Analysis

max time kernel: 64s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 15:30

Behavioral task behavioral1
Sample: 22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe
Resource: win10v2004-20240226-en

The platform and resource fields above identify this page as the behavioral1 (Windows 7 x64) run; the Windows 10 task is listed but its results are not part of this page.

General

Target: 22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe
Size: 1.3MB
MD5: 22ba5b7d0429dab421d2cf588bd2bcf0
SHA1: 35cd0f0a318e1593ef4b75851c57b62d98dcd4b4
SHA256: 0513f94f6dd484d6248a5b7723f37b87ff344c5759222de904dff432fd6e4fab
SHA512: aa348a7b81b713efd3856c318c32ddb6df95bd325c8cf5f47b6da0f08fec4ea76aa2e3f9abbd846d1acb53fbfca85d8a5d527f36d77ba717cf63d6cf8f9067db
SSDEEP: 24576:cIXgvr4B9f01ZmQvrb91v92W9C05wkEPSOdKkrzEoxrC9toC9Dq9onk8:cIwkB9f0VP91v92W805IPSOdKgzEoxrS
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every process in the chain touches the same key, HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the writes land under Wow6432Node because the 32-bit sample runs under WOW64 on the x64 image). Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the DLL that the CLSID's InProcServer32 points to (see "Modifies registry class" below) is loaded into Explorer at each logon. The value name "Web Event Logger" and the CLSID {79ECA078-17FF-726B-E811-213280E5C831} are the same for all 64 events, which makes the pair a stable registry-based hunt for this family.

Caveat for responders: on an x64 host the 64-bit Explorer reads the native (non-Wow6432Node) view of these keys and cannot load a 32-bit in-proc server, so the sandbox's verdict describes the mechanism rather than proving it fires on this x64 image; on 32-bit Windows the same paths are the native keys and the entry takes effect.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by 40 processes:
  Dafmqb32.exe, Mqbbagjo.exe, Npdhaq32.exe, Cfeepelg.exe, Dgfmep32.exe, Deeqch32.exe, Bknmok32.exe, Fpemhb32.exe, Fqglggcp.exe, Fqfemqod.exe, Mkipao32.exe, Nbeedh32.exe, Bbonei32.exe, Akcldl32.exe, Fkefbcmf.exe, Kcdjoaee.exe, Dpkibo32.exe, Lpoaheja.exe, Bfhmqhkd.exe, Bfccei32.exe, Cjogcm32.exe, Npijoj32.exe, Jijokbfp.exe, Fbpbpkpj.exe, Dfpcblfp.exe, Plbkfdba.exe, Nmkplgnq.exe, Nnahgh32.exe, Plbmom32.exe, Hofjem32.exe, Inkcem32.exe, Onlahm32.exe, Iafnjg32.exe, Kiemmh32.exe, Kcajceke.exe, Kdbepm32.exe, Ehhfjcff.exe, Qghgigkn.exe, Pohfehdi.exe, Lipecm32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}", by 24 processes:
  Ecogodlk.exe, Hofjem32.exe, Hfmddp32.exe, Gcedad32.exe, Ibibfa32.exe, Oekhacbn.exe, Knfndjdp.exe, Ndmecgba.exe, Fpgnoo32.exe, Cjmopkla.exe, Hmeolj32.exe, Plbkfdba.exe, Jdnmma32.exe, Bhbkpgbf.exe, Jgabdlfb.exe, Kbigpn32.exe, Mlgkbi32.exe, Klhemhpk.exe, Jenpajfb.exe, Kgnbnpkp.exe, Oomjng32.exe, Qogbdl32.exe, Clmdmm32.exe, Clciod32.exe
Malware Dropper & Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan with the capability to download and install additional malicious software, such as other Trojans, ransomware and cryptominers.

YARA rule family_berbew matched the following files, all of them stages that the chain itself wrote to C:\Windows\SysWOW64\ (compare "Drops file in System32" and "Executes dropped EXE" below), so the family verdict rests on the dropped stages and not only on the submitted binary:
  Cbajkiof.exe, Cllkin32.exe, Ehgbhbgn.exe, Flqmbd32.exe, Filgbdfd.exe, Gnmifk32.exe, Gmecmg32.exe, Jnpkflne.exe, Klhemhpk.exe, Kbigpn32.exe, Ldllgiek.exe, Lmjnak32.exe, Mbkpeake.exe, Mnbpjb32.exe, Ndmecgba.exe, Nijnln32.exe, Pljcllqe.exe, Cgkocj32.exe, Dicnkdnf.exe, Egikjh32.exe, Eklqcl32.exe, Edfbaabj.exe, Hlgimqhf.exe, Klbdgb32.exe, Klngkfge.exe, Lpnmgdli.exe, Lgqkbb32.exe, Mklcadfn.exe, Nameek32.exe, Ngealejo.exe, Nfdddm32.exe, Nnmlcp32.exe, Nmkplgnq.exe, Nbflno32.exe, Mfokinhf.exe, Mqbbagjo.exe, Mfjann32.exe, Mqnifg32.exe, Mjcaimgg.exe, Jijokbfp.exe, Jbbccgmp.exe, Iladfn32.exe, Ifdlng32.exe, Igoomk32.exe, Ifpcchai.exe, Hbggif32.exe, Mqklqhpg.exe, Mkndhabp.exe, Lbfook32.exe, Lbcbjlmb.exe, Llgjaeoj.exe, Lcofio32.exe, Lhiakf32.exe, Lgehno32.exe, Knmdeioh.exe, Kcgphp32.exe, Kgqocoin.exe, Kadfkhkf.exe, Kgnbnpkp.exe, Knfndjdp.exe, Kdnild32.exe, Jehlkhig.exe, Jlphbbbg.exe, Jefpeh32.exe
Executes dropped EXE (64 IoCs)

Listed in launch order (pid, process); the order matches the parent/child pairs under "Suspicious use of WriteProcessMemory" below, so each dropped binary starts the next one:
  1756 Lipecm32.exe
  2896 Mmdgbp32.exe
  2460 Mmfdhojb.exe
  2756 Mdbiji32.exe
  2528 Npijoj32.exe
  2396 Noogpfjh.exe
  2992 Nlbgikia.exe
  696 Ndnlnm32.exe
  864 Nkjapglg.exe
  2568 Oionacqo.exe
  1996 Okojkf32.exe
  1976 Onocmadb.exe
  1104 Oekhacbn.exe
  944 Oemegc32.exe
  2716 Padeldeo.exe
  2552 Pohfehdi.exe
  2712 Pojbkh32.exe
  572 Phbgcnig.exe
  2780 Pclhdl32.exe
  1724 Qcqaok32.exe
  3004 Qogbdl32.exe
  1836 Amkbnp32.exe
  1492 Aollokco.exe
  1624 Akcldl32.exe
  1936 Akeijlfq.exe
  900 Bnfblgca.exe
  1548 Bjmbqhif.exe
  2320 Bfccei32.exe
  2100 Bplhnoej.exe
  1700 Bjallg32.exe
  2440 Bfhmqhkd.exe
  2276 Bbonei32.exe
  1404 Ciifbchf.exe
  1132 Cbajkiof.exe
  2500 Cjmopkla.exe
  2492 Cllkin32.exe
  2368 Chcloo32.exe
  2644 Dedlag32.exe
  456 Ekcaonhe.exe
  2560 Ehgbhbgn.exe
  2188 Epbfmd32.exe
  1664 Ekhkjm32.exe
  636 Egokonjc.exe
  2720 Edclib32.exe
  2684 Eolmip32.exe
  1716 Flqmbd32.exe
  2296 Fhgnge32.exe
  2232 Fbpbpkpj.exe
  1264 Foccjood.exe
  1184 Filgbdfd.exe
  2796 Fqglggcp.exe
  2656 Gjpqpl32.exe
  1652 Gcheib32.exe
  2148 Gnmifk32.exe
  884 Gfhnjm32.exe
  2032 Gpabcbdb.exe
  2828 Gmecmg32.exe
  2628 Gjicfk32.exe
  3064 Gcahoqhf.exe
  2364 Hinqgg32.exe
  2912 Hfbaql32.exe
  1216 Hloiib32.exe
  1532 Halbai32.exe
  1784 Hbknkl32.exe
Loads dropped DLL (64 IoCs)

Each of the 32 processes below appears twice in the raw event list (64 events in total); pid, process:
  1312 22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe
  1756 Lipecm32.exe
  2896 Mmdgbp32.exe
  2460 Mmfdhojb.exe
  2756 Mdbiji32.exe
  2528 Npijoj32.exe
  2396 Noogpfjh.exe
  2992 Nlbgikia.exe
  696 Ndnlnm32.exe
  864 Nkjapglg.exe
  2568 Oionacqo.exe
  1996 Okojkf32.exe
  1976 Onocmadb.exe
  1104 Oekhacbn.exe
  944 Oemegc32.exe
  2716 Padeldeo.exe
  2552 Pohfehdi.exe
  2712 Pojbkh32.exe
  572 Phbgcnig.exe
  2780 Pclhdl32.exe
  1724 Qcqaok32.exe
  3004 Qogbdl32.exe
  1836 Amkbnp32.exe
  1492 Aollokco.exe
  1624 Akcldl32.exe
  1936 Akeijlfq.exe
  900 Bnfblgca.exe
  1548 Bjmbqhif.exe
  2320 Bfccei32.exe
  2100 Bplhnoej.exe
  1700 Bjallg32.exe
  2440 Bfhmqhkd.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\. "created" is a new file, "modified" is an existing file opened for modification; the trailing name is the process that did it. The .dll entries are the candidates for the InProcServer32 registrations under "Modifies registry class" below.
  created   Liqoflfh.exe   by Lmjnak32.exe
  modified  Ecogodlk.exe   by Ehhfjcff.exe
  created   Aijikd32.dll   by Mmdgbp32.exe
  created   Opfegp32.exe   by Npdhaq32.exe
  created   Dkeoongd.exe   by Cfcmlg32.exe
  created   Nkgmej32.dll   by Knfopnkk.exe
  created   Binoil32.dll   by Qcqaok32.exe
  created   Ifffkncm.exe   by Ilabmedg.exe
  created   Ncocffdb.dll   by Pejmfqan.exe
  modified  Ldgnklmi.exe   by Kmkihbho.exe
  modified  Qghgigkn.exe   by Qnpcpa32.exe
  created   Hmalldcn.exe   by Hblgnkdh.exe
  modified  Jmhnkfpa.exe   by Jdpjba32.exe
  created   Monhjgkj.exe   by Ldkdckff.exe
  created   Ifdjeoep.exe   by Ilofhffj.exe
  created   Kcmcoblm.exe   by Jnpkflne.exe
  created   Jcidje32.dll   by Hblgnkdh.exe
  created   Eickphoo.dll   by Gcgqgd32.exe
  modified  Apilcoho.exe   by Amhcad32.exe
  created   Lbijlpke.dll   by Gpabcbdb.exe
  modified  Fqfemqod.exe   by Fgnadkic.exe
  created   Gjjmijme.exe   by Giipab32.exe
  created   Hblgnkdh.exe   by Hidcef32.exe
  created   Hdbpekam.exe   by Hgnokgcc.exe
  modified  Fpemhb32.exe   by Fappgflg.exe
  created   Oomjng32.exe   by Occlcg32.exe
  created   Bfccei32.exe   by Bjmbqhif.exe
  modified  Knbhlkkc.exe   by Kcmcoblm.exe
  modified  Mpphdpcf.exe   by Mjdcbf32.exe
  created   Icplje32.exe   by Hkdgecna.exe
  created   Amoibc32.exe   by Apilcoho.exe
  modified  Jepmgj32.exe   by Jofejpmc.exe
  created   Fnddef32.dll   by Ippdgc32.exe
  created   Ecogodlk.exe   by Ehhfjcff.exe
  modified  Ehgbhbgn.exe   by Ekcaonhe.exe
  modified  Iphecepe.exe   by Idadnd32.exe
  created   Flpkcb32.dll   by Hgnokgcc.exe
  modified  Gpogiglp.exe   by Gmnngl32.exe
  created   Plbmom32.exe   by Pcdldknm.exe
  created   Lpnmgdli.exe   by Lgehno32.exe
  created   Mfokinhf.exe   by Mqbbagjo.exe
  created   Hbggif32.exe   by Nameek32.exe
  modified  Mebnic32.exe   by Ladebd32.exe
  modified  Mfpmbf32.exe   by Mndhnd32.exe
  modified  Lbkaoalg.exe   by Knfopnkk.exe
  created   Bihmcd32.dll   by Lkakicam.exe
  created   Fohlogok.dll   by Hnjbeh32.exe
  created   Kcnfobob.dll   by Lgqkbb32.exe
  modified  Hhhgcc32.exe   by Hbknkl32.exe
  modified  Mjpkqonj.exe   by Liqoflfh.exe
  created   Pbihfb32.dll   by Hqfaldbo.exe
  modified  Ijnbcmkk.exe   by Iafnjg32.exe
  modified  Mqbbagjo.exe   by Mfjann32.exe
  created   Hjojpeec.dll   by Alodeacc.exe
  modified  Jeoeclek.exe   by Jkdcdf32.exe
  created   Gcheib32.exe   by Gjpqpl32.exe
  modified  Nfghdcfj.exe   by Mnbpjb32.exe
  created   Inppon32.dll   by Bhbkpgbf.exe
  modified  Hnjbeh32.exe   by Hqfaldbo.exe
  created   Pdlmgo32.dll   by Mfjann32.exe
  created   Nkfkidmk.exe   by Nchipb32.exe
  created   Oionacqo.exe   by Nkjapglg.exe
  created   Cgohil32.dll   by Idadnd32.exe
  modified  Klbdgb32.exe   by Jehlkhig.exe
Modifies registry class (64 IoCs)

All 64 events are under the one key HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, the CLSID that the ShellServiceObjectDelayLoad value above tells Explorer to instantiate. The chain creates that key, sets its default value to a freshly dropped DLL in C:\Windows\SysWow64, and sets ThreadingModel = "Apartment". Together with the autorun value this is the complete COM-object persistence chain; the CLSID is the bridge between the autorun entry and the DLL. Successive stages overwrite the in-proc server path (21 different DLL paths in this run), so on a live host only the last writer is what Explorer would load. The link to the file events is visible directly: Flpkcb32.dll is created by Hgnokgcc.exe under "Drops file in System32" and registered as the in-proc server by the same process here.

Key created ...\InProcServer32, by 19 processes:
  Gncnmane.exe, Ilemce32.exe, Lbcbjlmb.exe, Cfcmlg32.exe, Flqmbd32.exe, Goiafp32.exe, Ddbmcb32.exe, Palbgn32.exe, Gcheib32.exe, Kcdjoaee.exe, Nkfkidmk.exe, Llgjaeoj.exe, Nopaoj32.exe, Lmjnak32.exe, Fjhcegll.exe, Cjmopkla.exe, Omqlpp32.exe, Kgnbnpkp.exe, Ifpcchai.exe

Set value (str) ...\InProcServer32\ThreadingModel = "Apartment", by 24 processes:
  Idadnd32.exe, Mklcadfn.exe, Ifdlng32.exe, Paiche32.exe, Dgfmep32.exe, Mjpkqonj.exe, Lcofio32.exe, Dacpkc32.exe, Nhhehpbc.exe, Joiappkp.exe, Cblfdg32.exe, Mdbiji32.exe, Opodknco.exe, Epbfmd32.exe, Mnbpjb32.exe, Nijnln32.exe, Pljcllqe.exe, Fqfemqod.exe, Ehgbhbgn.exe, Lkakicam.exe, Monhjgkj.exe, Npijoj32.exe, Jkhldafl.exe, Ghajacmo.exe

Set value (str) ...\InProcServer32\(Default) = "C:\Windows\SysWow64\<dll>" (21 events; dll, process):
  Gckobc32.dll   by Gncnmane.exe
  Flpkcb32.dll   by Hgnokgcc.exe
  Ldpeabpb.dll   by Kcopdb32.exe
  Dkbfgoak.dll   by Hloiib32.exe
  Npepblac.dll   by Cqaiph32.exe
  Opnqffif.dll   by Goiafp32.exe
  Ihdjpd32.dll   by Qfljkp32.exe
  Fagina32.dll   by Jpigma32.exe
  Anlbkeee.dll   by Kiemmh32.exe
  Ocmbnbgf.dll   by Qkibcg32.exe
  Baleem32.dll   by Bbbgod32.exe
  Mmichb32.dll   by Hdbpekam.exe
  Bgjbpi32.dll   by Blnpddeo.exe
  Cpapdk32.dll   by Anlhkbhq.exe
  Kmnfciac.dll   by Jpgmpk32.exe
  Hbppfnao.dll   by Lhiddoph.exe
  Abigipko.dll   by Cmmagpef.exe
  Dfigpahm.dll   by Dlfgcl32.exe
  Lmjcge32.dll   by Ejaphpnp.exe
  Canhhi32.dll   by Kdbepm32.exe
  Kbfefenn.dll   by Golgon32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\22ba5b7d0429dab421d2cf588bd2bcf0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe34⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe35⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe37⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe38⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe39⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe43⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe44⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe45⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe46⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe48⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe50⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe51⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe55⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe56⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe58⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe59⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe60⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe61⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe62⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe64⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe66⤵PID:1768
-
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe70⤵PID:3008
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe71⤵
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe72⤵PID:2432
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe73⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe74⤵PID:1704
-
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe75⤵PID:2216
-
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe76⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe78⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe79⤵PID:2420
-
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe80⤵
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe81⤵PID:1012
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe82⤵PID:2648
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe83⤵PID:2408
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe84⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe85⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe86⤵PID:2416
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe87⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe89⤵PID:1484
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe91⤵PID:1072
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:756 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe94⤵PID:2340
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe95⤵PID:1372
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe96⤵PID:2892
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe98⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe99⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe100⤵PID:1916
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe102⤵PID:2744
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe103⤵PID:2596
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe105⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe106⤵PID:2848
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe107⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe108⤵PID:2788
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe109⤵
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe110⤵PID:1752
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe111⤵PID:1032
-
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe112⤵PID:1740
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe113⤵PID:3024
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe114⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe115⤵PID:2604
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe116⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe117⤵
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe118⤵PID:1956
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe119⤵PID:1584
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe120⤵PID:3100
-
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe121⤵
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe122⤵PID:3180
-
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe123⤵PID:3220
-
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe124⤵PID:3260
-
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe125⤵PID:3300
-
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe126⤵PID:3340
-
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe127⤵
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe128⤵PID:3420
-
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe129⤵PID:3460
-
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe130⤵PID:3500
-
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe131⤵PID:3540
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe132⤵PID:3580
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe133⤵PID:3620
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe134⤵PID:3660
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe135⤵PID:3700
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe136⤵PID:3744
-
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe137⤵PID:3784
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3824 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe139⤵
- Modifies registry class
PID:3864 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3904 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe141⤵PID:3944
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe142⤵
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe143⤵PID:4024
-
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe144⤵PID:4064
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe145⤵
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe146⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe147⤵PID:1248
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe149⤵PID:2124
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe150⤵PID:2300
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3148 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe152⤵PID:3136
-
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe153⤵PID:3216
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe154⤵PID:3280
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe155⤵PID:3288
-
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe156⤵PID:3396
-
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe157⤵PID:3488
-
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe158⤵PID:2476
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe159⤵PID:3564
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe160⤵PID:564
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe161⤵PID:3608
-
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe162⤵PID:3728
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe163⤵PID:3684
-
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe164⤵PID:3800
-
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe165⤵PID:2176
-
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe166⤵PID:808
-
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe167⤵
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe168⤵PID:948
-
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe169⤵PID:1940
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe170⤵
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe172⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe173⤵PID:1160
-
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe174⤵PID:2004
-
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe175⤵PID:1244
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe176⤵PID:3096
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe177⤵
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe178⤵PID:3244
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe179⤵PID:3328
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe180⤵
- Drops file in System32 directory
PID:3296 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe181⤵
- Drops file in System32 directory
PID:3480 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe182⤵PID:3492
-
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe183⤵
- Drops file in System32 directory
PID:3556 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe184⤵
- Drops file in System32 directory
PID:3612 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe185⤵PID:2008
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe186⤵PID:3688
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe187⤵PID:1476
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe188⤵PID:3860
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe189⤵PID:3920
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3928 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe191⤵PID:4040
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe192⤵PID:4084
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe193⤵PID:2172
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe194⤵PID:2056
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe195⤵PID:268
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe196⤵
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe197⤵PID:2288
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe199⤵PID:3372
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe200⤵
- Drops file in System32 directory
PID:3416 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe201⤵PID:2768
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3560 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe203⤵
- Modifies registry class
PID:3644 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe204⤵PID:3736
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe205⤵PID:3776
-
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe206⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe207⤵PID:3712
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe208⤵PID:4016
-
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe211⤵PID:1684
-
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe212⤵PID:3124
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe213⤵PID:3248
-
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe214⤵PID:2856
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe215⤵PID:2448
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe216⤵
- Drops file in System32 directory
PID:3448 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe217⤵PID:3708
-
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe218⤵PID:3772
-
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe219⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe220⤵
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe221⤵
- Modifies registry class
PID:4088 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe222⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe223⤵PID:580
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe224⤵PID:3240
-
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe225⤵PID:1628
-
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe226⤵PID:3468
-
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe227⤵PID:2948
-
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe228⤵
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4140 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe230⤵PID:4180
-
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe231⤵
- Modifies registry class
PID:4220 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe232⤵PID:4260
-
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4300 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe234⤵PID:4340
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe235⤵PID:4380
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe236⤵PID:4420
-
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe237⤵
- Drops file in System32 directory
PID:4460 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe238⤵PID:4916
-
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe239⤵
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe240⤵PID:5068
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe241⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe242⤵PID:3028