86af2768cd7784a12eaec8e

C:\Windows\SysWOW64\Ofkgcobj.exe

MD5 c8bba67d8a1e50d1a7bd2417fe63af0c
SHA1 3fe58436d98318e8f1117682a6c11ce292c82cff
SHA256 cb1bb01ea50f15d668377972c4e7627c4776d4633c4a234f47e052a70b3e0709
SHA512 a768513ad047caf4cd77f5f41fb9dac71c43c7a6b03e868956a751617752c0bb5f2578524a37cdee00a5c396ec410e7b1ebd859bf964612d3f20dd53fe384c91

C:\Windows\SysWOW64\Oabhfg32.exe

MD5 d7383623c378bdceadbbac9ce96324af
SHA1 c67dc6de050df253519fb0b83d5f7878b6f1e5ce
SHA256 1c0bf766ca6b355e4e7f21bd7702b357a3ccedbf46dcebb0b5e3879ce8a39648
SHA512 930eb9fe818049ce1a02ce80eb63b5ee11c879d4ab4be9bdcc5421f7385b65a5f9730d3720331956d26bf50856651f1aa50dfcd29e4f5c1dfd00c675a845d8a9

C:\Windows\SysWOW64\Qmeigg32.exe

MD5 9aef4982dd9eace6caf1f287239b8a17
SHA1 7a61418aa4ac03d099d36ec9408af7ec879ec55c
SHA256 3f2c66b67b09a9bd64705b6ca256069bb9a57e3789e3e4b731e4f596e231469e
SHA512 55fe5cb71a48b1bcc3cda37af91dd89c0dccda81a722785e3f92cd2007f40ea9203ab51b82ba7cd833ae65d7e649c5c3e7056b76f0afd6e6a6b2aeb18bb923be

C:\Windows\SysWOW64\Aagkhd32.exe

MD5 16224cc1e875ccec830c4d61eb214640
SHA1 730afa1650a96d0fecd6fb57812dc89930994105
SHA256 d6837d550afd8aab539feb2768db918318490a0f231c8e9fde95408f4800385b
SHA512 c6f0f611b8f45ad12cb477adb7933a9a58e227bf6e4f60107d2f622c65dc7c1db9fb5b0f0937233e58a385b6d7736f19a77f2878d45ba1a95858a06363b88863

C:\Windows\SysWOW64\Akdilipp.exe

MD5 77a6e0b7fe6537d60af0e96a8953ddfc
SHA1 4d155672fd46ad1dcbad35aa2781b56e8627eb8b
SHA256 486c4ff34b987e0f692e5ed753b2161a28f9f023182d8d847b6174ca8767d694
SHA512 159528109ab2ae4aebd66b56d457d25aa6470029067e561e3ba94bcfa1b86a63e8f347e935505c916a150c005b7158436c87091573aa6c30f060e363ea3ac629

C:\Windows\SysWOW64\Bknlbhhe.exe

MD5 4f91ae1e97ff12d01fcd7bfb7c70b334
SHA1 cbab7f16bab6031d033ccffa8d6fce431906d860
SHA256 2105f0d999c36b53918374e1bc61274d6e9b27c2e6ed06013317c942eab98857
SHA512 59a0cbe678207f14047ac42810e6555a671ed2bcd3b101b105d85f93bdf1809d4a7448f675afa9ec83cafa4c35ec2fbfaffdf7673b225f1f2889d7ca6325d46b

C:\Windows\SysWOW64\Cpfcfmlp.exe

MD5 9dc8f25e962f8cda6b5b3e81d62b030b
SHA1 ac07f4a525d342d130d69946584603960b596790
SHA256 2c940e7a3319e36d0c2b186706d1cb8563618d533c37766c42c3e4a6c16df7e9
SHA512 448b234878b0ce36f0d88d68457d127a82711a918fbad20a2972f47c7a2c2393d11dc7f8bc197dfee197b2ec05b2c36b025812bb754903c1d1bdd3d63036c42a

C:\Windows\SysWOW64\Dkcndeen.exe

MD5 48c7aa4fca4a88dc13a83931f6be35e0
SHA1 1b4b9227a380d5a32213ae814e677b521f7d7afe
SHA256 df3b4bdc93f811589d749ad78a72ecef55ff28a196a9d62f34ec9d08efa927d7
SHA512 8b8ebcaf1f107935d1b9cd8e8145df5f54886f80151db81c539dd221de5a3ffe3a75bc4e20d87679a84525b2cd6fa4663552eef081c54154fe7394b558b33e3f

C:\Windows\SysWOW64\Ekonpckp.exe

MD5 6e7fa260426dca17530a85b4a346cac4
SHA1 6caf92cd08a6105d2c61ca226c1f19978630665a
SHA256 312220fc91bd9cb87204c69eebaea0f2f79233a57ff7d6d71bb81f7315e80e96
SHA512 505d322b86489e3573f76515d07e944369e122b77d0be60c160f9a539f93f52ae35be908b6404fbe5f1eecc6daf986f3feeb3640f93c174c8724821e6481b186

C:\Windows\SysWOW64\Fgjhpcmo.exe

MD5 1c9e44994f9a00572904355a754aab5f
SHA1 610b88457eb85378699cf282230472a74bc80cf8
SHA256 c64a6295bd68dd83ade0b76bab2146035e5cf9d4fe7bde1119c596611389460f
SHA512 7842166274f6bc1d0cc50de4d491e1e4f12256d2cd0681428b3295dbe86ed6678c6a7e0321900f86720457364f5544ca6ccde02d0bd556849696bb65b4505be6

C:\Windows\SysWOW64\Fecadghc.exe

MD5 40607d1422c7d5ba2ed7c930d5469477
SHA1 ad860a58b0af2ffba758e8c0f884a2b25df4d345
SHA256 944821500bf3faf38c23de61cca5f698db147e574795186432c28e7d34097475
SHA512 07fe8499d9e320540cb8010c73400ddcbb396a23e61c81b94b1fa5a0853d2b471056c88ffe1c0fe090a51aa6170077c892cca6b5f4027a1dba1117b7d70f9ccc

C:\Windows\SysWOW64\Gkaclqkk.exe

MD5 b131f022c6f96c096fdaa4ea0cb7d077
SHA1 dd0f5d4b68591dfa1430b122cf2e327752e810dd
SHA256 35d71a3aa5260c75f27f0329f3ed51a9a0250d6d15455eb4812d7dabd2259928
SHA512 61cfe843ce4192162332b82e70324995dafe322bf5b33619f1bbce6a31d7918ebdb42d4aea116a8260754af4b065d9de23f06e3384bdd560f07e49d335b8d00d

C:\Windows\SysWOW64\Gbbajjlp.exe

MD5 c8891637cce3e97742eb54c9913e257e
SHA1 991ef1d98909033af2bbe99309843336fb551efb
SHA256 891aa0cb54ce3ca0f41e321f5991960e7ab41147f460b61d07ac332a9398c260
SHA512 f81e8a4c6139fd23c43348dbf6dc288b642975d90873dd25c7ab0dc6192900bc439ef461c69f15a63e2e6e893f3e490490c4ef7cf65bbfea9219a26491d7350d

C:\Windows\SysWOW64\Ipihpkkd.exe

MD5 e48e41ba2e382bf8dcec8409e6498edb
SHA1 9cb25b91139a00b3369845b75756447395a75358
SHA256 2b71cbf1bd4fb4b18421e1c94f2c295d8a5b4fc7b0228ee9383b9525ca509bb4
SHA512 d701e0671be6b18f858ec89fecedc0aad49c55dd9e099f7e94af41a950d7c95b70174f0a276857b362a1b9326587f890cd1385642178c05d6b3c9126271a77cc

C:\Windows\SysWOW64\Jbagbebm.exe

MD5 97fd1e84d68a3619b607f906684f582b
SHA1 e43382dddb589967f769b03c77efdee8bfd7bff1
SHA256 ccfa98f4f29dc7ba6aec31ed6ab8f6bb29eb7026c6954ab60a3e4973ab73902f
SHA512 9e651d9ed7d9cb01e2a1c7957a2fa559e6147f8d8c1285b296ee24af6cd4cdbe95631d41cfb11abcebce041a9d4930d3ebbfcd8a4de3f53d4cab6d273efd12eb

C:\Windows\SysWOW64\Lafmjp32.exe

MD5 f57a58b83eb626f3ca3bce988a8d1ca6
SHA1 dc536355db82ecfee789bcd0ced95abb723b3b31
SHA256 d6c300a68a2baffe2fd9f3feabb649eb9116869f054a05a5c31302a96ba30122
SHA512 88ec230a03ea152bbd878e5624a9a60f01cb6099e6adace5136c305e607baf599332e79624ea4e24a01b6ea517793442cf0895941c9a75148173922cbd16c022

C:\Windows\SysWOW64\Legben32.exe

MD5 e237537343ff679ab4ebe483fad5e6c5
SHA1 70057b4e65e55588930cfde6b069b4f5ef9daa73
SHA256 cbac35ace2188df3a7d963b28ca76731345a4f6d27e9057335220d3d0533c643
SHA512 26c4ef8c09af24eff07ee619a41f4ff5db253325c172aedfa20496a69b424fa554e9fb33b4576250defa9bf6fa37ae632f734031c9f21d2180e61388e53175f4

C:\Windows\SysWOW64\Momcpa32.exe

MD5 cfbb64963d33e6c1443631379c77155e
SHA1 45a1e5c17acdf147fcf7c4e6fbe026f6633a2c50
SHA256 c4b999d39b867e89be6315c4dfdcffee739f134cdfd5508f153b2df172b0696a
SHA512 c3a45a4bf9b8cdfecda7a2a970e4e889733d66e9b229a08df9d869515c8285c9edefa997eebc053affc1a866d608a7e2fb9c8e2012add19c20edccd63b40d9a5

C:\Windows\SysWOW64\Ncpeaoih.exe

MD5 4e8aaaf371e76b8c39c985e3068626b4
SHA1 996a5ac6a4010e50045431b6b24ac3eceadc9996
SHA256 e4734656543744f75353d6a0524a5bdc26a7e9990730e48648aed65435d1799e
SHA512 b1aaf344fb6811376c84b8a113bfa34334a1213b1bab8081f65891471d908b4a7b750b227ad6afb7e4f92733115df191a78ea28b74f16f6b5ffad4bf5bf613b6

C:\Windows\SysWOW64\Oqhoeb32.exe

MD5 b58778c9fce950e36255bc2ae99126ff
SHA1 80b88dd96e66fcd5c3e7b11d0b556c8eb06de6d1
SHA256 0400be87a337c61da001f9006e4fb9b6421d7aeb42e4f85a19da402aaf7ada75
SHA512 cd6eb43eb95c2ba29275c05bee2698df6d84781d7a2dcfbebf595bbc5ab7e1d747c4fc265f03b07f4552abefbafba5b5ea60133b797289f9ac6a739721b5a697

C:\Windows\SysWOW64\Pcpnhl32.exe

MD5 c13c424b6fc923091af2877fe2e91a40
SHA1 44dfdf7f0df43674d6468b6971f5fd7ecb3f3f4b
SHA256 1d832ce678410bc398c4a71575be25923e5631aed1a3e9d4601e5820380a5098
SHA512 ff84f2bad6c8d0ad7e1fd51fc21be501d48b4e6d0f395f2f08c4acb88c7343e2571fc67d994cc0c72fdb70bc18891343dedfa56bbcbe54137ada110b64b51615

C:\Windows\SysWOW64\Aabkbono.exe

MD5 0c79a190aa0c0411a6347e3cf182ab4f
SHA1 6e91c6ee5f8b9e1b65a2532ec68615734950c7b3
SHA256 b1759d711ce9312e23f9f0d3e7435d2e0028fc04bd79bebb62c51db516c2ed9e
SHA512 c8935628aa6328b84e21834cddff543f0779c93061e7d02cec49fd45a66aca05cb333049a7c357083dfcfc27fe225705f65ab3caa383f95d4c3f838d7469ac22

C:\Windows\SysWOW64\Aplaoj32.exe

MD5 83fb5ce049acb8a3bf469b99cdffa387
SHA1 a19ef0e7c91be2e4b940fb33f7af715f1b34d2ab
SHA256 d8ba3a6bc9f9b06e4129489c4c59ab5506ce159ded2a5e164c31951366f2f8f9
SHA512 68e2c203f8bbaee3423c6534d8156f77450412c2c843ed88333aab4e24595588ab3196529d0488788a28f64983790ccfbb4f79098e4fbd99ed6d9a3a5c221a81

C:\Windows\SysWOW64\Cgmhcaac.exe

MD5 9c32fa92c3f19cffa65053a5b981898c
SHA1 0e62523576d13095859730a22ff4dbf6bf5d7edd
SHA256 a94bb0fd2cfe9274a5b7a982f4b10c542bbe755f00ada9443f74f7aef7243392
SHA512 826d3ca46eac7ad8e92cd752a7ee5a6f0dfc9459e948887fbd13c95f4b75bb2b2c9ba99b978db9d254ddf440e3561a260a4543ebbb0098ba9e3bc654f9d1a762

C:\Windows\SysWOW64\Dnljkk32.exe

MD5 705eda66299e5f2c81d16121ee2589f3
SHA1 63f32b504e8cb5d6f6c23c45ccc29b88a9dc7fe3
SHA256 0069e8aa0e4698be373fdd21e77f9228424e12de1dd403e9ac1ccbd091bfcd24
SHA512 8eab1f6f98182711e8fe2ff28b408be219a4962fbb97d278c8191c08a2341132c6791fde0825c6e6388caa9ba84365d20bdde1d6dae71c03f5dbc27b668dc804

C:\Windows\SysWOW64\Edihdb32.exe

MD5 0c8cd8f06553e07f0dc3c44762501e4e
SHA1 a194613f67e746efb1dce62a49cf8c446857384a
SHA256 ed457192a69df9a26f39f7edd363829ed29f87efba502cf11a83b4e280c51c49
SHA512 fb8884191f002af72a9665e32afa9179cfe03f0802585ba9576ab5fc1224090e68fbfb91c0675ea5b314d2f61408ed8cc4378c78e69f6146db09601a8ec6b477

C:\Windows\SysWOW64\Gkoplk32.exe

MD5 841e0ecf279038c09fad7f1fbf6e7475
SHA1 ee5595f332a97d2b700afd1ac009b6d23fe9803e
SHA256 f7e0339223bd310db226aae72d52e6eda85ba8684c37107c114917b9b55636e1
SHA512 c744f650c533bd484696c35b8bb8c3ae25d98ca79d80be9a3ec6d8f91c73968dab95c2f3c058ad0585fa3023285d2b557043fb86ff72386ae4dd1b815cee49f5