Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 19:10
Behavioral task: behavioral1
Sample: 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Size: 6.7MB
MD5: 02d290c12349139bb45d7bfbb43422a0
SHA1: 84fd3464e0d7bb5c326a81498b49da87a3e581bc
SHA256: 8a1dbf9ade806088c228f8bc6d203cd4332db0be419b1b9194e37195b4fd9de5
SHA512: f7aabc528f7f19d6a3ad1e23f2b78a4a2bbe06458aabaa054398cb53eafd919d0e5a6f2813b3fb9ad40c65c97f3f10a557b5e20771c3f0b2c3d76bb81513c54b
SSDEEP: 196608:RaSHFaZRBEYyqmS2DiHPKQgwUgUjvho4wzlF65i6YxE+a3:RaSHFaZRBEYyqmS2DiHPKQg3jvZwNVO3
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cikbhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cikbhc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cffljlpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cffljlpc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmkomchi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmkomchi.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 4 IoCs
pid | Process
2124 | Bmkomchi.exe
2596 | Cikbhc32.exe
2408 | Cffljlpc.exe
2600 | Dcfpel32.exe
Loads dropped DLL 8 IoCs
pid | Process
2612 | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
2612 | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
2124 | Bmkomchi.exe
2124 | Bmkomchi.exe
2596 | Cikbhc32.exe
2596 | Cikbhc32.exe
2408 | Cffljlpc.exe
2408 | Cffljlpc.exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Ecgdipbc.dll | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Cikbhc32.exe | Bmkomchi.exe
File created | C:\Windows\SysWOW64\Dcfpel32.exe | Cffljlpc.exe
File opened for modification | C:\Windows\SysWOW64\Dcfpel32.exe | Cffljlpc.exe
File opened for modification | C:\Windows\SysWOW64\Cffljlpc.exe | Cikbhc32.exe
File created | C:\Windows\SysWOW64\Clmfcd32.dll | Cikbhc32.exe
File created | C:\Windows\SysWOW64\Peipigfb.dll | Cffljlpc.exe
File created | C:\Windows\SysWOW64\Bmkomchi.exe | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Bmkomchi.exe | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Cikbhc32.exe | Bmkomchi.exe
File created | C:\Windows\SysWOW64\Ambnnc32.dll | Bmkomchi.exe
File created | C:\Windows\SysWOW64\Cffljlpc.exe | Cikbhc32.exe
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmkomchi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cikbhc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgdipbc.dll" | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cffljlpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambnnc32.dll" | Bmkomchi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmkomchi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmfcd32.dll" | Cikbhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cikbhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cffljlpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peipigfb.dll" | Cffljlpc.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 2612 wrote to memory of 2124 | 2612 | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe | 28
PID 2612 wrote to memory of 2124 | 2612 | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe | 28
PID 2612 wrote to memory of 2124 | 2612 | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe | 28
PID 2612 wrote to memory of 2124 | 2612 | 02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe | 28
PID 2124 wrote to memory of 2596 | 2124 | Bmkomchi.exe | 29
PID 2124 wrote to memory of 2596 | 2124 | Bmkomchi.exe | 29
PID 2124 wrote to memory of 2596 | 2124 | Bmkomchi.exe | 29
PID 2124 wrote to memory of 2596 | 2124 | Bmkomchi.exe | 29
PID 2596 wrote to memory of 2408 | 2596 | Cikbhc32.exe | 30
PID 2596 wrote to memory of 2408 | 2596 | Cikbhc32.exe | 30
PID 2596 wrote to memory of 2408 | 2596 | Cikbhc32.exe | 30
PID 2596 wrote to memory of 2408 | 2596 | Cikbhc32.exe | 30
PID 2408 wrote to memory of 2600 | 2408 | Cffljlpc.exe | 31
PID 2408 wrote to memory of 2600 | 2408 | Cffljlpc.exe | 31
PID 2408 wrote to memory of 2600 | 2408 | Cffljlpc.exe | 31
PID 2408 wrote to memory of 2600 | 2408 | Cffljlpc.exe | 31
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\02d290c12349139bb45d7bfbb43422a0_NeikiAnalytics.exe"
PID: 2612
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\Bmkomchi.exe
Command line: C:\Windows\system32\Bmkomchi.exe
PID: 2124
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\Cikbhc32.exe
Command line: C:\Windows\system32\Cikbhc32.exe
PID: 2596
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\Cffljlpc.exe
Command line: C:\Windows\system32\Cffljlpc.exe
PID: 2408
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\Dcfpel32.exe
Command line: C:\Windows\system32\Dcfpel32.exe
PID: 2600
- Executes dropped EXE